tcp,guardent,bellovin

Rafi Sadowsky writes:

No eavesdropping at all? How can a TCP connection be hijacked if you're
not on the connection path?
(Or capable of diverting the connection past you -
breaking routers/source_routing/<whatever>...)

The attacker merely has to get his data into the TCP stream on the
victim host. No return traffic necessary. This means the attacker can
be _outside_ the victim's network if source address forgery isn't
prevented. This is _not_ new; same attack Mitnick used on Shimomura.

If you're on the path, you certainly don't need to guess the TCP ISN to
hijack a connection. This isn't new, either. :)

By the way, Cisco stuff that has the fix we advertised in the security
advisory a couple of weeks ago is *NOT* vulnerable to the attack
announced by Guardent. The older stuff in IOS is not vulnerable either,
but some of our other products _are_ vulnerable. Of course, we already
announced that at Networking, Cloud, and Cybersecurity Solutions - Cisco .

I'll be along with a more official announcement, but I figured I'd
mention it here, too.

  Jim
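
The reply above turns on the point that an off-path sender only has to land a segment inside the victim's receive window. As an added example (not part of the original message), this is the receiver-side acceptability test from RFC 793 section 3.3, with a helper showing how small the window is relative to the 32-bit sequence space; the function names and sample values are constructed for illustration.

```python
"""Receiver-side view: the RFC 793 segment acceptability test.

Constructed illustration; the connection values used in __main__ are made up.
"""

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def segment_acceptable(seg_seq: int, seg_len: int,
                       rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 section 3.3 acceptability test for an incoming segment."""
    if seg_len == 0:
        if rcv_wnd == 0:
            return seg_seq % MOD == rcv_nxt % MOD
        return in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # zero window: segments carrying data are rejected
    last = (seg_seq + seg_len - 1) % MOD
    return (in_window(seg_seq, rcv_nxt, rcv_wnd)
            or in_window(last, rcv_nxt, rcv_wnd))


def blind_hit_probability(seg_len: int, rcv_wnd: int) -> float:
    """Chance that one segment with a uniformly random sequence number
    passes the test above. This is what an unpredictable ISN buys."""
    if rcv_wnd == 0:
        return (1 / MOD) if seg_len == 0 else 0.0
    span = rcv_wnd + max(seg_len, 1) - 1  # start values that touch the window
    return min(span, MOD) / MOD


if __name__ == "__main__":
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 0x200  # window wraps past 2**32
    for seq in (0xFFFFFF00, 0x00000050, 0x00000100, 0x80000000):
        ok = segment_acceptable(seq, 64, rcv_nxt, rcv_wnd)
        print(f"seq={seq:#010x} len=64 acceptable={ok}")
    print(f"random-guess hit rate, 64 KiB window: "
          f"{blind_hit_probability(64, 65535):.2e}")
```

With an unpredictable ISN a forged segment passes this test only by chance; a predictable ISN lets the sender compute a value that passes, which is why both ISN randomization and filtering of forged source addresses matter.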