Old 10-03-2019, 01:24 AM   #1
wanconcepts
LQ Newbie
 
Registered: Sep 2010
Posts: 5

Rep: Reputation: 0
PCI-DSS compliance using Redhat/CentOS 7 question?


Could be reaching here but...

Does anyone have a fix for "Statistical Weaknesses in TCP/IP Initial Sequence Numbers" on RedHat/CentOS 7?

Below is a snippet of a testing service result used by a credit card company telling me my firewall has this weakness. When searching through the articles on the RedHat and Ubuntu forums, they seem to pooh-pooh the weakness, since in the worst case an attacker could only see one side of the packet transmission by guessing the sequence of the next packet and inject data into the session stream, causing a reset of the network, which would be handled by TCP dropping the packets without acknowledgement and re-establishing the connection after a network reset. It appears that larger window sizes in this stream can be more vulnerable.

A better description of the presumed weakness can be found here:

https://resources.sei.cmu.edu/asset_...001_496192.pdf

where you would search for CA-2001-09.

It appears I can't get "certified" without some change to the TCP/IP stack?

SNIPPET
Constant changes in initial sequence numbers observed in 21 out of 23 events.

[ Sent Packets Results ]
Packet 1 : TIME[1565914687.623586] SEQ[2969907418] CHANGE[N/A] VARIATION[N/A]
Packet 2 : TIME[1565914687.628568] SEQ[2988781196] CHANGE[18873778] VARIATION[N/A]
Packet 3 : TIME[1565914687.633579] SEQ[3007654974] CHANGE[18873778] VARIATION[0]
Packet 4 : TIME[1565914687.638578] SEQ[3026528752] CHANGE[18873778] VARIATION[0]
Packet 5 : TIME[1565914687.643564] SEQ[3045402530] CHANGE[18873778] VARIATION[0]
Packet 6 : TIME[1565914687.648570] SEQ[3064276308] CHANGE[18873778] VARIATION[0]
Packet 7 : TIME[1565914687.653565] SEQ[3083150086] CHANGE[18873778] VARIATION[0]
Packet 8 : TIME[1565914687.663571] SEQ[3120897642] CHANGE[37747556] VARIATION[18873778]
Packet 9 : TIME[1565914687.658571] SEQ[3102023864] CHANGE[18873778] VARIATION[18873778]
Packet 10 : TIME[1565914687.668566] SEQ[3139771420] CHANGE[37747556] VARIATION[18873778]
Packet 11 : TIME[1565914687.673565] SEQ[3158645198] CHANGE[18873778] VARIATION[18873778]
Packet 12 : TIME[1565914687.678571] SEQ[3177518976] CHANGE[18873778] VARIATION[0]
Packet 13 : TIME[1565914687.683572] SEQ[3196392754] CHANGE[18873778] VARIATION[0]
Packet 14 : TIME[1565914687.688572] SEQ[3215266532] CHANGE[18873778] VARIATION[0]
Packet 15 : TIME[1565914687.693567] SEQ[3234140310] CHANGE[18873778] VARIATION[0]
Packet 16 : TIME[1565914687.698572] SEQ[3253014088] CHANGE[18873778] VARIATION[0]
 
Old 10-03-2019, 07:23 AM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,338

Rep: Reputation: Disabled
Quote:
Originally Posted by wanconcepts
Does anyone have a fix for a "Statistical Weaknesses in TCP/IP
Initial Sequence Numbers" running on RedHat/CentOS 7 ???
That's a vulnerability in the TCP/IP stack of the operating system, and requires a fix from the OS vendor. In Linux, the TCP/IP stack is part of the kernel.

I find it highly unlikely that a semi-recent version of CentOS has this vulnerability. Which kernel are you running?
Quote:
Originally Posted by wanconcepts
Below is a snippet of a testing service result used by a credit card company telling me my firewall has this weakness.
Note that it's the firewall/router that has this issue, not the computers behind it.

I assume you're not using your CentOS server as a router?
Quote:
Originally Posted by wanconcepts
When searching through the articles at RedHat and Ubuntu forums they seem to poo poo the weakness, as at worst case, an attacker could only see one side of the packet transmission by guessing the sequence of the next packet and inject data into the session stream causing a reset of the network which would be handled by TCP dropping the packets without acknowledgement and reestablishing the connection after a network reset.
I would disagree with that assessment. Poor randomness in ISNs makes "blind spoofing" of a TCP connection a practical possibility, meaning it's possible for an attacker to hijack an existing TCP connection.
Quote:
Originally Posted by wanconcepts
where you would search for CA-2001-09.
And "2001-09" is a reference to a date. This is an ancient vulnerability that's been patched in just about every operating system in existence ages ago.

But you may have an old router/firewall running vulnerable firmware.
Quote:
Originally Posted by wanconcepts
I can't get "certified" without some change to the TCP/IP stack it appears???
Indeed. You need to get this fixed.
 
Old 10-03-2019, 11:45 PM   #3
wanconcepts
LQ Newbie
 
Registered: Sep 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Misidentifying the OS maybe???

I am running CentOS 7 as a firewall mostly because of the need for OpenVPN and other services being provided for the domain, such as ACL Zoned Bind etc.

Hijacking an existing connection that is encrypted would seem to me to be rather difficult in spite of this weakness as all traffic to and from this firewall is encrypted.

There are no public services such as Apache, FTP, etc. CA-2001-09 is a reference to the part of the article I listed above where a white paper describing the weakness is presented. This was provided to me by the testing company as the solution for fixing the problem.

The testing company has misidentified the firewall OS as Cisco/OS (it's CentOS 7, not Cisco) and has suggested upgrading the Cisco operating system.

On further review of the above-listed document, they purport to give solutions to the problem by OS. It states that an implementation of RFC1948 is an acceptable fix for this vulnerability, and furthermore, in the same section where fixes for multiple operating systems are listed, the same article they suggested states:

Linux
The Linux kernel has used a variant of RFC1948 by default since 1996. Please see:
http://lxr.linux.no/source/drivers/char/ChangeLog#L258
http://lxr.linux.no/source/drivers/char/random.c#L1855

Finally, we use Linux as a firewall, not Cisco/OS, and I don't know why they are bugging us.
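The fix the CERT document names, RFC 1948 (since superseded by RFC 6528), makes the ISN a sum of a clock term M and a keyed hash F of the connection 4-tuple. The following is an added example, not code from the page, the CERT paper or the Linux kernel, that simulates a pre-RFC 1948 global-counter generator beside an RFC 6528 one and runs the blind-spoofing prediction CA-2001-09 is about against both. Assumptions not in the page: keyed MD5 as F (the RFCs' suggestion; the Linux kernel uses its own keyed hash and timer granularity, but the same structure), a 4 µs timer for M, a toy 64000 per-connection bump for the legacy scheme, RFC 5737 documentation addresses, and the attacker/victim roles.

```python
import hashlib
import secrets
import socket
import struct

MASK32 = 0xFFFFFFFF

# Constructed RFC 5737 documentation addresses (assumption, not from the thread).
SERVER = ("203.0.113.10", 443)
VICTIM = ("198.51.100.7", 40001)
ATTACKER = ("192.0.2.99", 51234)


def clock_term(t_us):
    """M: the RFC 793/6528 timer, one tick per 4 microseconds, truncated to 32 bits."""
    return (t_us // 4) & MASK32


class GlobalCounterIsn:
    """Pre-RFC 1948 style (toy): every connection draws from one host-wide sequence,
    timer plus a fixed bump per connection, so any observed ISN leaks the next one."""
    PER_CONNECTION = 64000  # toy constant; legacy stacks used various values

    def __init__(self):
        self.bump = 0

    def isn(self, laddr, lport, raddr, rport, t_us):
        self.bump = (self.bump + self.PER_CONNECTION) & MASK32
        return (clock_term(t_us) + self.bump) & MASK32


class Rfc6528Isn:
    """ISN = (M + F(laddr, lport, raddr, rport, secret)) mod 2^32.
    F here is keyed MD5 as RFC 1948/6528 suggest; the secret never leaves the host."""

    def __init__(self, secret=None):
        self.secret = secret if secret is not None else secrets.token_bytes(16)

    def f(self, laddr, lport, raddr, rport):
        data = struct.pack("!4sH4sH", socket.inet_aton(laddr), lport,
                           socket.inet_aton(raddr), rport) + self.secret
        return struct.unpack("!I", hashlib.md5(data).digest()[:4])[0]

    def isn(self, laddr, lport, raddr, rport, t_us):
        return (clock_term(t_us) + self.f(laddr, lport, raddr, rport)) & MASK32


def blind_guess(observed_isn, t_observed_us, t_target_us, per_connection=0):
    """Attacker's prediction: take an ISN seen on their own connection and replay the
    clock advance (plus the per-connection bump, if they believe in a global counter)."""
    advance = clock_term(t_target_us) - clock_term(t_observed_us)
    return (observed_isn + advance + per_connection) & MASK32


def run_attack(gen, per_connection=0):
    """Attacker connects at t0, then guesses the ISN the server hands the victim
    at t1 (5 ms later). Returns (guess, actual)."""
    t0, t1 = 1_000_000, 1_000_000 + 5_000
    seen = gen.isn(SERVER[0], SERVER[1], ATTACKER[0], ATTACKER[1], t0)
    guess = blind_guess(seen, t0, t1, per_connection)
    actual = gen.isn(SERVER[0], SERVER[1], VICTIM[0], VICTIM[1], t1)
    return guess, actual


def fixed_tuple_probe(gen, count, interval_us, start_us=2_000_000):
    """Steps between ISNs when a scanner re-sends SYNs from one unchanged 4-tuple."""
    seqs = [gen.isn(SERVER[0], SERVER[1], ATTACKER[0], ATTACKER[1],
                    start_us + i * interval_us) for i in range(count)]
    return [(b - a) & MASK32 for a, b in zip(seqs, seqs[1:])]


if __name__ == "__main__":
    g, a = run_attack(GlobalCounterIsn(), GlobalCounterIsn.PER_CONNECTION)
    print("global counter: guess == actual ->", g == a)
    g, a = run_attack(Rfc6528Isn())
    print("RFC 6528:       guess == actual ->", g == a)
    print("RFC 6528, same 4-tuple every 5 ms:", fixed_tuple_probe(Rfc6528Isn(), 4, 5_000))
```

Against the global counter the attacker's guess is exact; against RFC 6528 it misses, because the only thing the attacker's own ISN reveals is the clock term, and F for the victim's 4-tuple is unknowable without the secret. The same script also shows the caveat that matters for reading a scan report: repeated SYNs from one fixed source address and port to an RFC 6528 stack come back with a constant, clock-sized step (1250 per 5 ms in this model), since F does not change for that tuple. A "constant change" verdict is therefore only evidence of weakness if the scanner varied its source port between probes, and the snippet in the first post does not show what source the probes used.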
 
Old 10-03-2019, 11:52 PM   #4
wanconcepts
LQ Newbie
 
Registered: Sep 2010
Posts: 5

Original Poster
Rep: Reputation: 0
Oh, by the way, the kernel in use is 3.10.0-1062.1.2.el7.
 
  

