NetScreen 'Malicious-URL' Feature Can By Bypassed By Remote Users Via IP Fragmentation
SecurityTracker Alert ID: 1005710|
SecurityTracker URL: http://securitytracker.com/id/1005710
(Links to External Site)
Date: Nov 26 2002
Host/resource access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 2.7.1, 2.8, 3.0, 3.1, 4.0|
A vulnerability was reported in NetScreen's 'Malicious-URL' feature. A remote user can bypass the filter.|
CIRT.net reported a flaw in the 'Malicious-URL' blocking feature. The feature allows the firewall adminsitrator to define a malicious URL pattern that is to be blocked. However, it is reported that if the URL in the HTTP header is split into several IP fragments, the feature can be circumvented.
A remote user can bypass the protection mechanism and access protected URLs.|
The vendor has released a fixed version (4.0.1).|
Vendor URL: www.netscreen.com/support/alerts/malicious_URL.html (Links to External Site)
Source Message Contents
Subject: Netscreen Malicious URL feature can be bypassed by fragmenting the request|
Netscreen Malicious URL feature can be bypassed by fragmenting the request
NetScreen Technologies Inc. is a leading developer of integrated network
security solutions that offer the security, performance and total cost of
ownership required by enterprises and carriers. NetScreen's innovative
solutions provide key security technologies, such as virtual private
network, denial of service protection, firewall and intrusion prevention, in
a line of easy-to-manage security appliances and systems. NetScreen has
created a new function to assist in the containment of malicious worms
called the "User-Definable Malicious URL" feature. This will cause
requests to be blocked that match the defined pattern.
From the command line a firewall administrator can define a Malicious URL
pattern to be blocked. However, if a segmented request for a blocked
pattern is fragmented in the middle of the pattern, it will not be matched.
This can be accomplished using a tool such as fragroute available at
The product does not function properly to help contain malicious worms
Tested on NS-100, SW v3.0.1r2.0, HW Version: 3110
Upgrade to ScreenOS 4.0.1 release, which addresses the circumvention of the
Malicious URL feature using IP fragments. Netscreen will make the release
available to their customers by 1:00PM on Monday (11/25/2002).
- The problem was reported to Netscreen via E-Mail on Tuesday, October 08,
2002 11:23 PM.
- Another email was sent to Netscreen vial E-Mail on Tuesday, November 12,
2002 12:35 AM
- Response #1 was received acknowledging the issue on Thursday, November 14,
2002 9:25 PM
- Response #2 was received will the solution on Saturday, November 23, 2002
Response #1: "NetScreen has received your e-mail regarding the Malicious URL
feature and we are currently in the process of developing a formal response
to this issue. We are also readying changes to our product addressing this
issue which will be included in the upcoming ScreenOS 4.0.1 release. We
request that you delay publicly announcing this issue until we have
officially released that software. We intend to release ScreenOS 4.0.1
before Thanksgiving. We will contact you before the release date to
coordinate our announcements. Thank you for your cooperation."
Response #2: "We have finished the ScreenOS 4.0.1 release, which addresses
the circumvention of the Malicious URL feature using IP fragments. We are
making the release available to our customers by 1:00PM on Monday (11/25).
We will be releasing a formal statement to bugtraq and CERT approximately 15
minutes later (at 1:15PM.) If you will release an announcement of your own,
please refrain from sending them prior to our 11/25 1:00PM release date. We
are delaying our alerts by 15 minutes in order for your announcement to
appear first. Thank you again for cooperating with our release schedule."