Flaw discovered in Symantec firewall

A weakness in the way new connections are handled could allow an attacker to hijack any session, according to researchers

Researchers have discovered a flaw in Symantec's Raptor firewall that could allow attackers to hijack legitimate communications with a protected system.

The vulnerability lies in the way the software creates and uses random numbers -- called TCP Initial Sequence Numbers -- for each new connection. In order to speed performance, the system reuses the same number for connections coming from the same source IP address and TCP port for a short time after the initial connection is closed, researchers said. During this period, an attacker could use the IP address and TCP information for an earlier, legitimate connection and create a new, unauthorised connection, a technique called "spoofing".

This connection would appear to be coming from an address other than that of the real source, and could be used to carry out an attack.

In addition, researchers said that the way the ISN is generated is not random enough. "A weakness in the generation of these ISNs could allow a remote attacker to easily predict the sequence numbers for a certain session," said Kristof Philipsen, a security engineer with e-security firm Ubizen Luxembourg, which discovered the flaw.

Philipsen said that the generation of ISNs is based on two factors: the source and destination port number, and the source and destination IP address. The problem has been duplicated on six Raptor firewalls, according to Philipsen.

The systems affected are:

  • Raptor Firewall 6.5 for Windows NT
  • Raptor Firewall V6.5.3 for Solaris
  • Symantec Enterprise Firewall 6.5.2 for Windows 2000 and NT
  • Symantec Enterprise Firewall V7.0 for Solaris
  • Symantec Enterprise Firewall 7.0 for Windows 2000 and NT
  • VelociRaptor Model 500/700/1000
  • VelociRaptor Model 1100/1200/1300
  • Symantec Gateway Security 5110/5200/5300
  • Ubizen and Symantec issued statements warning of the hole on Monday, and Symantec has issued a patch for the problem. Symantec's bulletin and patch are available on its Web site.

    For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Viruses and Hacking News Section.

    Have your say instantly, and see what others have said. Go to the Security forum.

    Let the editors know what you think in the Mailroom.