Security Flaw Found in Symantec Firewall

A vulnerability has been discovered in Symantec firewall products that would let a knowledgeable attacker hijack any connection to Symantec's software-based or appliance-based firewalls, thereby potentially gaining unauthorized access to internal corporate resources.

The discovery was made by security services firm Ubizen July 3, which contacted Symantec about the vulnerability. Both companies agreed to refrain from publicizing the problem until Symantec had prepared a software fix. This remedy has now been made available at Symantec's Web site for eight basic models of its Raptor, Enterprise Firewall, and VelociRaptor firewall products.

The software patch remedies weaknesses in the algorithm used in the firewall to randomly generate initial sequence numbers. The main problem, it appears, is the algorithm wasn't generating new sequence numbers quickly enough to thwart potential hijacking attempts to break in.

Fixing the Flaw

"The algorithm for generating sequence numbers was flawed but has now been fixed," says Kristof Philipsen, network security engineer at Ubizen. The algorithm had only been changing random sequence numbers every 35 minutes, which left a window of time for hackers to try to hijack the session or insert data.

Philipsen says he discovered the problem when running a network penetration test on a customer's Symantec firewall using Ubizen's in-house tool called ISN Probe, which is available as an open-source tool for download over the Web.

The Ubizen engineer acknowledged that the flaw that had existed in Symantec's random-number generator was not necessarily easy for an attacker to exploit. "It would require a lot of skill," Philipsen says.

Potentially though, attackers could hijack encrypted or unencrypted sessions by a user connecting to Symantec firewalls. These include: Raptor Firewall 6.5 based on Windows NT; Raptor Firewall 6.5.3 on Solaris; Symantec Enterprise Firewall 6.5.2 for Windows 2000 and NT; Symantec Enterprise Firewall v7.0 for Solaris, Windows 2000, and NT; the VelociRaptor Model 500/700/1000 and Models 1100/1200/1300; as well as Symantec Gateway Security 5110/5200/5300.

Delayed Delivery

Philipsen says the software patch, which is easy to install, fixes the random-number generator problem.

As to why it took a whole month for Symantec to prepare the software patch to fix the problem, Symantec's product manager Michele Araujo says Symantec was working closely with Ubizen on the algorithm flaw, but the process was slowed down when Ubizen employees close to the issue went on vacation.

"This is much longer than usual for us," concedes Symantec senior director of product management Barry Cioe.

Symantec has made the software fix available on the company's Web site.