Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3322
HistoryAug 03, 2002 - 12:00 a.m.

Security Advisory: Raptor Firewall Weak ISN Vulnerability

2002-08-0300:00:00
vulners.com
17
JSON

+==================================================================+
| Ubizen Security Advisory: Raptor Firewall Weak ISN Vulnerability |
+==================================================================+
| [email protected] Friday August 02, 2002 |
+==================================================================+

AFFECTED SYSTEMS

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

BRIEF DESCRIPTION

Raptor Firewall is Symantec's implementation of a firewalling/proxy
application. A problem exists within the IP stack implementation of
Raptor Firewall during the generation of the Initial Sequence
Numbers ("ISNs"). The algorithm used for generating these ISNs is
not sufficiently random and could allow a remote attacker to hijack
any connection to or traversing the Raptor Firewall.

DETAILED DESCRIPTION

During the transport and forwarding of packets, Initial Sequence
Numbers ("ISNs") are generated by the Raptor Firewall's IP stack. A
weakness in the generation of these ISNs could allow a remote
attacker to easily predict the sequence numbers for a certain
session.

The generation of the ISNs is based on two factors: the source and
destination port, and the source and destination IP. For a single
connection, there is an initial sequence number which will not
change for a certain [long] amount of time. An example connection
("session") can be described as follows:

session = {[src ip:src port] [dst ip:dst port]}

An ISN is attributed to a specific sessions for a certain amount of
time. Below are some excerpts of real-life tests performed against
a Raptor Firewall, demonstrating this vulnerability. The following
tests sends SYN packets from a source address [x.x.x.x] on a
source-port [1700] to a destination address [z.z.z.z] on a
destination port [80] over a period of several minutes.

Timeline Connection ISN Delta

10:33:05 x.x.x.x:1700 -> z.z.z.z:80 2088144436 -
10:33:06 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
10:33:07 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0

10:35:30 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
10:35:31 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
10:35:32 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0

10:50:43 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
10:50:44 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
10:50:45 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0

As shown above, this test clearly shows that the Initial Sequence
Number does not change for a significant amount of time. Another
test showed that when an ISN is assigned to a session, this session
and ISN are stored for future use for a certain amount of time,
regardless whether or not several new sessions are established from
the same source IP.

This issue has been reproduced against 6 Raptor Firewalls, each
belonging to different administrative bodies.

CHARACTERISTICS

  • The ISN for each session is different, but for a single session
    the ISN doesn't change for a considerable amount of time.

  • This could possibly allow an attacker to hijack the session.

  • This issue affects all vulnerabilities handled by the Raptor IP
    stack, including all sessions to and traversing the Raptor
    Firewall.

SEVERITY

This vulnerability can allow a remote attacker to potentially
hijack an existing connection to or traversing the Raptor Firewall.

Classification: medium to high

VENDOR STATUS

Symantec's Security Response Team ([email protected]) was
contacted about this issue on Wednesday, July 03 2002. A
coordinated effort between Symantec and Ubizen has lead to quick
resolution of this issue. HotFixes are available to eradicate
this vulnerability.

SOLUTION

Symantec has released HotFixes to resolve this issue. They can
be found at the following locations:

Technical Bulletin:

http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html

Patches and HotFixes:
http://www.symantec.com/techsupp/

Kristof Philipsen Security Engineer
Ubizen Luxembourg http://www.ubizen.com
Tel: +352 26 31 05 85 Fax: +352 26 31 05 86

JSON