Use of Insufficiently Random Values

CVE-2020-35685

High

9.1/10

Summary

An issue was discovered in HCC Nichestack 3.0. The code that generates Initial Sequence Numbers (ISNs) for TCP connections derives the ISN from an insufficiently random source. As a result, an attacker may be able to determine the ISN of current and future TCP connections and either hijack existing ones or spoof future ones. (Proper ISN generation should aim to follow at least the specifications outlined in RFC 6528.)

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

References

Advisory Timeline

Published Aug 19, 2021

Use of Insufficiently Random Values

CVE-2020-35685

Summary

CWE-330 - Use of Insufficiently Random Values

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS