critical
9.1
CWE
NVD-CWE-Other
Advisory Published
CVE Published
Updated

CVE-2011-3188

First published: Tue Aug 23 2011(Updated: )

Dan Kaminsky pointed out that using partial MD4 and using that to generate a sequence number, of which only 24-bits are truly unguessable, seriously undermine the goals of random sequence number generation. In particular, with only 24-bits being truly unguessable, packet injection into a session using even something like brute force is a real potential possibility. We only use 24-bits because we regenerate the random number every 5 minutes "just in case." But what does is trade a "we don't know" kind of theoretical issue for a provably real one (brute force attack). Therefore [Dave Miller] moving us more in line with RFC1948 (as well as OpenBSD and Solaris), to use MD5 and a full 32-bit result in the generated sequence number. MD5 was selected as a compromise between performance loss and theoretical ability to be compromised. Willy Tarreau did extensive testing and SHA1 was found to harm performance too much to be considered seriously at this time. We may later add a sysctl for various modes (ie. a "super secure" mode that uses SHA1 if people want that, and an "insecure" mode that doesn't use cryptographic hashing at all for people in protected environments where that might be safe to do). [Dave Miller] also moved the sequence number generators out of random.c (they never really belonged there, and are only there due to historical artifacts), and fixed a bug in DCCP sequence number generation (on ipv6 the 43-bit sequence number was truncated to 32-bits). Acknowledgements: Red Hat would like to thank Dan Kaminsky for reporting this issue.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
debian/linux-2.6
Linux Kernel<3.1
Red Hat Enterprise Linux=4.0
F5 ARX Data Manager>=6.0.0<=6.4.0
F5 Access Policy Manager>=10.1.0<=10.2.4
F5 Access Policy Manager>=11.0.0<=11.1.0
F5 BIG-IP Analytics>=11.0.0<=11.1.0
F5 Application Security Manager>=10.0.0<=10.2.4
F5 Application Security Manager>=11.0.0<=11.1.0
F5 BIG-IP Edge Gateway>=10.1.0<=10.2.4
F5 BIG-IP Edge Gateway>=11.0.0<=11.1.0
F5 BIG-IP Global Traffic Manager>=10.0.0<=10.2.4
F5 BIG-IP Global Traffic Manager>=11.0.0<=11.1.0
F5 BIG-IP>=10.0.0<=10.2.4
F5 BIG-IP>=11.0.0<=11.1.0
F5 BIG-IP Local Traffic Manager>=10.0.0<=10.2.4
F5 BIG-IP Local Traffic Manager>=11.0.0<=11.1.0
F5 BIG-IP Protocol Security Manager>=10.0.0<=10.2.4
F5 BIG-IP Protocol Security Manager>=11.0.0<=11.1.0
F5 BIG-IP WAN Optimization Manager>=10.0.0<=10.2.4
F5 BIG-IP WAN Optimization Manager>=11.0.0<=11.1.0
F5 BIG-IP WebAccelerator>=10.0.0<=10.2.4
F5 BIG-IP WebAccelerator>=11.0.0<=11.1.0
F5 Enterprise Manager>=2.1.0<=2.3.0
F5 Enterprise Manager=3.0.0
F5 FirePass SSL VPN>=6.0.0<=6.1.0
F5 FirePass SSL VPN=7.0.0

Remedy

http://www.kernel.org/pub/linux/kernel/v3.x/ChangeLog-3.1

Remedy

http://www.openwall.com/lists/oss-security/2011/08/23/2

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=732658

Remedy

https://github.com/torvalds/linux/commit/6e5714eaf77d79ae1c8b47e3e040ff5411b717ec

Remedy

https://github.com/torvalds/linux/commit/bc0b96b54a21246e377122d54569eef71cec535f

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2011-3188?

    CVE-2011-3188 is considered to be a medium severity vulnerability as it can lead to potential session hijacking through predictable packet injection.

  • How do I fix CVE-2011-3188?

    To fix CVE-2011-3188, update your affected systems to the latest patched version of the Linux kernel or affected F5 software.

  • Which software is affected by CVE-2011-3188?

    CVE-2011-3188 impacts various versions of the Linux kernel, Red Hat Enterprise Linux 4.0, and several F5 BIG-IP products.

  • What type of attack is CVE-2011-3188 associated with?

    CVE-2011-3188 is associated with packet injection attacks that can exploit the vulnerability in the sequence number generation process.

  • Is CVE-2011-3188 still a threat?

    While CVE-2011-3188 has been remediated in newer versions, systems running outdated software may still be at risk.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203