Bugtraq mailing list archives
Borderware predictable initial TCP sequence numbers
From: Roy.Hills () NTA-MONITOR COM (Roy Hills)
Date: Tue, 1 Sep 1998 09:55:24 +0100
While performing an Internet security scan (aka penetration test) for a UK corporate customer, I've discovered that version 5 of Borderware Firewall generates predictable initial TCP sequence numbers in response to incoming SYNs. The observed pattern is the familiar "64k increments" often seen on older Unix kernels. This allows TCP connections to be established with a spoofed source address. I've only seen this behaviour on Borderware 5, but I suspect that this is a generic Kernel issue that would affect previous versions as well. Would anyone with earlier versions care to check to see if they are vulnerable? (If you want a test program, drop me an Email and I'll send you the C source of the tool I use). After being informed of this issue, Borderware Technologies, Inc. have reproduced the problem and plan to address it in the next release. As long as Borderware doesn't use source IP address for authentication, then this is probably not a serious issue. However, I guess that it would be possible to send "perfectly spoofed" Email - complete with fake connecting IP address using a spoofed SMTP session... It's surprised that such a well-known issue on a Firewall with significant market-share has not been discovered before. Does this mean that ICSA certification and field-testing failed to pick this up, or just failed to report it? Roy Hills NTA Monitor Ltd -- Roy Hills Tel: 01634 721855 NTA Monitor Ltd FAX: 01634 721844 6 Beaufort Court, Medway City Estate, Email: Roy.Hills () nta-monitor com Rochester, Kent ME2 4FB, UK WWW: http://www.nta-monitor.com/
Current thread:
- Borderware predictable initial TCP sequence numbers Roy Hills (Sep 01)
- Re: Borderware predictable initial TCP sequence numbers Gigi Sullivan (Sep 02)
- Re: Borderware predictable initial TCP sequence numbers Kevin Steves (Sep 02)
- Re: Borderware predictable initial TCP sequence numbers Gigi Sullivan (Sep 02)