A number of Symantec firewalls, including popular Raptor models, have a security flaw that renders networks protected by the systems vulnerable to intrusion.
The flaw was disclosed to Symantec on July 3 by Ubizen, a security services provider that, ironically, soon after became a Symantec competitor. On July 17, Symantec announced it was acquiring Riptech, another security services provider.
Nonetheless, Ubizen worked with Symantec's Security Response Team to resolve the issue, which centers on how Raptor firewalls generate Initial Sequence Numbers (ISNs), which are used to identify IP sessions.
Ubizen says the Symantec firewalls use an algorithm that generates ISNs that are not sufficiently random, making it possible to predict - within certain parameters - the next number in a sequence. With that information, a hacker can hijack the session and gain access to internal resources.
This type of vulnerability is far from new; Microsoft issued patches for the same vulnerability to its Windows NT 4.0 systems back in 1999. Ubizen found the flaw because it had a homegrown tool made to sample ISNs to ensure they are random enough to thwart an attempted break-in.
Ubizen worked with Symantec to come up with a patch for its firewalls. The patch is available at http://securityresponse.symantec.com.
- Symantec firewalls affected by the flaw are:
- Raptor Firewall 6.5 for Windows NT and 6.5.3 for Solaris
- Symantec Enterprise Firewall 6.5.2 on Windows 2000 and NT; and version 7.0 on Solaris, Windows NT and NT
- VelociRaptor Models 500, 700, 1000, 1100, 1200 and 1300
- Symantec Gateway Security 5110, 5200 and 5300
Reprinted from esecurityplanet.com.