CVE-2000-0328

Vulnerability

Windows NT 4.0 (Workstation, Server, Enterprise Edition, and Terminal Server Edition) generates predictable random TCP initial sequence numbers (ISNs) when establishing TCP/IP sessions. The TCP/IP stack provides insufficient entropy, allowing an attacker to predict future ISNs. [1]

Exploitation

A remote attacker with network access to a Windows NT 4.0 system can observe a sequence of ISNs from the target and calculate the underlying pattern. The attacker then uses the predicted ISN to forge TCP packets that appear to originate from a trusted IP address, enabling spoofing and session hijacking without needing local access. [1]

Impact

Successful exploitation allows the attacker to impersonate a trusted host (IP spoofing) and hijack existing TCP sessions. This can lead to unauthorized access, data manipulation, or further compromise of the affected system. [1]

Mitigation

Microsoft released a patch (MS99-046) on October 22, 1999, that improves ISN randomness to 15 bits of entropy. The fix is included in Windows NT 4.0 Service Pack 4 and later (Service Pack 5 and 6 for Intel and Alpha, and a specific update for Terminal Server Edition). Administrators should apply the patch or upgrade to a supported service pack. [1]