[7847] in bugtraq
Borderware predictable initial TCP sequence numbers
daemon@ATHENA.MIT.EDU (Roy Hills)
Tue Sep 1 16:58:17 1998
Date: Tue, 1 Sep 1998 09:55:24 +0100
Reply-To: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
From: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
To: BUGTRAQ@NETSPACE.ORG
While performing an Internet security scan (aka penetration test) for a UK
corporate customer, I've discovered that version 5 of Borderware Firewall
generates predictable initial TCP sequence numbers in response to incoming
SYNs. The observed pattern is the familiar "64k increments" often seen
on older Unix kernels. This allows TCP connections to be established
with a spoofed source address.
I've only seen this behaviour on Borderware 5, but I suspect that this
is a generic Kernel issue that would affect previous versions as well.
Would anyone with earlier versions care to check to see if they are
vulnerable? (If you want a test program, drop me an Email and I'll
send you the C source of the tool I use).
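To make the "64k increments" observation checkable from recorded data, here is a small ISN predictability analyser (an added example; it is not the author's test tool and not Borderware code). It assumes the defender has already captured the initial sequence numbers from a series of consecutive probe connections; the samples embedded below are constructed, not real captures.

```python
import math
import random
from typing import Dict, List

# Constructed sample: ISNs as a defender might record them from the SYN/ACKs
# of eight consecutive probe connections. These imitate the "64k increments"
# pattern (0x10000 = 65536 between ISNs) described in the post; they are not
# real captures from any host.
PREDICTABLE_ISNS = [0x1A2B0000 + 0x10000 * i for i in range(8)]

# A second constructed sample with no usable structure, for comparison.
_rng = random.Random(1998)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(8)]


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2**32 (sequence numbers wrap)."""
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


def analyze_isns(isns: List[int]) -> Dict[str, object]:
    """Classify how predictable a host's ISN generator looks from a sample.

    Verdicts:
      'constant-increment' - every delta is identical (the classic 64k pattern)
      'predictable'        - deltas share a large GCD or vary very little
      'random'             - no structure detected in this sample
    """
    if len(isns) < 3:
        raise ValueError("need at least 3 ISN samples")
    deltas = isn_deltas(isns)
    gcd = 0
    for d in deltas:
        gcd = math.gcd(gcd, d)
    spread = max(deltas) - min(deltas)
    if spread == 0:
        verdict = "constant-increment"
    elif gcd >= 1024 or spread < 0x10000:
        verdict = "predictable"
    else:
        verdict = "random"
    return {"deltas": deltas, "gcd": gcd, "spread": spread, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("64k-increment", PREDICTABLE_ISNS), ("random", RANDOM_ISNS)):
        r = analyze_isns(sample)
        print(f"{name}: verdict={r['verdict']} gcd={r['gcd']:#x} spread={r['spread']:#x}")
```

A host whose verdict is anything other than "random" should be treated as exposed to the spoofed-connection problem the post describes, and the thresholds here are deliberately conservative assumptions rather than a standard.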
After being informed of this issue, Borderware Technologies, Inc. have
reproduced the problem and plan to address it in the next release.
As long as Borderware doesn't use source IP address for authentication, then
this is probably not a serious issue. However, I guess that it would be
possible to send "perfectly spoofed" Email - complete with fake connecting IP
address using a spoofed SMTP session...
It's surprising that such a well-known issue on a Firewall with significant
market-share has not been discovered before. Does this mean that ICSA
certification and field-testing failed to pick this up, or just failed to
report it?
Roy Hills
NTA Monitor Ltd
--
Roy Hills                                  Tel: 01634 721855
NTA Monitor Ltd                            FAX: 01634 721844
6 Beaufort Court, Medway City Estate,      Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK                WWW: http://www.nta-monitor.com/