


Category: Device (Router/Bridge/Hub) > Juniper ScreenOS
Vendors: NetScreen
NetScreen HTTP, Telnet, and FTP Authentication Feature Can Be Bypassed in Certain Cases
SecurityTracker Alert ID: 1007058
SecurityTracker URL:
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 25 2003
Impact: Host/resource access via network
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 4.0.2 and prior versions
Description:   A vulnerability was reported in NetScreen's ScreenOS operating system. A remote user can bypass an authentication feature in certain cases to access systems located behind the firewall.

It is reported that a remote user can spoof the IP address of a user that has been authenticated to access ostensibly protected resources when user authentication via the local database is enabled. The affected authentication feature reportedly performs IP source address authentication only, which can be readily bypassed by spoofing or hijacking techniques or by simply using the same IP address.

Impact:   A remote user can gain access through the firewall to ostensibly protected resources by using (or spoofing) the IP address of a user that has previously authenticated from that IP address.
Solution:   No solution was available at the time of this entry. The vendor has noted that this observed behavior is a limitation of source IP address authentication. The vendor has published the following article on the topic:

Vendor URL:
Cause:   Authentication error

Message History:   None.

 Source Message Contents

Subject:  Authentication Vulnerability in NetScreen ScreenOS

Authentication Vulnerability in NetScreen ScreenOS

Versions affected: ScreenOS 4.0.2r2.0 - possibly all versions

Summary of problem: NetScreen firewalls have a feature that if 
enabled, requires users to provide a username and password to access  
resources and services behind a firewall, such as http (80/tcp). 
However, after a user is authenticated, anyone else may also access 
the protected services if they originate from the same source IP 
address (NAT'd network). The authentication mechanism is designed to 
authenticate based on source-ip address only. This can expose 
protected systems to unauthorized access if it is enabled.

After searching through the NetScreen documentation, I was unable to 
find any warning about this. NetScreen does not inform the firewall 
administrator of this design.

Thus, we contacted NetScreen. Below is the request to and the reply 
from NetScreen Support.

I am posting this so that anyone that uses this sort of authentication 
on the Netscreen is aware of this problem.

Submitted 05/23/2003

I am running ScreenOS 4.0.2r2.0.  I use the feature for user 
authentication via local DB.  I have discovered that if a valid user 
connects to my network, and is properly authenticated by the 
netscreen, and if that user is originating from a NATed network, then 
my netscreen will proceed to allow anybody else coming from that same 
NATed source network.  
This exposes my systems to attack and possible compromise from others 
on that NATed network who might happen to attempt connections to my 
systems (covered in the associated policies).

Maybe this has been corrected in more recent versions of ScreenOS.  If 
so, then I have difficulties, since my 90 day access to software  
upgrades has lapsed.

Maybe there is some additional configuration setting that I must use 
in order to address this.

Your help would be appreciated.  Thanks.

Received 05/23/2003

Dear Valued Customer,

Thank you for contacting us at the NetScreen Technical Assistance 

The current authentication mechanism is designed to authenticate based 
on source-ip address only.  So if multiple users access NetScreen from 
the same source-ip, then once the NetScreen authenticates the first 
user, an Authentication session is established and the NetScreen will 
allow all the other users access without authenticating since they 
have the same source-ip address.

That means other users from the same LAN can go through without being 
challenged for authentication. Unfortunately, there is no workaround 
for this.  If authentication is required in this topology, it is 
recommended that authentication occur at the first NAT device, before 
it reaches the NetScreen. You can find more information regarding the 
same issue on the following URL:

Thank you.

Technical Assistance Center-eSupport Division
NetScreen Technologies, Inc.
408-543-2100 Main
877-638-7273 technical support
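To make the mechanism in the Description above and in NetScreen's reply concrete, the following is an added Python model, not NetScreen's code and not part of the original post, of an authentication table keyed only by source IP. The host addresses, user name and password are constructed; the two scenarios contrast authenticating behind a many-to-one NAT with the vendor's recommendation of authenticating at the first NAT device, where inside hosts still carry distinct source addresses.

```python
from collections import namedtuple

# A minimal packet: source IP, destination port, optional (user, password).
Packet = namedtuple("Packet", "src_ip dst_port creds")


class SourceIpAuthFirewall:
    """Models the behaviour described in the advisory: once one login from an
    IP succeeds, an auth session is recorded for that source IP alone, and
    every later connection from the same IP is admitted unchallenged."""

    def __init__(self, local_db):
        self.local_db = local_db      # username -> password (local user DB)
        self.auth_sessions = set()    # source IPs holding an open auth session

    def admit(self, pkt):
        if pkt.src_ip in self.auth_sessions:
            return True               # no challenge: this IP already "authenticated"
        if pkt.creds and self.local_db.get(pkt.creds[0]) == pkt.creds[1]:
            self.auth_sessions.add(pkt.src_ip)
            return True
        return False


def nat(pkt, public_ip):
    """Many-to-one NAT: every inside host leaves with the same public source IP."""
    return pkt._replace(src_ip=public_ip)


# Constructed sample hosts: 10.0.0.0/8 inside, 203.0.113.0/24 (documentation range) outside.
ALICE = Packet("10.0.0.5", 80, ("alice", "s3cret"))   # valid local-DB user
OTHER = Packet("10.0.0.9", 80, None)                  # never supplies credentials


def scenario_auth_behind_nat():
    """Firewall sees only the NAT's public address for both hosts."""
    fw = SourceIpAuthFirewall({"alice": "s3cret"})
    first = fw.admit(nat(ALICE, "203.0.113.7"))
    second = fw.admit(nat(OTHER, "203.0.113.7"))
    return first, second              # (True, True): the second host rides along


def scenario_auth_before_nat():
    """Vendor recommendation: authenticate at the first NAT device, where the
    inside hosts are still distinguishable by their own source addresses."""
    fw = SourceIpAuthFirewall({"alice": "s3cret"})
    return fw.admit(ALICE), fw.admit(OTHER)   # (True, False)
```

The model is per-host, not per-user: even in front of the NAT, a second user on the same host as an authenticated user is still admitted, which is the limitation the vendor describes.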

