Vulnerability

Borderware Firewall predictable initial TCP sequence numbers

Affected

Systems running Borderware Firewalls v4 and v5

Description

Roy Hills found the following while performing an Internet security scan (aka penetration test). He discovered that version 5 of Borderware Firewall generates predictable initial TCP sequence numbers in response to incoming SYNs. The observed pattern is the familiar "64k increments" often seen on older Unix kernels. This allows TCP connections to be established with a spoofed source address.

This has been seen on Borderware 5, but one may suspect that this is a generic kernel issue that would affect previous versions as well. Tests indicate that both version 4 and version 5 of Borderware are vulnerable to this issue.

Solution

After being informed of this issue, Borderware Technologies, Inc. have reproduced the problem and plan to address it in the next release.

As long as Borderware doesn't use the source IP address for authentication, this is probably not a serious issue. However, it would be possible to send "perfectly spoofed" Email - complete with fake connecting IP address using a spoofed SMTP session...
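An added example, not part of the original advisory: a Python audit check that classifies initial sequence numbers sampled from a device's SYN/ACK replies by taking the greatest common divisor of their successive differences, which exposes the fixed-increment pattern noted in the Description. The sample values, the thresholds, and the reading of "64k" as a step of 64000 are assumptions made for illustration.

```python
"""Audit check: do sampled TCP initial sequence numbers follow a fixed step?"""
from functools import reduce
from math import gcd

MOD = 2 ** 32          # TCP sequence numbers are 32-bit and wrap around
MIN_SAMPLES = 6        # assumption: fewer samples make the gcd test unreliable
STEP_THRESHOLD = 1024  # assumption: a common divisor this large is not chance

# Constructed sample: every step is a multiple of 64000 (assumed meaning of
# "64k increments"), and the counter wraps past 2**32 after the second value.
SAMPLE_FIXED_STEP = [4294836224, 4294900224, 60928, 124928,
                     316928, 380928, 508928]
# Constructed sample with no common step between successive values.
SAMPLE_VARIED = [17, 1000020, 5000000, 123456789,
                 987654321, 4000000000, 5]


def isn_deltas(isns):
    """Forward differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isns(isns):
    """Return (verdict, step) for ISNs taken from successive SYN/ACKs."""
    if len(isns) < MIN_SAMPLES:
        return ("insufficient-samples", None)
    deltas = isn_deltas(isns)
    if all(d == 0 for d in deltas):
        return ("constant", 0)
    # A generator that adds a fixed quantum per connection or per clock tick
    # leaves every delta divisible by that quantum; independent 32-bit values
    # almost never share a large common divisor.
    step = reduce(gcd, deltas)
    if step >= STEP_THRESHOLD:
        return ("fixed-increment", step)
    return ("no-fixed-step", step)


if __name__ == "__main__":
    for name, sample in (("fixed", SAMPLE_FIXED_STEP),
                         ("varied", SAMPLE_VARIED)):
        print(name, classify_isns(sample))
```

A "fixed-increment" or "constant" verdict on samples from your own device means its sequence numbers should not be relied on to resist spoofed connections; "no-fixed-step" only rules out this one pattern and is not a measure of randomness.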