Category:   Device (Firewall)  >   Juniper ScreenOS
Vendors:   NetScreen
NetScreen Firewalls Can Be Crashed By Remote Users When SSH is Enabled for Remote Management
SecurityTracker Alert ID:  1005512
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Nov 1 2002
Original Entry Date:  Nov 1 2002
Impact:   Denial of service via network
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Confirmed on NetScreen-25; others may be affected
Description:   A denial of service vulnerability was reported in NetScreen's firewall products. A remote user may be able to cause the device to crash if SSH is enabled on the device.

A remote user can send malformed messages to the SSH management port to cause the device to crash, requiring a hard reboot to return to normal operations.

The crash can reportedly be triggered by exploit utilities built to test the SSH1 CRC32 compensation attack detector code flaw that was reported in February 2001 by BindView RAZOR as a general SSH bug. However, the vendor indicates that the NetScreen bug is not the CRC32 bug, but rather, is a new bug in their implementation. HD Moore at Digital Defense is credited with discovering the new bug.

According to the report, SSH is not enabled by default and, when it is enabled, is usually configured for access from the trusted interface only.

Impact:   A remote user can cause the device to crash. A hard boot is required to return the device to normal operation.
Solution:   No solution was available at the time of this entry.

The vendor reportedly plans to release a fix shortly.

As a temporary workaround, users can disable the SSH management port until a fix is available.
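
As an added example (not part of the original advisory or any vendor tooling), a small Python check for confirming the workaround from a given network vantage point: it connects to the SSH management port, reads only the server's identification line, and reports whether the port is still reachable and whether the server accepts protocol 1, which is what the SSH1 CRC32 test utilities mentioned above speak. Port 22, the function names, and the verdict strings are assumptions of this example.

```python
import re
import socket
import sys

# Identification line: "SSH-<protoversion>-<softwareversion>", e.g. "SSH-1.5-..."
IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")

def classify_banner(line):
    """Map an SSH identification line to 'ssh1', 'ssh1+ssh2', 'ssh2' or 'not-ssh'."""
    m = IDENT.match(line.strip())
    if not m:
        return "not-ssh"
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return "ssh1+ssh2"  # 1.99: protocol 2 server that still accepts protocol 1
    return "ssh1" if major == 1 else "ssh2"

def assess(reachable, banner=""):
    """Verdict for one device as seen from the host running the check."""
    if not reachable:
        return "OK: SSH management port not reachable"
    proto = classify_banner(banner)
    if proto == "not-ssh":
        return "REVIEW: port open, no SSH identification received"
    return "EXPOSED: SSH management reachable (%s)" % proto

def probe(host, port=22, timeout=3.0):
    """Connect once, read the server's identification line, send nothing."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return assess(False)
    with sock:
        try:
            data = sock.recv(256)
        except OSError:  # connected, but the peer stayed silent
            data = b""
    return assess(True, data.split(b"\n", 1)[0].decode("ascii", "replace"))

if __name__ == "__main__":
    # Usage: python check_ssh_mgmt.py <firewall-address> [...]
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it once from the trusted side and once from an untrusted segment; with the workaround applied, both runs should report the port as not reachable.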

Vendor URL:
Cause:   Exception handling error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: NetScreen Firewalls Can Be Crashed By Remote Users When SSH is Enabled for Remote Management
NetScreen has issued a fix.

 Source Message Contents

Subject:  [VulnWatch] Netscreen SSH1 CRC32 Compensation Denial of service

Discovered by: HD Moore
Products Tested: Netscreen-25 (All models expected to be vulnerable)
Vendor contacted: October 23rd
Vendor confirmed: October 23rd
CVE: CVE-2001-0144 covered this bug.

Original Bug discovered by: Michal Zalewski of the BindView RAZOR Team.

In February of 2001, BindView's RAZOR Team announced the SSH1 CRC32 
compensation attack detector bug. After all was said and done, several 
vendors found their SSH implementations were vulnerable.  Netscreen seems 
to have overlooked this for a year and 8 months.

By default the Netscreen does not ship with SSH enabled, and Netscreen 
usually doesn't encourage their customers to even access the CLI on their 
devices. However, in the GUI you can enable SSH, and disable telnet. This 
only opens SSH on the trusted interfaces, unless you specifically add 
rules to forward to this interface/port. On a normal system with SSH 
enabled, the unit will only be vulnerable to attackers on the trusted side.

If you use any of the CRC32 exploits out there, the unit will crash 
immediately, and require a hard reboot. It does not appear from our 
analysis that anything more than a crash can occur from this. 

The vendor assured a response with an ETA to a fix by October 25th. After 
trying to get more information from them a few times after October 25th 
passed, it has fallen on deaf ears. 

Erik Parker
Digital Defense, Inc.

