Category: Device (Firewall) > Juniper ScreenOS
Vendors: NetScreen
NetScreen 'Malicious-URL' Feature Can Be Bypassed By Remote Users Via IP Fragmentation
SecurityTracker Alert ID:  1005710
SecurityTracker URL:  http://securitytracker.com/id/1005710
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Nov 26 2002
Impact:   Host/resource access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.7.1, 2.8, 3.0, 3.1, 4.0
Description:   A vulnerability was reported in NetScreen's 'Malicious-URL' feature. A remote user can bypass the filter.

CIRT.net reported a flaw in the 'Malicious-URL' blocking feature. The feature allows the firewall administrator to define a malicious URL pattern that is to be blocked. However, it is reported that if the URL in the HTTP header is split across several IP fragments, the feature can be circumvented.

Impact:   A remote user can bypass the protection mechanism and access protected URLs.
Solution:   The vendor has released a fixed version (4.0.1).
Vendor URL: www.netscreen.com/support/alerts/malicious_URL.html
Cause:   State error

Message History:   None.
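
The failure mode described above, as an added Python model that is not from the advisory or from ScreenOS: a matcher that inspects each fragment in isolation misses a pattern that straddles a fragment boundary, while one that holds fragments and matches the reassembled payload does not. The pattern, request, addresses, record layout and all function names are constructed assumptions, and offsets are plain byte offsets rather than the 8-byte units of a real IP header.

```python
from collections import defaultdict

PATTERN = b"/blocked-pattern"  # constructed stand-in for an admin-defined pattern
REQUEST = b"GET /blocked-pattern HTTP/1.0\r\n\r\n"  # constructed sample request

def fragment(payload, size, ident=1):
    """Constructed input: split one datagram payload into fragment records."""
    return [{"key": ("192.0.2.10", "198.51.100.5", ident), "offset": i,
             "more": i + size < len(payload), "data": payload[i:i + size]}
            for i in range(0, len(payload), size)]

def per_fragment_match(fragments, pattern=PATTERN):
    """Flawed model: each fragment is inspected in isolation."""
    return any(pattern in f["data"] for f in fragments)

class ReassemblingMatcher:
    """Hold fragments per datagram; match only the reassembled payload."""

    def __init__(self, pattern=PATTERN):
        self.pattern = pattern
        self.pending = defaultdict(dict)  # datagram key -> {offset: fragment}

    def feed(self, frag):
        """Return None while the datagram is incomplete, else True if it matches."""
        parts = self.pending[frag["key"]]
        parts[frag["offset"]] = frag
        payload = self._reassemble(parts)
        if payload is None:
            return None  # keep holding; nothing is passed on uninspected
        del self.pending[frag["key"]]
        return self.pattern in payload

    @staticmethod
    def _reassemble(parts):
        data = b""
        for offset in sorted(parts):
            if offset != len(data):
                return None  # gap or overlap: treat as incomplete
            data += parts[offset]["data"]
            if not parts[offset]["more"]:
                return data  # final fragment reached with no gaps
        return None

if __name__ == "__main__":
    frags = fragment(REQUEST, 8)
    print("per-fragment:", per_fragment_match(frags))
    matcher = ReassemblingMatcher()
    print("reassembled:", [matcher.feed(f) for f in reversed(frags)][-1])
```

A production reassembly buffer also needs a timeout and a memory bound on pending datagrams, which this model omits.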


 Source Message Contents

Subject:  Netscreen Malicious URL feature can be bypassed by fragmenting the request


Netscreen Malicious URL feature can be bypassed by fragmenting the request
http://www.cirt.net/advisories/netscreen.shtml

Product Description:
NetScreen Technologies Inc. is a leading developer of integrated network
security solutions that offer the security, performance and total cost of
ownership required by enterprises and carriers. NetScreen's innovative
solutions provide key security technologies, such as virtual private
network, denial of service protection, firewall and intrusion prevention, in
a line of easy-to-manage security appliances and systems.  NetScreen has
created a new function to assist in the containment of malicious worms
called the "User-Definable Malicious URL" feature.  This will cause
requests to be blocked that match the defined pattern.

Event Description:
From the command line a firewall administrator can define a Malicious URL
pattern to be blocked.  However, if a segmented request for a blocked
pattern is fragmented in the middle of the pattern, it will not be matched.
This can be accomplished using a tool such as fragroute available at
http://www.monkey.org/~dugsong/fragroute/

Risk Explanation:
The product does not function properly to help contain malicious worms

Applications Affected:
Tested on NS-100, SW v3.0.1r2.0, HW Version: 3110

Solution:
Upgrade to ScreenOS 4.0.1 release, which addresses the circumvention of the
Malicious URL feature using IP fragments.  Netscreen will make the release
available to their customers by 1:00PM on Monday (11/25/2002).

Timeline:
- The problem was reported to Netscreen via E-Mail on Tuesday, October 08,
2002 11:23 PM.
- Another email was sent to Netscreen via E-Mail on Tuesday, November 12,
2002 12:35 AM
- Response #1 was received acknowledging the issue on Thursday, November 14,
2002 9:25 PM
- Response #2 was received with the solution on Saturday, November 23, 2002
5:44 PM

Vendor Status:
Response #1: "NetScreen has received your e-mail regarding the Malicious URL
feature and we are currently in the process of developing a formal response
to this issue.  We are also readying changes to our product addressing this
issue which will be included in the upcoming ScreenOS 4.0.1 release.  We
request that you delay publicly announcing this issue until we have
officially released that software. We intend to release ScreenOS 4.0.1
before Thanksgiving.  We will contact you before the release date to
coordinate our announcements. Thank you for your cooperation."

Response #2: "We have finished the ScreenOS 4.0.1 release, which addresses
the circumvention of the Malicious URL feature using IP fragments.  We are
making the release available to our customers by 1:00PM on Monday (11/25).
We will be releasing a formal statement to bugtraq and CERT approximately 15
minutes later (at 1:15PM.)  If you will release an announcement of your own,
please refrain from sending them prior to our 11/25 1:00PM release date.  We
are delaying our alerts by 15 minutes in order for your announcement to
appear first. Thank you again for cooperating with our release schedule."

Contacts:
zel@firewallmonkeys.com
zel@cirt.net




 
 

