Researchers have discovered a flaw in Symantec's Raptor firewall that could allow attackers to hijack legitimate communications with a protected system.
The vulnerability lies in the way the software creates and uses random numbers -- called TCP Initial Sequence Numbers -- for each new connection. In order to speed performance, the system reuses the same number for connections coming from the same source IP address and TCP port for a short time after the initial connection is closed, researchers said. During this period, an attacker could use the IP address and TCP information for an earlier, legitimate connection and create a new, unauthorised connection, a technique called "spoofing".
This connection would appear to be coming from an address other than that of the real source, and could be used to carry out an attack.
In addition, researchers said that the way the ISN is generated is not random enough. "A weakness in the generation of these ISNs could allow a remote attacker to easily predict the sequence numbers for a certain session," said Kristof Philipsen, a security engineer with e-security firm Ubizen Luxembourg, which discovered the flaw.
Philipsen said that the generation of ISNs is based on two factors: the source and destination port number, and the source and destination IP address. The problem has been duplicated on six Raptor firewalls, according to Philipsen.
The systems affected are: