NetScreen 5GT Input Validation Bug in Anti-Virus Engine Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1010619
SecurityTracker URL: http://securitytracker.com/id/1010619
Date: Jun 30 2004
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 5.0.0r1 - 5.0.0r7
An input validation vulnerability was reported in the NetScreen 5GT firewall series in the anti-virus engine. A remote user can conduct cross-site scripting attacks.
The vendor reported that a remote user can create a zip archive containing a specially named file with a virus in it. Then, when the anti-virus engine detects the virus, a display dialog box will be generated, presenting the name of the infected file. If the name of the infected file contains HTML code, then arbitrary scripting code will be executed by the target user's browser when the dialog box is displayed. The code will originate from the firewall and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the firewall, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.
The advisory indicated that only the NetScreen 5GT firewalls with AV are affected.
The original advisory is available at:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the firewall, access data recently submitted by the target user via web form to the firewall, or take actions on the firewall acting as the target user.
The vendor has released a fixed version (5.0.0r8), available at:
Vendor URL: www.juniper.net/support/nscn_support/security/alerts/screenos-av-xss-2.txt
Input validation error
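The flaw class described above, as an added example that is not code from the vendor or from this alert: an archive member name is attacker-controlled input, so a notification page must output-encode it before display. The scanner function, marker string, sample filename and notice wording are constructed for illustration; how ScreenOS 5.0.0r8 fixes the issue is not stated on this page.

```python
import html
import io
import zipfile

# Constructed sample data: the marker stands in for a virus signature and the
# member name carries markup, like the advisory's "specially formatted filename".
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
SAMPLE_NAME = "invoice<script>alert(1)</script>.txt"


def build_sample_zip() -> bytes:
    """Return an in-memory zip whose single member has the constructed name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_NAME, b"header " + MARKER)
    return buf.getvalue()


def flagged_members(zip_bytes: bytes) -> list[str]:
    """Hypothetical scanner: names of members whose content holds MARKER."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if MARKER in zf.read(n)]


def notice_unescaped(name: str) -> str:
    """The flawed pattern: the member name is copied straight into HTML."""
    return f"<p>Virus found in archive member: {name}</p>"


def notice_escaped(name: str) -> str:
    """Output-encode the name so the browser renders it as text, not markup."""
    return f"<p>Virus found in archive member: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    for member in flagged_members(build_sample_zip()):
        print("unescaped:", notice_unescaped(member))
        print("escaped:  ", notice_escaped(member))
```

The same encoding step applies wherever the member name is shown or stored for later display, such as a log viewer in the management interface.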
Source Message Contents
-----BEGIN PGP SIGNED MESSAGE-----
Title: Juniper NetScreen Advisory 59147
Date: 29 June 2004
Possible HTTP cross-site script execution.
Juniper Networks NetScreen 5GT Firewalls with AV 5.0.0r1 - 5.0.0r7
Juniper Networks NetScreen 5GT Firewalls without AV (all versions)
All other Juniper Networks NetScreen Firewalls (all versions)
Max Risk: Medium
The Juniper Networks NetScreen 5GT Firewall has a HTTP cross-site scripting
vulnerability in the antivirus scan engine.
The antivirus scan engine in the Juniper Networks NetScreen 5GT Firewall is
susceptible to an HTTP cross-site scripting vulnerability.
When a user downloads Internet content using a Web browser, the antivirus scan
engine scans the contents for viruses. If the file is a zip archive, the scan
engine examines the member files within the archive. When a virus is detected,
the user is presented with a virus notification dialog containing the name of
the infected archive member. If an attacker manually crafts a zip archive
containing a virus-infected file with a specially formatted filename, the
notification dialog could present a cross-site scripting vulnerability.
Upgrade to ScreenOS 5.0.0r8 which fixes this issue. Customers unable to
upgrade to 5.0.0r8 at this time can disable HTTP protocol scanning in the Scan
NetScreen currently has ScreenOS version 5.0.0r8 available for Juniper
Networks NetScreen Firewalls.
How to get ScreenOS:
Customers with a valid product warranty or a support contract may download the
software from the Juniper NetScreen CSO web portal:
For all other customers, including those with expired support contracts, please
call your regional Juniper NetScreen TAC center at one of the numbers
listed in: http://www.juniper.net/support/nscn_support/tao/contact.html
Select option 2 from the telephone menu and be sure to select the correct
product from the phone tree. Once connected with an engineer state that you
are calling in regards to a Security Advisory and provide the title of this
notice as evidence of your entitlement to the specified release.
As with any new software installation, Juniper customers planning to upgrade
to any version of ScreenOS should carefully read the release notes and other
relevant documentation before beginning any upgrade.
If you wish to verify the validity of this Security Advisory, the public PGP
key can be accessed at:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: NetScreen Security Response Team <email@example.com>
-----END PGP SIGNATURE-----