SecurityTracker.com
Category:   Device (Firewall)  >   Juniper ScreenOS
Vendors:   NetScreen
(Vendor Issues Fix) Re: NetScreen ScreenOS Can Be Crashed By Remote Users Sending Packets With Certain TCP Window Sizes
SecurityTracker Alert ID:  1007343
SecurityTracker URL:  http://securitytracker.com/id/1007343
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 31 2003
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 4.0.1r1 through 4.0.1r6 and also 4.0.3r1 and 4.0.3r2
Description:   A denial of service vulnerability was reported in NetScreen's ScreenOS. A remote user can cause the firewall device to crash and reboot.

It is reported that a remote user can cause the NetScreen 204 and 208 devices running ScreenOS 4.0.3r2 to crash by connecting to a management port (e.g., ssh, telnet, http) using a certain TCP window size. Only systems that have one or more management ports enabled are affected.

As a demonstration exploit, you can reportedly set the following Windows 2000 SP1/SP2 registry values:

Key: \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

New DWORD values:

Name            Base      Value
Tcp1323Opts     HEX       3
TcpWindowSize   Decimal   131400

Impact:   A remote user can connect to an enabled management port to cause the system to crash and reboot.
Solution:   NetScreen has confirmed the flaw, but indicates that the SSH port is not affected. The vendor confirms that the Telnet and WebUI (HTTP/HTTPS) management ports and the WebAuth authentication service (HTTP/HTTPS) are affected.

The ProxyAuth firewall authentication service is reportedly not affected.

The vendor has issued fixed versions (4.0.1 maintenance release r7, 4.0.3 maintenance release r3) of ScreenOS. In addition to upgrading, the vendor recommends that you:

- restrict administrative access to known administrative hosts using the 'set admin manager-ip ...' feature.

- use the ScreenOS anti-spoofing feature to prevent spoofed manager IPs from originating from non-manager subnets.

- disable management on all interfaces not facing the IT management network (e.g., NOC, SOC).

- use ProxyAuth instead of WebAuth for policy authentication.

- use SSH instead of Telnet for remote NetScreen management.
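
The version ranges and vendor recommendations above can be checked mechanically. The following is an added example, not code from SecurityTracker or NetScreen: it tests a version string against the affected ranges listed here and audits a saved configuration for the affected management services and a missing manager-ip restriction. The 'set interface <name> manage <service>' line format and the sample configuration are assumptions constructed for illustration.

```python
import re

# Affected ranges from this advisory: 4.0.1r1-r6 and 4.0.3r1-r2.
AFFECTED = {(4, 0, 1): range(1, 7), (4, 0, 3): range(1, 3)}
# Management services the vendor confirmed as affected (SSH is not).
# The "manage <service>" keywords are assumed ScreenOS CLI syntax.
RISKY_SERVICES = {"telnet", "web", "ssl"}

def is_affected(version):
    """True if a version string such as '4.0.3r2' is in an affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:r(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    release = int(m.group(4) or 0)  # no 'rN' suffix is treated as release 0
    return release in AFFECTED.get(branch, ())

def audit_config(text):
    """Return findings for a saved configuration, one string per issue."""
    findings = []
    has_manager_ip = False
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["set", "admin", "manager-ip"]:
            has_manager_ip = True
        elif (len(words) == 5 and words[:2] == ["set", "interface"]
              and words[3] == "manage" and words[4] in RISKY_SERVICES):
            findings.append(f"{words[2]}: affected service '{words[4]}' enabled")
    if not has_manager_ip:
        findings.append("no 'set admin manager-ip' restriction configured")
    return findings

# Constructed sample configuration, for illustration only.
SAMPLE = """\
set interface ethernet1 manage ssh
set interface ethernet1 manage web
set interface ethernet3 manage telnet
"""

if __name__ == "__main__":
    print(is_affected("4.0.3r2"), audit_config(SAMPLE))
```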

Vendor URL:  www.netscreen.com/services/security/alerts/advisory-57739.txt
Cause:   Exception handling error

Message History:   This archive entry is a follow-up to the message listed below.
Jul 29 2003 NetScreen ScreenOS Can Be Crashed By Remote Users Sending Packets With Certain TCP Window Sizes



 Source Message Contents

Subject:  http://www.netscreen.com/services/security/alerts/advisory-57739.txt


NetScreen issued Advisory 57739 warning that a remote user can use a certain TCP option to 
cause a NetScreen Security Device to reboot.

Vulnerable Products: NetScreen Firewall/VPN products running ScreenOS 4.0.1r1 through 
4.0.1r6 and 4.0.3r1 and 4.0.3r2

The following products are reportedly not affected:  NetScreen IDP, NetScreen Firewall/VPN 
products running ScreenOS 3 and below, 4.0.0, 4.0.1r7 and higher, 4.0.2, 4.0.3r3 and higher.

The Telnet and WebUI (HTTP/HTTPS) management ports and the WebAuth authentication service 
(HTTP/HTTPS) are affected.

The SSH port is reportedly not affected.  The ProxyAuth firewall authentication service is 
not affected.

The vendor recommends that you:

- restrict administrative access to known administrative hosts using the 'set admin 
manager-ip ...' feature.

- use the ScreenOS' anti-spoofing feature to prevent spoofed manager IP's from originating 
from non-manager subnets.

- disable management on all interfaces not facing the IT management
network (NOC/SOC/etc).

- use ProxyAuth instead of WebAuth for policy authentication.

- use SSH instead of Telnet for remote NetScreen management.

The vendor recommends that you upgrade to ScreenOS 4.0.1 maintenance release r7 or 
ScreenOS 4.0.3 maintenance release r3.


-----

Max Risk: Medium




 
 



Copyright 2021, SecurityGlobal.net LLC