Symantec warns of firewall flaw

Researchers have discovered a flaw in Symantec's Raptor firewall that could allow attackers to hijack legitimate communications with a protected system.

The vulnerability lies in the way the software creates and uses random numbers--called TCP Initial Sequence Numbers--for each new connection. In order to speed performance, the system reuses the same number for connections coming from the same source IP address and TCP port for a short time after the initial connection is closed, researchers said. During this period, an attacker could use the IP address and TCP information for an earlier, legitimate connection and create a new, unauthorized connection, a technique called "spoofing".

This connection would appear to be coming from an address other than that of the real source, and could be used to carry out an attack. In addition, researchers said that the way the ISN is generated is not random enough. "A weakness in the generation of these ISNs could allow a remote attacker to easily predict the sequence numbers for a certain session," said Kristof Philipsen, a security engineer with e-security firm Ubizen Luxembourg, which discovered the flaw.

Philipsen said that the generation of ISNs is based on two factors: the source and destination port number, and the source and destination IP address. The problem has been duplicated on six Raptor firewalls, according to Philipsen.
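The following is an added example, not code from the article, Ubizen or Symantec. It contrasts an ISN derived only from the connection's addresses and ports with an RFC 6528-style generator, and checks both for reuse on reconnect; `weak_isn` is a constructed stand-in (the article does not disclose the firewall's actual algorithm), and the flow, secret, timestamps and the use of HMAC-SHA256 as the keyed function are assumptions.

```python
import hashlib
import hmac

FLOW = ("192.0.2.10", 40000, "198.51.100.5", 443)  # constructed 4-tuple


def _flow_bytes(flow):
    return "|".join(str(part) for part in flow).encode()


def weak_isn(flow):
    """Stand-in for the flaw: the ISN depends only on addresses and ports."""
    digest = hashlib.sha256(_flow_bytes(flow)).digest()
    return int.from_bytes(digest[:4], "big")


def rfc6528_isn(flow, now_us, secret):
    """RFC 6528: ISN = M + F(4-tuple, secret), M being a 4-microsecond timer."""
    f = hmac.new(secret, _flow_bytes(flow), hashlib.sha256).digest()
    m = now_us // 4
    return (m + int.from_bytes(f[:4], "big")) & 0xFFFFFFFF


def find_reused_isns(observations):
    """Return (time, flow, isn) for each connection whose ISN repeats the
    previous ISN handed out for the same 4-tuple."""
    last = {}
    reused = []
    for ts, flow, isn in observations:
        if last.get(flow) == isn:
            reused.append((ts, flow, isn))
        last[flow] = isn
    return reused


def audit(generator, times_us):
    """Open the same flow at each time and report the reused ISNs."""
    obs = [(t, FLOW, generator(FLOW, t)) for t in times_us]
    return find_reused_isns(obs)


SECRET = b"constructed-demo-secret"   # a real stack uses a random per-boot key
TIMES = [0, 1_000_000, 2_000_000]      # three reconnects, one second apart

WEAK_HITS = audit(lambda flow, t: weak_isn(flow), TIMES)
STRONG_HITS = audit(lambda flow, t: rfc6528_isn(flow, t, SECRET), TIMES)

if __name__ == "__main__":
    print("4-tuple-only generator, reused ISNs:", len(WEAK_HITS))
    print("RFC 6528-style generator, reused ISNs:", len(STRONG_HITS))
```

The same `find_reused_isns` check can be run over ISNs logged from a device's SYN-ACK replies to confirm that a patched system no longer repeats them for a reconnecting client.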

The systems affected are:
· Raptor Firewall 6.5 for Windows NT
· Raptor Firewall V6.5.3 for Solaris
· Symantec Enterprise Firewall 6.5.2 for Windows 2000 and NT
· Symantec Enterprise Firewall V7.0 for Solaris
· Symantec Enterprise Firewall 7.0 for Windows 2000 and NT
· VelociRaptor Model 500/700/1000
· VelociRaptor Model 1100/1200/1300
· Symantec Gateway Security 5110/5200/5300

Ubizen and Symantec issued statements warning of the hole on Monday, and Symantec has issued a patch for the problem. Symantec's bulletin and patch are available on its Web site.
