Is the ProxySG or Advanced Secure Gateway vulnerable to CVE-2004-0230?


Article ID: 166639


Updated On:


Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


You want to know if the ProxySG or Advanced Secure Gateway (ASG) appliances are vulnerable to CVE-2004-0230, "TCP Sequence Number Approximation Based Denial of Service".


The ProxySG appliance is hardened against this sort of attack. The appliance compares the incoming sequence number to the last ACK we sent and the next sequence number we expect to receive.  If it is not equal to or is within 1 in either direction, we drop the packet.  Thus, if the attacker is not snooping on the network, they would need to do the following:

  1. Guess the connection 4-tuple
  2. Guess an acceptable sequence number -- a 3 in 4 billion chance
The impact would be that the connection would be dropped if the attacker were able to figure out the correct 4-tuple and sequence number.