Category:   Application (Firewall)  >   Symantec Enterprise Firewall (Raptor) Vendors:   Symantec
Symantec Enterprise Firewall (Raptor Firewall) Uses Weak TCP Sequence Numbers That May Allow Remote Users to Hijack Sessions
SecurityTracker Alert ID:  1004935
SecurityTracker URL:  http://securitytracker.com/id/1004935
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 2 2002
Impact:   Host/resource access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.5, 6.5.2, 6.5.3, 7.0
Description:   A vulnerability was reported in the Symantec Enterprise Firewall (Raptor Firewall). The firewall uses weak TCP initial sequence numbers (ISNs) that are not sufficiently random and could allow a remote user to hijack connections.

Ubizen issued a security advisory warning that the ISNs generated by the Raptor firewall allow a remote user to predict the sequence numbers for a given TCP session. According to the report, the ISN is derived from the connection 4-tuple (source and destination IP address, source and destination port), and for a given 4-tuple it stays constant for a long period of time, so anyone who knows the endpoints of a session can obtain its ISN by sending a SYN for the same 4-tuple. Because Raptor is a proxy firewall and its own IP stack supplies the ISNs, this affects connections to the firewall as well as connections that traverse it.

A remote user could potentially hijack an existing connection to the firewall or one that traverses the firewall. Predictable ISNs matter because the attacker does not need to observe the traffic: spoofed segments carrying the correct sequence number are accepted by the receiving stack, which is what makes blind injection into, or hijacking of, a connection feasible.

The following systems and versions are reported to be vulnerable:

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300

Impact:   A remote user could potentially hijack sessions that traverse the firewall or sessions that connect to the firewall.
Solution:   The vendor has issued a fix, available at:

http://www.symantec.com/techsupp/

Vendor URL:  www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html
Cause:   Randomization error
Underlying OS:  UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  Security Advisory: Raptor Firewall Weak ISN Vulnerability


+==================================================================+
| Ubizen Security Advisory: Raptor Firewall Weak ISN Vulnerability |
+==================================================================+
| kristof.philipsen@ubizen.com		    Friday August 02, 2002 |
+==================================================================+


AFFECTED SYSTEMS

Raptor Firewall 6.5 (Windows NT)
Raptor Firewall V6.5.3 (Solaris)
Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
Symantec Enterprise Firewall V7.0 (Solaris)
Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
VelociRaptor Model 500/700/1000
VelociRaptor Model 1100/1200/1300
Symantec Gateway Security 5110/5200/5300 


BRIEF DESCRIPTION

Raptor Firewall is Symantec's firewalling/proxy application. A problem
exists in the way the Raptor Firewall IP stack generates Initial
Sequence Numbers ("ISNs"). The algorithm used for generating these
ISNs is not sufficiently random and could allow a remote attacker to
hijack any connection to or traversing the Raptor Firewall.


DETAILED DESCRIPTION

During the transport and forwarding of packets, Initial Sequence
Numbers ("ISNs") are generated by the Raptor Firewall's own IP stack
(Raptor proxies connections rather than passing them through), which
is why sessions traversing the firewall are affected as well as
sessions terminating on it. A weakness in the generation of these
ISNs allows a remote attacker to easily predict the sequence numbers
for a given session.

The ISN is derived from the connection 4-tuple: the source and
destination port, and the source and destination IP. For a single
connection there is an initial sequence number which does not change
for a certain [long] amount of time. A connection ("session") can be
described as follows:

 session = {[src ip:src port] [dst ip:dst port]}

An ISN is attributed to a specific session for a certain amount of
time. Below are some excerpts of real-life tests performed against a
Raptor Firewall, demonstrating this vulnerability. The test sends SYN
packets from a source address [x.x.x.x] on source port [1700] to a
destination address [z.z.z.z] on destination port [80] over a period
of several minutes; the Delta column is the difference between the
ISN returned for each SYN and the one before it.


-------------------------------------------------------------------
Timeline      Connection                      ISN             Delta 
-------------------------------------------------------------------
10:33:05      x.x.x.x:1700 -> z.z.z.z:80      2088144436      -
10:33:06      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
10:33:07      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
...
10:35:30      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
10:35:31      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
10:35:32      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
...
10:50:43      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
10:50:44      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0
10:50:45      x.x.x.x:1700 -> z.z.z.z:80      2088144436      0


This test shows that the Initial Sequence Number does not change for
a significant amount of time. Another test showed that once an ISN is
assigned to a session, the session and its ISN are stored for future
use for a certain amount of time, regardless of whether several new
sessions are established from the same source IP in the meantime.

This issue has been reproduced against  6  Raptor  Firewalls,  each
belonging to different administrative bodies. 
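The following is an added example, not code from the Ubizen advisory or from Symantec. It reproduces the analysis behind the table above over a constructed probe log (the same 4-tuple re-probed over the same 17-minute schedule, with the ISN copied from the table), flags any session whose ISN never moves, and contrasts two ISN sources: a hypothetical stand-in that only models the property the advisory reports (ISN a function of the 4-tuple, cached per session), which is an assumption and not Symantec's algorithm, and an RFC 6528-style generator (clock plus keyed hash of the 4-tuple). The secret key, cache lifetime and probe timestamps are constructed values.

```python
"""Added example (not the advisory's or Symantec's code): detect a constant
per-session ISN in a probe log, and contrast a hypothetical weak generator
with an RFC 6528-style one. The weak generator is an assumption that models
only the reported property; it is not the real Raptor algorithm."""
import hashlib
import hmac
from collections import defaultdict

SESSION = ("x.x.x.x", 1700, "z.z.z.z", 80)                # (src, sport, dst, dport)
PROBE_TIMES = [0, 1, 2, 145, 146, 147, 1058, 1059, 1060]  # seconds after 10:33:05
MASK32 = 0xFFFFFFFF

# Constructed observations: (t_seconds, src, sport, dst, dport, isn), ISN as in
# the advisory's table.
OBSERVATIONS = [(t,) + SESSION + (2088144436,) for t in PROBE_TIMES]


def isn_report(observations, min_span=60):
    """Group probes by 4-tuple, compute 32-bit ISN deltas between consecutive
    probes, and flag a session as predictable when the ISN stayed constant
    over at least min_span seconds."""
    by_session = defaultdict(list)
    for t, src, sport, dst, dport, isn in observations:
        by_session[(src, sport, dst, dport)].append((t, isn))
    report = {}
    for session, probes in by_session.items():
        probes.sort()
        deltas = [(b - a) & MASK32 for (_, a), (_, b) in zip(probes, probes[1:])]
        span = probes[-1][0] - probes[0][0]
        constant = all(d == 0 for d in deltas)
        report[session] = {
            "deltas": deltas,
            "span_seconds": span,
            "predictable": constant and span >= min_span,
        }
    return report


def weak_isn(session, cache, now, lifetime=1800):
    """Hypothetical model (assumption, not Raptor code): ISN derived from the
    4-tuple alone and remembered for `lifetime` seconds, so a repeated SYN
    for the same 4-tuple gets the same ISN regardless of other sessions."""
    entry = cache.get(session)
    if entry is not None and now - entry[0] < lifetime:
        return entry[1]
    isn = int.from_bytes(hashlib.sha256(repr(session).encode()).digest()[:4], "big")
    cache[session] = (now, isn)
    return isn


def rfc6528_isn(session, secret, now):
    """RFC 6528: ISN = (M + F(4-tuple, secret)) mod 2^32, with M a clock that
    ticks every 4 microseconds. F is keyed, so the per-session offset is not
    computable by an outsider, and M moves it forward for a repeated 4-tuple."""
    m = int(now * 250_000) & MASK32
    f = int.from_bytes(
        hmac.new(secret, repr(session).encode(), hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def probe_series(isn_for):
    """Replay the advisory's probe schedule against an ISN source."""
    return [(t,) + SESSION + (isn_for(SESSION, t),) for t in PROBE_TIMES]


def demo():
    """Return the reports for the captured table, the weak model and RFC 6528."""
    cache = {}
    secret = b"constructed-per-boot-secret"   # assumption: random key per host/boot
    captured = isn_report(OBSERVATIONS)
    weak = isn_report(probe_series(lambda s, t: weak_isn(s, cache, t)))
    strong = isn_report(probe_series(lambda s, t: rfc6528_isn(s, secret, t)))
    return captured, weak, strong


if __name__ == "__main__":
    for name, rep in zip(("captured", "weak model", "rfc6528"), demo()):
        r = rep[SESSION]
        print(f"{name:10s} span={r['span_seconds']}s deltas={r['deltas']} "
              f"predictable={r['predictable']}")
```

The captured table and the weak model both come out with every delta 0 over a 1060 s span and are flagged; the RFC 6528 source yields a delta of 250000 per elapsed second (the 4 microsecond clock) plus a keyed offset the prober cannot derive, so it is not flagged. The same `isn_report` can be fed timestamps and ISNs parsed from a packet capture of repeated SYN probes against any stack under test.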


CHARACTERISTICS

* The ISN for each session is different, but for a single session
  the ISN doesn't change for a considerable amount of time.

* This could possibly allow an attacker to hijack the session.

* This issue affects all sessions handled by the Raptor IP stack,
  including all sessions to and traversing the Raptor Firewall.


SEVERITY

This vulnerability can allow a remote attacker to potentially hijack
an existing connection to or traversing the Raptor Firewall.

Classification: medium to high


VENDOR STATUS

Symantec's Security Response Team (symsecurity@symantec.com) was
contacted about this issue on Wednesday, July 03 2002. A coordinated
effort between Symantec and Ubizen has led to a quick resolution of
this issue. HotFixes are available to eradicate this vulnerability.


SOLUTION

Symantec has released HotFixes to resolve this issue. They can be
found at the following locations:

Technical Bulletin:
   http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html

Patches and HotFixes: 
   http://www.symantec.com/techsupp/


-- 
---------------------------------------------------------------------
Kristof Philipsen                   Security Engineer
Ubizen Luxembourg                   http://www.ubizen.com
Tel: +352 26 31 05 85               Fax: +352 26 31 05 86
--------------------------------------------------------------------- 