Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: Kristof Philipsen (kristof.philipsen_at_ubizen.com)
Date: Fri Aug 02 2002 - 07:10:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    | Ubizen Security Advisory: Raptor Firewall Weak ISN Vulnerability |
    | kristof.philipsenubizen.com Friday August 02, 2002 |


    Raptor Firewall 6.5 (Windows NT)
    Raptor Firewall V6.5.3 (Solaris)
    Symantec Enterprise Firewall 6.5.2 (Windows 2000 and NT)
    Symantec Enterprise Firewall V7.0 (Solaris)
    Symantec Enterprise Firewall 7.0 (Windows 2000 and NT)
    VelociRaptor Model 500/700/1000
    VelociRaptor Model 1100/1200/1300
    Symantec Gateway Security 5110/5200/5300


    Raptor Firewall is Symantec's implementation of a firewalling/proxy
    application. A problem exists within the IP stack implementation of
    Raptor Firewall during the generation of the Initial Sequence
    Numbers ("ISNs"). The algorithm used for generating these ISNs is
    not sufficiently random and could allow a remote attacker to hijack
    any connection to or traversing the Raptor Firewall.


    During the transport and forwarding of packets, Initial Sequence
    Numbers ("ISNs") are generated by the Raptor Firewall's IP stack. A
    weakness in the generation of these ISNs could allow a remote
    attacker to easily predict the sequence numbers for a certain

    The generation of the ISNs is based on two factors: the source and
    destination port, and the source and destination IP. For a single
    connection, there is an initial sequence number which will not
    change for a certain [long] amount of time. An example connection
    ("session") can be described as follows:

     session = {[src ip:src port] [dst ip:dst port]}

    An ISN is attributed to a specific sessions for a certain amount of
    time. Below are some excerpts of real-life tests performed against
    a Raptor Firewall, demonstrating this vulnerability. The following
    tests sends SYN packets from a source address [x.x.x.x] on a
    source-port [1700] to a destination address [z.z.z.z] on a
    destination port [80] over a period of several minutes.

    Timeline Connection ISN Delta
    10:33:05 x.x.x.x:1700 -> z.z.z.z:80 2088144436 -
    10:33:06 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:33:07 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:35:30 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:35:31 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:35:32 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:50:43 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:50:44 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0
    10:50:45 x.x.x.x:1700 -> z.z.z.z:80 2088144436 0

    As shown above, this test clearly shows that the Initial Sequence
    Number does not change for a significant amount of time. Another
    test showed that when an ISN is assigned to a session, this session
    and ISN are stored for future use for a certain amount of time,
    regardless whether or not several new sessions are established from
    the same source IP.

    This issue has been reproduced against 6 Raptor Firewalls, each
    belonging to different administrative bodies.


    * The ISN for each session is different, but for a single session
      the ISN doesn't change for a considerable amount of time.

    * This could possibly allow an attacker to hijack the session.

    * This issue affects all vulnerabilities handled by the Raptor IP
      stack, including all sessions to and traversing the Raptor


    This vulnerability can allow a remote attacker to potentially
    hijack an existing connection to or traversing the Raptor Firewall.

    Classification: medium to high


    Symantec's Security Response Team (symsecuritysymantec.com) was
    contacted about this issue on Wednesday, July 03 2002. A
    coordinated effort between Symantec and Ubizen has lead to quick
    resolution of this issue. HotFixes are available to eradicate
    this vulnerability.


    Symantec has released HotFixes to resolve this issue. They can
    be found at the following locations:

    Technical Bulletin:

    Patches and HotFixes:

    Kristof Philipsen                   Security Engineer
    Ubizen Luxembourg                   http://www.ubizen.com
    Tel: +352 26 31 05 85               Fax: +352 26 31 05 86