Use of Insufficiently Random Values

CVE-2020-35685

Medium

6.4/10

Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

Access Complexity: LOW
AccessVector: NETWORK
Authentication: NONE
Integrity Impact: PARTIAL
Confidentiality Impact: PARTIAL
Availability Impact: NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References

Advisory Timeline

Published Aug 19, 2021

Use of Insufficiently Random Values

CVE-2020-35685

Summary

CWE-330 - Use of Insufficiently Random Values

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS