Bugtraq mailing list archives
Security Advisory: Raptor Firewall Weak ISN Vulnerability
From: Kristof Philipsen <kristof.philipsen () ubizen com>
Date: Fri, 02 Aug 2002 14:10:30 +0200
+==================================================================+
| Ubizen Security Advisory: Raptor Firewall Weak ISN Vulnerability |
+==================================================================+
| kristof.philipsen () ubizen com           Friday August 02, 2002 |
+==================================================================+

AFFECTED SYSTEMS

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300
BRIEF DESCRIPTION

Raptor Firewall is Symantec's implementation of a firewalling/proxy
application. A problem exists within the IP stack implementation of
Raptor Firewall during the generation of the Initial Sequence Numbers
("ISNs"). The algorithm used for generating these ISNs is not
sufficiently random and could allow a remote attacker to hijack any
connection to or traversing the Raptor Firewall.
DETAILED DESCRIPTION

During the transport and forwarding of packets, Initial Sequence Numbers
("ISNs") are generated by the Raptor Firewall's IP stack. A weakness in
the generation of these ISNs could allow a remote attacker to easily
predict the sequence numbers for a certain session.

The generation of the ISNs is based on two factors: the source and
destination port, and the source and destination IP. For a single
connection, there is an initial sequence number which will not change
for a certain [long] amount of time. An example connection ("session")
can be described as follows:

    session = {[src ip:src port] [dst ip:dst port]}

An ISN is attributed to a specific session for a certain amount of time.
Below are some excerpts of real-life tests performed against a Raptor
Firewall, demonstrating this vulnerability. The following test sends
SYN packets from a source address [x.x.x.x] on a source port [1700] to
a destination address [z.z.z.z] on a destination port [80] over a
period of several minutes.
-------------------------------------------------------------------
Timeline   Connection                     ISN          Delta
-------------------------------------------------------------------
10:33:05   x.x.x.x:1700 -> z.z.z.z:80     2088144436   -
10:33:06   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
10:33:07   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
...
10:35:30   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
10:35:31   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
10:35:32   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
...
10:50:43   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
10:50:44   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0
10:50:45   x.x.x.x:1700 -> z.z.z.z:80     2088144436   0

As shown above, this test clearly shows that the Initial Sequence
Number does not change for a significant amount of time. Another test
showed that when an ISN is assigned to a session, this session and ISN
are stored for future use for a certain amount of time, regardless of
whether or not several new sessions are established from the same
source IP. This issue has been reproduced against 6 Raptor Firewalls,
each belonging to different administrative bodies.
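An added audit helper, not part of the advisory or of any Symantec code: it takes observations shaped like the table above (timestamp, connection, ISN), rebuilds the per-session Delta column and classifies each session's ISN behaviour so an operator can check their own firewall's sequence-number quality. The three sample sessions, the spread threshold and the verdict labels are assumptions constructed for this example.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed observations modelled on the advisory's table:
# (timestamp, source, destination, ISN observed for that SYN).
# The first session reproduces the advisory's finding (same ISN for
# 18 minutes); the other two are assumed counter-examples for comparison.
OBSERVATIONS = [
    ("10:33:05", "x.x.x.x:1700", "z.z.z.z:80", 2088144436),
    ("10:33:06", "x.x.x.x:1700", "z.z.z.z:80", 2088144436),
    ("10:35:30", "x.x.x.x:1700", "z.z.z.z:80", 2088144436),
    ("10:50:45", "x.x.x.x:1700", "z.z.z.z:80", 2088144436),
    ("10:33:05", "x.x.x.x:1701", "z.z.z.z:80", 1000),        # constant +64000 step
    ("10:33:06", "x.x.x.x:1701", "z.z.z.z:80", 65000),
    ("10:33:07", "x.x.x.x:1701", "z.z.z.z:80", 129000),
    ("10:33:05", "x.x.x.x:1702", "z.z.z.z:80", 0x1A2B3C4D),  # widely spread
    ("10:33:06", "x.x.x.x:1702", "z.z.z.z:80", 0x9F8E7D6C),
    ("10:33:07", "x.x.x.x:1702", "z.z.z.z:80", 0x07123456),
    ("10:33:08", "x.x.x.x:1702", "z.z.z.z:80", 0xC0FFEE00),
]

ISN_MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap

def isn_deltas(observations):
    """Group samples by (src, dst) and return the table's Delta column:
    each ISN minus the previous one, modulo 2^32 so wrap-around is not a jump."""
    isns = defaultdict(list)
    for _timestamp, src, dst, isn in observations:
        isns[(src, dst)].append(isn)
    return {session: [(b - a) % ISN_MODULUS for a, b in zip(seq, seq[1:])]
            for session, seq in isns.items()}

def assess_isn_quality(observations, min_samples=3, min_spread=2 ** 16):
    """'static' is the advisory's finding (ISN reused verbatim); 'weak' is a
    constant or narrowly spread increment; 'ok' means deltas spread widely
    over the 32-bit space. min_spread is an assumed heuristic threshold."""
    verdicts = {}
    for session, deltas in isn_deltas(observations).items():
        if len(deltas) + 1 < min_samples:
            verdicts[session] = "insufficient"
        elif all(d == 0 for d in deltas):
            verdicts[session] = "static"
        elif pstdev(deltas) < min_spread:
            verdicts[session] = "weak"
        else:
            verdicts[session] = "ok"
    return verdicts
```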
CHARACTERISTICS

* The ISN for each session is different, but for a single session the
  ISN doesn't change for a considerable amount of time.
* This could possibly allow an attacker to hijack the session.
* This issue affects all connections handled by the Raptor IP stack,
  including all sessions to and traversing the Raptor Firewall.

SEVERITY

This vulnerability can allow a remote attacker to potentially hijack
an existing connection to or traversing the Raptor Firewall.
Classification: medium to high

VENDOR STATUS

Symantec's Security Response Team (symsecurity () symantec com) was
contacted about this issue on Wednesday, July 03 2002. A coordinated
effort between Symantec and Ubizen has led to a quick resolution of
this issue. HotFixes are available to eradicate this vulnerability.
SOLUTION

Symantec has released HotFixes to resolve this issue. They can be
found at the following locations:

Technical Bulletin:
http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html

Patches and HotFixes:
http://www.symantec.com/techsupp/
--
---------------------------------------------------------------------
Kristof Philipsen
Security Engineer
Ubizen Luxembourg
http://www.ubizen.com
Tel: +352 26 31 05 85
Fax: +352 26 31 05 86
---------------------------------------------------------------------