A vulnerability in numerous versions of Symantec Corp.s Raptor firewall enables an attacker to hijack any session going through the firewall.
The problem lies in the algorithm the firewalls use for generating initial sequence numbers (ISN) at the beginning of each session. The ISNs, used as identifiers between client machines and host machines in TCP sessions, are supposed to be random to prevent session hijacking.
However, the algorithm used by the Raptor products generates numbers that arent sufficiently random and are therefore easily guessable, according to an advisory published Monday by Ubizen NV, a Belgian security service provider with U.S. headquarters in Reston, Va.
The effects of a successful attack can vary widely and depend upon the attackers position in relation to the client and host machines, said Kristof Philipsen, network security engineer at Ubizen in Luxembourg. If the attacker is not directly involved in the connection, the worst he can do is send spoofed traffic to the host.
He wont get any response from the host, however, as that would flow to the original client. But, if the attacker is connected to a hub on the same network as the client machine, for example, he could execute a “man-in-the-middle” attack. This would enable him to not only log all of the traffic between the machines but also manipulate it and insert any packets he chose.
“This wasnt very difficult to find, but you need to be looking for it,” Philipsen said of the Raptor flaw. “Its not something you normally look for in a penetration test.”
The vulnerable products include Raptor Firewall 6.5, Raptor Firewall 6.5.3, Enterprise Firewall 6.5.2, Enterprise Firewall V7.0, Enterprise Firewall 7.0, VelociRaptor Model 500/700/1000, VelociRaptor Model 1100/1200/1300 and Gateway Security 5110/5200/5300.
Symantec, based in Cupertino, Calif., issued a fix for the flaws, available here.
- Symantec Takes Laissez-Faire Tack
- Symantec Goes on Shopping Spree
- Symantec Debuts New Software Licensing Structure