Flaw discovered in Symantec firewall

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2002/0805sym.html

By Ellen Messmer
Network World Fusion, 08/05/02 

A vulnerability has been discovered in Symantec firewall products that
would let a knowledgeable attacker hijack any connection to Symantec's
software-based or appliance-based firewalls, thereby potentially
gaining unauthorized access to internal corporate resources.

The discovery was made by security services firm Ubizen July 3, which
contacted Symantec about the vulnerability. Both companies agreed to
refrain from publicizing the problem until Symantec had prepared a
software fix. This remedy has now been made available at Symantec's
Web site for eight basic models of its Raptor, Enterprise Firewall and
VelociRaptor firewall products.

The software patch remedies weaknesses in the algorithm used in the
firewall to randomly generate initial sequence numbers. The main
problem, it appears, is the algorithm wasn't generating new sequence
numbers quickly enough to thwart potential hijacking attempts to break
in.

"The algorithm for generating sequence numbers was flawed but has now
been fixed," said Kristof Philipsen, network security engineer at
Ubizen. The algorithm had only been changing random sequence numbers
every 35 minutes, which left a window of time for hackers to try to
hijack the session or insert data.

Philipsen said he discovered the problem when running a network
penetration test on a customer's Symantec firewall using Ubizen's
in-house tool called ISN Probe, which is available as an open-source
tool for download over the Web.

The Ubizen engineer acknowledged that the flaw that had existed in
Symantec's random-number generator was not necessarily easy for an
attacker to exploit. "It would require a lot of skill," Philipsen
said.

Potentially though, attackers could hijack encrypted or unencrypted
sessions by a user connecting to Symantec firewalls. These include:  
Raptor Firewall 6.5 based on Windows NT, Raptor Firewall 6.5.3 on
Solaris, Symantec Enterprise Firewall 6.5.2 for Windows 2000 and NT,
Symantec Enterprise Firewall v7.0 for Solaris, Windows 2000 and NT,
the VelociRaptor Model 500/700/1000 and Models 1100/1200/1300 as well
as Symantec Gateway Security 5110/5200/5300.

Philipsen said the software patch, which is easy to install, fixes the
random-number generator problem.

As to why it took a whole month for Symantec to prepare the software
patch to fix the problem, Symantec's product manager Michele Araujo
said Symantec was working closely with Ubizen on the algorithm flaw,
but the process was slowed down when Ubizen employees close to the
issue went on vacation.

"This is much longer than usual for us," conceded Symantec senior
director of product management Barry Cioe.

Symantec has made the software fix available here [1].

[1] http://securityresponse.symantec.com/



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.