Category: Device (Firewall) > Juniper ScreenOS
Vendors: NetScreen
NetScreen Firewalls Allow Unauthorized Packets Through the Firewall to the DMZ
SecurityTracker Alert ID: 1001168
SecurityTracker URL:
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Mar 27 2001
Impact:   Host/resource access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): ScreenOS release 1.64, 1.66, 2.01, and 2.5
Description:   NetScreen announced a vulnerability in its NetScreen-10 and NetScreen-100 systems that, under certain circumstances, allows packets denied by the security policy to reach the "DMZ" network.

NetScreen issued an advisory regarding a vulnerability (bug ID 8166) in all current versions of ScreenOS software (ScreenOS release 1.64, 1.66, 2.01, and 2.5) for NetScreen-10 and NetScreen-100 systems.

Under certain circumstances, traffic that is otherwise configured to be blocked by the security policy configuration is able to reach the "DMZ" network. The vendor notes that traffic cannot reach the trusted network.

It is reported that the vulnerability only manifests after specific traffic patterns have been present for some time. Some packets (but not all packets) that the policy denies are then allowed to pass to the DMZ network; the vendor does not describe which traffic patterns trigger the condition or which packets leak.

Impact:   Some unauthorized packets may be allowed to pass through to the DMZ network interface.
Solution:   The vendor has released a fix.
Vendor URL:
Cause:   Access control error

Message History:   None.

Source Message Contents

Subject:  Netscreen: DMZ Network Receives Some "Denied" Traffic

/* Fwd from Netscreen List */

Dear NetScreen Customer:

This is an important NetScreen Security Advisory.

DMZ Network Receives Some "Denied" Traffic
For release Friday, March 23, 2001

An issue has been discovered (bug ID 8166) in all current versions of
ScreenOS software (ScreenOS release 1.64, 1.66, 2.01, and 2.5) for
NetScreen-10 and NetScreen-100 systems. The condition allows traffic that
should be blocked by the policy configuration, under certain
circumstances, to reach the DMZ network. Security for the trusted network
is not affected; the vulnerability does not allow "denied" traffic to
reach the trusted network. It appears that there is no way to exploit
this vulnerability to execute arbitrary commands on the device.

The condition exists in all modes of operation on the NetScreen-10 and
NetScreen-100 when the DMZ is active for network traffic. The
vulnerability manifests itself only after specific traffic patterns have
been present for some time. The result is that some packets that are
denied by the policy configuration in fact are allowed to pass to the DMZ
network. It does not allow all denied packets to pass; only a select few
packets may incorrectly be passed.

To date no malicious exploitation of the vulnerability has been reported.

A software fix has been created for this vulnerability and has been made
available to all affected customers. The impact is considered medium, and
NetScreen strongly encourages all affected users to update their version

This notice is being released in order to enable all affected NetScreen
customers to take immediate steps to remove this vulnerability. All
affected customers should read the details of this advisory and follow
the suggestions for correction as described in the FIXES section of this
advisory (below).

Who is Affected?
If you or your customers are using a NetScreen-10 or NetScreen-100
security appliance running a release of version 1.64, 1.66, 2.0, or 2.5
of the device's software then you are affected. If you or your customers
have any previous version of the appliance software then you may also be
susceptible, but it has not been tested.

Affected Devices:

      o   All NetScreen-10s
      o   All NetScreen-100s

If you are unsure what version of the appliance software you are running,
the information is available from the CLI or the WebUI. To find out,
follow these simple instructions:

      o   At the WebUI, use the "Configure" button under system on the left
          navigation panel.
      o   From the CLI, at the prompt, issue the command "get system". The
          second item displayed on the first line is "SW Version/Checksum:".
          The number immediately following this colon, before the "/", is
          the running version.

The severity of the impact will vary based upon the device configuration
and environment. Though these conditions are rare in most networks, all
affected devices and configurations (see "Who is Affected") are advised
to assume the vulnerability could affect their network and take action
immediately to erase the vulnerability.

The vulnerability could be exploited to pass undesirable traffic to the
DMZ network, potentially impacting systems on that network.

Software Version and Fixes
All previous released versions of ScreenOS for NetScreen-10 and
NetScreen-100 are susceptible to the vulnerability.

The problem has been resolved in the following versions of ScreenOS:

Version     Resolved In
1.6x        1.66r2 for NetScreen-10 and
2.0         2.01r8 for NetScreen-10 and
2.5         2.5.0r6 for NetScreen-10 and

Customers are urged to upgrade to a supported release. Customers with a
non-release version of the appliance software based on either of these
release versions will want to check with their Technical Account Manager
or our Technical Support department to verify whether your version is
affected. Implementing the fixed software is a certain way to alleviate
any doubt.

Getting Fixed Software
If you have registered your product with NetScreen and have a service
contract, you can simply download the software from:

You will be prompted for your User ID and Password. Enter the whole or
part of your company name as your User ID and enter your registered
NetScreen device serial number as the password.

If you have not yet registered your product with NetScreen, you will need
to contact NetScreen Technical Support for special instructions on how to
obtain the fixed software. NetScreen Technical Support can be reached
from 8 a.m. to 5 p.m. pacific time Monday through Friday excluding
weekends and observed holidays. You may contact them via email at or by phone at 408-730-6000

Please reference this Advisory title as evidence of your entitlement to
the fixed software version.

NetScreen Authorized Partners have access to NetScreen software versions
and may also be a channel through which to obtain the new release.

Work Arounds
Do not use the DMZ for network traffic.

Exploitation, Announcement and Response
NetScreen has no reports of malicious exploitation of this vulnerability.
However, the nature of this vulnerability is such that it may be used to
create denial of service attacks.

NetScreen knows of no public announcements or discussion of this
vulnerability before the date of this notice.

This notice will be entered into NetScreen's Support Knowledge Base and
can be viewed by registered customers on our support web site at

In addition to Web posting, this advisory is being sent to the following
email lists:

      o   Identified affected customers
      o   NetScreen Authorized Partners
      o   Various internal NetScreen mail lists

This notice is copyright 2001 by NetScreen Technologies, Inc. This notice
may be redistributed freely after the release date given at the top of
the text, provided that redistributed copies are complete and unmodified,
including all date and version information.

Erik Parker
Mind Security

"If you think technology can solve your security problems,
then you don't understand the problems and you don't understand
the technology."
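The advisory asks administrators to read the running version from "get system" and compare it against the fixed release for their ScreenOS train (1.66r2, 2.01r8 or 2.5.0r6). The script below is an added example written for this archive page; it is not NetScreen's or SecurityTracker's code. It assumes ScreenOS release strings have the shape seen in the advisory ("major.minor[.patch]rN"), and the sample "get system" line is constructed here only to show the parse: the real layout beyond the "SW Version/Checksum:" label and the "/" separator is an assumption. Builds that do not match the plain release pattern are reported as "verify with vendor", matching the advisory's guidance for non-release software, and releases older than the 1.6x train are treated as affected because the advisory says they were not tested.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed releases per train, from the advisory's "Software Version and Fixes" table.
FIXED_RELEASES = {
    "1.6x": "1.66r2",
    "2.0": "2.01r8",
    "2.5": "2.5.0r6",
}

# Constructed sample of a "get system" first line (layout is an assumption;
# only the "SW Version/Checksum: <version>/<checksum>" part comes from the advisory).
SAMPLE_GET_SYSTEM = "Product Name: NetScreen-100  SW Version/Checksum: 2.5.0r4/6b1f2c90"

# Plain release build: dotted numbers followed by an "rN" maintenance release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)r(\d+)$")


class ScreenOSVersion(NamedTuple):
    numbers: Tuple[int, int, int]  # (major, minor, patch), zero-padded
    release: int                   # the N in "rN"


def parse_version(text: str) -> Optional[ScreenOSVersion]:
    """Parse strings such as 2.5.0r6, 2.01r8 or 1.66r2.

    Returns None for anything that is not a plain release build (for
    example 2.5.0r4.1), which the advisory says to check with the vendor.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))            # "2.01" -> (2, 1, 0), "1.66" -> (1, 66, 0)
    return ScreenOSVersion((parts[0], parts[1], parts[2]), int(m.group(2)))


def train_of(v: ScreenOSVersion) -> Optional[str]:
    """Map a parsed version onto one of the advisory's three trains."""
    major, minor, _ = v.numbers
    if major == 1 and 60 <= minor <= 69:        # 1.64, 1.66, ...
        return "1.6x"
    if major == 2 and minor in (0, 1):          # 2.0 and 2.01 are the same train
        return "2.0"
    if major == 2 and minor == 5:
        return "2.5"
    return None


def running_version_from_get_system(output: str) -> Optional[str]:
    """Extract the version: the token after 'SW Version/Checksum:' and before '/'."""
    m = re.search(r"SW Version/Checksum:\s*([^/\s]+)/", output)
    return m.group(1) if m else None


def assess(version_text: str) -> str:
    """Classify a running version as fixed, vulnerable or needing vendor confirmation."""
    v = parse_version(version_text)
    if v is None:
        return f"unknown: {version_text} is not a plain release build, verify with vendor"
    train = train_of(v)
    if train is None:
        if v.numbers < (1, 60, 0):
            return f"vulnerable: {version_text} predates 1.6x, untested per advisory, assume affected"
        return f"unknown: {version_text} is not in a train listed by the advisory, consult vendor"
    fixed_text = FIXED_RELEASES[train]
    fixed = parse_version(fixed_text)
    if (v.numbers, v.release) >= (fixed.numbers, fixed.release):
        return f"fixed: {version_text} >= {fixed_text}"
    return f"vulnerable: {version_text} < {fixed_text} (bug ID 8166)"


if __name__ == "__main__":
    running = running_version_from_get_system(SAMPLE_GET_SYSTEM)
    print("running:", running)
    print(assess(running))
    for sample in ("1.64r3", "1.66r2", "2.0r5", "2.01r8", "2.5.0r4.1", "1.5r1"):
        print(sample, "->", assess(sample))
```

The comparison is done per train rather than globally because the fix landed as a maintenance release on each branch: a 2.0 box on 2.01r7 is still affected even though it is "newer" than a fixed 1.66r2 box. Until the upgrade is applied, the only workaround the advisory offers is to keep the DMZ interface out of service.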

