SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Firewall)  >   Juniper ScreenOS Vendors:   Juniper
Juniper NetScreen ScreenOS Discloses Firmware Version Information to Remote Users
SecurityTracker Alert ID:  1022123
SecurityTracker URL:  http://securitytracker.com/id/1022123
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 27 2009
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to versions 6.2.0r2.0, 6.2R2, and 5.4.0r12
Description:   A vulnerability was reported in Juniper NetScreen ScreenOS. A remote user can determine the active ScreenOS version number.

A remote user can request the 'about.html' file from the web interface to determine the version number and patch level of the firmware running on the target device.

The vendor was notified on March 22, 2009.

Richard Brain of ProCheckUp Ltd (www.procheckup.com) reported this vulnerability.

Impact:   A remote user can determine the firmware version number.
Solution:   The vendor has issued a fix (6.2.0r2.0, 6.2R2, and 5.4.0r12).

No vendor advisory was available at the time of this entry.

Vendor URL:  www.juniper.net/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  Juniper Advisory

PR09-05: ScreenOS remote information disclosure on Juniper Netscreen ScreenOS Firewalls

Vulnerability found: 22nd March 2009

Vendor informed: 22nd March 2009

Severity: Low (information disclosure)

Description:

By simply requesting the about.html file, the firewall returns the version of ScreenOS and patch level used and the feature set.
No authentication is needed to retrieve this information on the firewall's OS. It is common to find exposed ScreenOS WebUI firewall
 management front-ends on the Internet, attackers might use the exposed information to carry out targeted attacks knowing the version
 and patch level of the firmware used.  


Successfully tested on:
Juniper Networks SSG 320 ScreenOS Version: 6.2.0r1.0
Juniper Networks netscreen SSG 520 ScreenOS Version:6.1.0r1.0
Juniper Networks netscreen 208 ScreenOS Version: 5.4.0r10.0

Proof of concept:

http://target-domain.foo/about.html
https://target-domain.foo/about.html

Returns:

                Juniper Networks, Inc.

                Version: 6.2.0r1.0 (Firewall+VPN)

                ScreenOS WebUI
                All Rights Reserved.


                For the latest technical information visit:
                http://www.juniper.net


Consequences: 

A remote attacker could recover information with regards to the target site's operating system version and patch level. 

This kind of information might be useful to attackers in certain scenarios. i.e.: when attempting to exploit published 

vulnerabilities in a outdated version of ScreenOS.


Fix:

Ensure that the firewall's management interface is disabled on the Internet connected interface, by disabling WeBUI within service
 

options on the Internet connected interface.

Juniper Networks have released the 6.2.0r2.0, 6.2R2 and 5.4.0r12 software updates on the 8th April 2009 which solves the issue.

Vendor feedback:-

Juniper stated that no security advisory is needed to be released due to the low CVSS score of the vulnerability, and Juniper knew
 of the issue already. 

Procheckup found this issue affected different Juniper firewall firmware, going back to at least 2006. 

References: 

http://www.procheckup.com/Vulnerabilities.php
http://www.juniper.net/us/en/products-services/security/ssg-series/

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)


Legal:

Copyright 2009 Procheckup Ltd. All rights reserved.

Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to 

problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to Procheckup, and provided such 

reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited. Procheckup is not liable for any misuse of this information by any third party.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC