Bugtraq mailing list archives

Borderware predictable initial TCP sequence numbers


From: Roy.Hills () NTA-MONITOR COM (Roy Hills)
Date: Tue, 1 Sep 1998 09:55:24 +0100


While performing an Internet security scan (aka penetration test) for a UK
corporate customer, I've discovered that version 5 of Borderware Firewall
generates predictable initial TCP sequence numbers in response to incoming
SYNs.  The observed pattern is the familiar "64k increments" often seen
on older Unix kernels.  This allows TCP connections to be established
with a spoofed source address.

I've only seen this behaviour on Borderware 5, but I suspect that this
is a generic Kernel issue that would affect previous versions as well.
Would anyone with earlier versions care to check to see if they are
vulnerable?  (If you want a test program, drop me an Email and I'll
send you the C source of the tool I use).

After being informed of this issue, Borderware Technologies, Inc. have
reproduced the problem and plan to address it in the next release.

As long as Borderware doesn't use source IP address for authentication, then
this is probably not a serious issue.  However, I guess that it would be
possible to send "perfectly spoofed" Email - complete with fake connecting IP
address using a spoofed SMTP session...

It's surprising that such a well-known issue on a Firewall with significant
market-share has not been discovered before.  Does this mean that ICSA
certification and field-testing failed to pick this up, or just failed to
report it?

Roy Hills
NTA Monitor Ltd

--
Roy Hills                                    Tel:   01634 721855
NTA Monitor Ltd                              FAX:   01634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills () nta-monitor com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/
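The post describes checking a device's initial TCP sequence numbers (ISNs) for the "64k increment" pattern. The following Python is an added example, not the C tool the author mentions and not code from Borderware or NTA Monitor: it takes a list of ISNs that an administrator has already observed from their own host (e.g. from a packet capture of several SYN/SYN-ACK exchanges) and reports whether the sequence is predictable. The ISN samples are constructed for illustration; the classification thresholds and the GCD "stride" metric are simplified heuristics assumed here, not a standard.

```python
"""Classify a set of observed TCP initial sequence numbers (ISNs) as
predictable or not, as a defensive self-check for a firewall or host.

Samples below are CONSTRUCTED to mimic the "64k increment" pattern the
post describes (including a wrap past 2^32); none come from a real device.
"""
from functools import reduce
from math import gcd

ISN_SPACE = 2 ** 32          # TCP sequence numbers are 32-bit and wrap
LOW_VARIATION_SPREAD = 2 ** 16  # assumed heuristic threshold, not a standard

# Constructed: constant 65536 steps, crossing the 32-bit wrap boundary.
PREDICTABLE_ISNS = [0xFFFD0000, 0xFFFE0000, 0xFFFF0000,
                    0x00000000, 0x00010000, 0x00020000]

# Constructed: values with no visible relationship between successive ISNs.
RANDOM_LIKE_ISNS = [0x8F3A1C77, 0x2B9E04D1, 0xD41F8A02,
                    0x0C77B3E9, 0x6A11F5C4, 0xB8D0296F]


def isn_deltas(isns):
    """Differences between successive ISNs, reduced modulo 2^32.

    Taking the difference modulo the sequence space means a step from
    0xFFFF0000 to 0x00000000 is reported as +65536, not as a huge negative.
    """
    return [(b - a) % ISN_SPACE for a, b in zip(isns, isns[1:])]


def isn_stride(isns):
    """Greatest common divisor of all deltas.

    A large GCD (e.g. 65536) means every ISN lands on a coarse grid, which
    leaves very few candidates for the next value even if the exact step
    varies. A GCD of 1 says nothing on its own.
    """
    return reduce(gcd, isn_deltas(isns))


def classify_isn_sequence(isns):
    """Return a coarse label for the sample:

    'constant'           - the ISN never changes
    'constant-increment' - every delta is identical (the post's 64k pattern)
    'low-variation'      - deltas differ, but only within a narrow band
    'high-variation'     - deltas spread across the sequence space
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    deltas = isn_deltas(isns)
    distinct = set(deltas)
    if distinct == {0}:
        return "constant"
    if len(distinct) == 1:
        return "constant-increment"
    spread = max(deltas) - min(deltas)
    if spread < LOW_VARIATION_SPREAD:
        return "low-variation"
    return "high-variation"


def isn_report(isns):
    """Summarise a sample as a dict suitable for logging or a scan report."""
    return {
        "samples": len(isns),
        "classification": classify_isn_sequence(isns),
        "stride_gcd": isn_stride(isns),
        "deltas": isn_deltas(isns),
    }


if __name__ == "__main__":
    for name, sample in (("predictable", PREDICTABLE_ISNS),
                         ("random-like", RANDOM_LIKE_ISNS)):
        print(name, isn_report(sample))
```

Anything other than "high-variation" on a current stack is worth raising with the vendor; a "constant-increment" result with a stride of 65536 is exactly the pattern the post reports. Half a dozen samples is enough to spot a fixed stride, but it is too few to vouch for good randomness, so the "high-variation" label only means the crude pattern is absent.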


