[ISN] Flaw discovered in Symantec firewall

From: InfoSec News (isnat_private)
Date: Thu Aug 08 2002 - 01:21:29 PDT


    http://www.nwfusion.com/news/2002/0805sym.html
    
    By Ellen Messmer
    Network World Fusion, 08/05/02 
    
    A vulnerability has been discovered in Symantec firewall products that
    would let a knowledgeable attacker hijack any connection to Symantec's
    software-based or appliance-based firewalls, thereby potentially
    gaining unauthorized access to internal corporate resources.
    
    The discovery was made by security services firm Ubizen July 3, which
    contacted Symantec about the vulnerability. Both companies agreed to
    refrain from publicizing the problem until Symantec had prepared a
    software fix. This remedy has now been made available at Symantec's
    Web site for eight basic models of its Raptor, Enterprise Firewall and
    VelociRaptor firewall products.
    
    The software patch remedies weaknesses in the algorithm used in the
    firewall to randomly generate initial sequence numbers. The main
    problem, it appears, is that the algorithm wasn't generating new
    sequence numbers quickly enough to thwart potential hijacking
    attempts.
    
    "The algorithm for generating sequence numbers was flawed but has now
    been fixed," said Kristof Philipsen, network security engineer at
    Ubizen. The algorithm had only been changing random sequence numbers
    every 35 minutes, which left a window of time for hackers to try to
    hijack the session or insert data.
    
    Philipsen said he discovered the problem when running a network
    penetration test on a customer's Symantec firewall using Ubizen's
    in-house tool called ISN Probe, which is available as an open-source
    tool for download over the Web.
    
    The Ubizen engineer acknowledged that the flaw that had existed in
    Symantec's random-number generator was not necessarily easy for an
    attacker to exploit. "It would require a lot of skill," Philipsen
    said.
    
    Potentially, though, attackers could hijack encrypted or unencrypted
    sessions of a user connecting to Symantec firewalls. The affected
    products include Raptor Firewall 6.5 based on Windows NT, Raptor
    Firewall 6.5.3 on Solaris, Symantec Enterprise Firewall 6.5.2 for
    Windows 2000 and NT, Symantec Enterprise Firewall v7.0 for Solaris,
    Windows 2000 and NT, the VelociRaptor Model 500/700/1000 and Models
    1100/1200/1300 as well as Symantec Gateway Security 5110/5200/5300.
    
    Philipsen said the software patch, which is easy to install, fixes the
    random-number generator problem.
    
    As to why it took a whole month for Symantec to prepare the software
    patch to fix the problem, Symantec's product manager Michele Araujo
    said Symantec was working closely with Ubizen on the algorithm flaw,
    but the process was slowed down when Ubizen employees close to the
    issue went on vacation.
    
    "This is much longer than usual for us," conceded Symantec senior
    director of product management Barry Cioe.
    
    Symantec has made the software fix available here [1].
    
    [1] http://securityresponse.symantec.com/
    
    
    
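Added example (not part of the article, and not Ubizen's ISN Probe): one way to check initial sequence numbers recorded from a device you operate for the weakness described above, assuming "changing every 35 minutes" means the same value is handed out throughout that window. The function names, thresholds and sample values are constructed for illustration.

```python
from collections import Counter

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def longest_static_window(samples):
    """Longest span (seconds) during which the observed ISN never changed.
    samples: list of (seconds, isn) tuples sorted by time."""
    longest = 0
    run_start, run_isn = samples[0]
    for t, isn in samples[1:]:
        if isn != run_isn:              # value changed: start a new run
            run_start, run_isn = t, isn
        longest = max(longest, t - run_start)
    return longest

def dominant_step(samples):
    """Most common ISN-to-ISN difference (mod 2**32) and its share of steps."""
    steps = [(b[1] - a[1]) % MOD for a, b in zip(samples, samples[1:])]
    step, count = Counter(steps).most_common(1)[0]
    return step, count / len(steps)

def assess(samples, max_static_seconds=1, max_step_share=0.5):
    """Thresholds are illustrative assumptions, not values from the article."""
    static = longest_static_window(samples)
    step, share = dominant_step(samples)
    return {
        "longest_static_seconds": static,
        "dominant_step": step,
        "dominant_step_share": share,
        "predictable": static > max_static_seconds or share > max_step_share,
    }

# Constructed sample data: one observation per minute.
# WEAK keeps one value for 35 minutes (2100 s) before switching to another.
WEAK_SAMPLES = [(t, 0x1A2B3C4D if t < 2100 else 0x9F8E7D6C)
                for t in range(0, 4200, 60)]
# GOOD shows a different, unrelated value on every observation.
GOOD_SAMPLES = [(0, 0x3C6EF372), (60, 0xA54FF53A), (120, 0x510E527F),
                (180, 0x9B05688C), (240, 0x1F83D9AB), (300, 0x5BE0CD19)]

if __name__ == "__main__":
    for name, data in (("weak", WEAK_SAMPLES), ("good", GOOD_SAMPLES)):
        print(name, assess(data))
```

With one observation per minute the measured static window is 2040 seconds, a lower bound on the real 2100-second window. The modular step check also catches a constant-increment generator across the 32-bit wrap.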