Flaw discovered in Symantec firewall

Researchers have discovered a flaw in Symantec's Raptor firewall that could allow attackers to hijack legitimate communications with a protected system.

The vulnerability lies in the way the software creates and uses random numbers -- called TCP Initial Sequence Numbers -- for each new connection. In order to speed performance, the system reuses the same number for connections coming from the same source IP address and TCP port for a short time after the initial connection is closed, researchers said. During this period, an attacker could use the IP address and TCP information for an earlier, legitimate connection and create a new, unauthorised connection, a technique called "spoofing".

This connection would appear to be coming from an address other than that of the real source, and could be used to carry out an attack.

In addition, researchers said that the way the ISN is generated is not random enough. "A weakness in the generation of these ISNs could allow a remote attacker to easily predict the sequence numbers for a certain session," said Kristof Philipsen, a security engineer with e-security firm Ubizen Luxembourg, which discovered the flaw.

Philipsen said that the generation of ISNs is based on two factors: the source and destination port number, and the source and destination IP address. The problem has been duplicated on six Raptor firewalls, according to Philipsen.

The systems affected are:

Ubizen and Symantec issued statements warning of the hole on Monday, and Symantec has issued a patch for the problem. Symantec's bulletin and patch are available on its Web site.

Have your say instantly, and see what others have said. Go to the Security forum.

Let the editors know what you think in the Mailroom.