CVE-2000-0916

FreeBSD <= 4.1.1 - TCP Sequence Number Spoofing via Insufficient Randomness

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0916.

AI-analyzed exploit summary The vulnerability in the Linux kernel's 'secure_tcp_sequence_number' function in 'drivers/char/random.c' allows remote users to predict TCP initial sequence numbers (ISN) due to weak MD4-based generation. This can facilitate TCP session spoofing and bypass IP-based access controls.

Description

FreeBSD 4.1.1 and earlier, and possibly other BSD-based OSes, uses an insufficient random number generator to generate initial TCP sequence numbers (ISN), which allows remote attackers to spoof TCP connections.

Exploits (1)

exploitdb WRITEUP

remotelinux

https://www.exploit-db.com/exploits/19522

View Code ZIP pw:eip

The vulnerability in the Linux kernel's 'secure_tcp_sequence_number' function in 'drivers/char/random.c' allows remote users to predict TCP initial sequence numbers (ISN) due to weak MD4-based generation. This can facilitate TCP session spoofing and bypass IP-based access controls.

Classification

Writeup 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Theoretical

Target: Linux kernel (versions affected in 2000)

No auth needed

Prerequisites: Network access to the target system

MITRE ATT&CK

T1590 - Gather Victim Network Information

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory vendor-advisory x_refsource_freebsd

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:52.tcp-iss.asc

Patch, Vendor Advisory vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/1766

Scores

EPSS 0.0555

EPSS Percentile 91.8%

Details

Status published

Products (5)

freebsd/freebsd 2.0

freebsd/freebsd 3.0

freebsd/freebsd 4.0

freebsd/freebsd 4.1

freebsd/freebsd 4.1.1

Published Dec 19, 2000

Tracked Since Feb 18, 2026