NetScreen Firewalls Can Be Made Unresponsive By a Remote User on the Trusted Interface Side Conducting Port Scans Through the Firewall
SecurityTracker Alert ID: 1003421
SecurityTracker URL: http://securitytracker.com/id/1003421
Date: Feb 1 2002
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): prior to 3.1; tested on NetScreen 5
A denial of service vulnerability was reported in NetScreen firewalls (ScreenOS). A remote user on the trusted interface can cause the interface to hang.
It is reported that a remote user on the trusted (internal) interface can conduct a port scan on an external IP address to consume available sessions on the firewall. This can reportedly cause the entire trusted interface to become unresponsive.
A remote user on the internal (trusted) interface can cause the interface to become unresponsive.
It is reported that NetScreen has issued a fix (version 3.1). An update to ScreenOS 3.1 is apparently available for the NetScreen 200 or 500 models and reportedly will be available for all other models on April 1, 2002.
Vendor URL: www.netscreen.com/
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: 1 Feb 2002 15:06:49 -0000
Subject: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS

Problem: NetScreen ScreenOS 2.6.1 subject to Trust Interface DoS Attack

Company Info: NetScreen Technologies are the manufacturers of some of the industry's highest quality VPN and firewall equipment. For more information please see http://www.netscreen.com.

What's affected: The ScreenOS is the heart of the NetScreen products. This allows for the firewall configuration/management. Apparently all versions before ScreenOS 3.1 are affected. This vulnerability can only occur from within the "trusted" network, or from a machine connected to the "trust" interface. External attempts will not cause any problems/DoS.

Exploit: Someone within the trusted side of the network can attempt a portscan on an external IP address. When the scan runs it appears to consume all of the available sessions. This, in turn, causes a DoS to the entire trusted interface. The only way I got my device to recover quickly was to perform a reset. A recovery might be possible without a reset, but after about 5 minutes of waiting, mine never recovered. This exploit may or may not work on your device. My testing was performed on a NetScreen 5. The higher-end, pricier models may take longer to "eat up" all the available sessions, thus taking longer for a DoS to occur.

I have contacted NetScreen in regards to the issue. I received a response back that the problem is a known issue. It has been addressed in ScreenOS 3.1. An update to ScreenOS 3.1 is available for anyone with a NetScreen 200 or 500. For all other models, the update to ScreenOS 3.1 will be available on April 1, 2002.

I'd love to hear if anyone else has noticed this, or if other models are affected by this issue.
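
A defender-side detection for the session exhaustion described in this advisory, as an added example that is not part of the original advisory or message: it replays connection events and flags a trusted-side source that holds a large share of the session table with many distinct ports on one external address. The event tuple format, table capacity, timeout and thresholds are assumptions for illustration, not NetScreen values.

```python
from collections import defaultdict, deque

# Assumed values for illustration; not taken from any NetScreen specification.
SESSION_TIMEOUT = 60      # seconds an unanswered session occupies a table slot
TABLE_CAPACITY = 2000     # total session slots on the hypothetical device
PER_SOURCE_SHARE = 0.25   # alert when one source holds this share of the table
MIN_DISTINCT_PORTS = 100  # many ports on one destination indicates a scan


def find_session_hogs(events):
    """events: iterable of (ts, src_ip, dst_ip, dst_port), sorted by ts.

    Returns {src_ip: (peak_sessions, dst_ip, distinct_ports)} for sources whose
    live sessions to a single destination reach the per-source share limit.
    """
    live = defaultdict(deque)  # (src, dst) -> deque of (ts, port), oldest first
    alerts = {}
    limit = int(TABLE_CAPACITY * PER_SOURCE_SHARE)
    for ts, src, dst, port in events:
        q = live[(src, dst)]
        q.append((ts, port))
        # Sessions older than the timeout have been aged out of the table.
        while q and q[0][0] <= ts - SESSION_TIMEOUT:
            q.popleft()
        if len(q) < limit:
            continue
        ports = {p for _, p in q}
        # Record only a new peak so the result describes the worst moment.
        if len(ports) >= MIN_DISTINCT_PORTS and len(q) > alerts.get(src, (0,))[0]:
            alerts[src] = (len(q), dst, len(ports))
    return alerts


def sample_events():
    """Constructed traffic: one scanning host and one ordinary client."""
    scan = [(i // 10, "10.0.0.23", "198.51.100.7", i + 1) for i in range(1000)]
    web = [(3 * i, "10.0.0.5", f"203.0.113.{i + 1}", 443) for i in range(30)]
    return sorted(scan + web, key=lambda e: e[0])


if __name__ == "__main__":
    for src, (peak, dst, ports) in find_session_hogs(sample_events()).items():
        print(f"{src}: {peak} live sessions to {dst} across {ports} ports")
```

The same per-source ceiling, enforced on the device rather than only alerted on, keeps a single trusted host from filling the table.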