OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Erik Parker (eparkerMINDSEC.COM)
Date: Mon Mar 26 2001 - 14:32:33 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    /* Fwd from Netscreen List */

    Dear NetScreen Customer:

    This is an important NetScreen Security Advisory.

    -------------------------------------------------------------------------------
    ------------------------------
    DMZ Network Receives Some "Denied" Traffic
    -------------------------------------------------------------------------------
    ------------------------------
    For release Friday, March 23 , 2001

    An issue has been discovered (bug ID 8166) in all current versions of
    ScreenOS software (ScreenOS release 1.64, 1.66, 2.01, and 2.5) for
    NetScreen-10 and NetScreen-100 systems. The condition allows traffic that
    should be blocked by the policy configuration, under certain
    circumstances, to reach the DMZ network. Security for the trusted network
    is not affected; the vulnerability does not allow "denied" traffic to
    reach the trusted network. It appears that there is no way to exploit
    this vulnerability to execute arbitrary commands on the device.

    The condition exists in all modes of operation on the NetScreen-10 and
    NetScreen-100 when the DMZ is active for network traffic. The
    vulnerability manifests itself only after specific traffic patterns have
    been present for some time. The result is that some packets that are
    denied by the policy configuration in fact are allowed to pass to the DMZ
    network. It does not allow all denied packets to pass; only a select few
    packets may incorrectly be passed.

    To date no malicious exploitation of the vulnerability has been reported.

    A software fix has been created for this vulnerability and has been made
    available to all affected customers. The impact is considered medium, and
    NetScreen strongly encourages all affected users to update their version
    immediately.

    This notice is being released in order to enable all affected NetScreen
    customers to take immediate steps to remove this vulnerability. All
    affected customers should read the details of this advisory and follow
    the suggestions for correction as described in the FIXES section of this
    advisory (below).

    -------------------------------------------------------------------------------
    -----------------------------
    Who is Affected?
    -------------------------------------------------------------------------------
    -----------------------------
    If you or your customers are using a NetScreen-10 or NetScreen-100
    security appliance running a release of version 1.64, 1.66, 2.0, or 2.5
    of the device's software then you are affected. If you or your customers
    have any previous version of the appliance software then you may also be
    susceptible, but it has not been tested.

    Affected Devices:

          o All NetScreen-10s
    o All NetScreen-100s

    If you are unsure what version of the appliance software you are running,
    the information is available from the CLI or the WebUI. To find out,
    follow these simple instructions:

          o At the WebUI, use the "Configure" button under system on
    the left navigation panel.
    o From the CLI, at the prompt, issue the command "get system". The
    second item displayed on the first line is "SW Version/Checksum:”
    The number immediately following this colon, before the "/" is the
    running version.

    -------------------------------------------------------------------------------
    -----------------------------
    Impact
    -------------------------------------------------------------------------------
    -----------------------------
    The severity of the impact will vary based upon the device configuration
    and environment. Though these conditions are rare in most networks, all
    affected devices and configurations (see "Who is Affected") are advised
    to assume the vulnerability could affect their network and take action
    immediately to erase the vulnerability.

    The vulnerability could be exploited to pass undesirable traffic to the
    DMZ network, potentially impacting systems on that network.

    -------------------------------------------------------------------------------
    ---------------------------
    Software Version and Fixes
    -------------------------------------------------------------------------------
    ---------------------------
    All previous released versions of ScreenOS for NetScreen-10 and
    NetScreen-100 are susceptible to the vulnerability.

    The problem has been resolved in the following versions of ScreenOS:

    Version Resolved In
    1.6x 1.66r2 for NetScreen-10 and
    NetScreen-100

    2.0 2.01r8 for NetScreen-10 and
    NetScreen-100

    2.5 2.5.0r6 for NetScreen-10 and
    NetScreen-100

    Customers are urged to upgrade to a supported release. Customers with a
    non-release version of the appliance software based on either of these
    release versions will want to check with their Technical Account Manager
    or our Technical Support department to verify whether your version is
    affected. Implementing the fixed software is a certain way to alleviate
    any doubt.

    -------------------------------------------------------------------------------
    -----------------------------
    Getting Fixed Software
    -------------------------------------------------------------------------------
    -----------------------------
    If you have registered your product with NetScreen and have a service
    contract, you can simply download the software from:
    http://www.netscreen.com/support/updates.html

    You will be prompted for your User ID and Password. Enter the whole or
    part of your company name as your User ID and enter your registered
    NetScreen device serial number as the password.

    If you have not yet registered your product with NetScreen, you will need
    to contact NetScreen Technical Support for special instructions on how to
    obtain the fixed software. NetScreen Technical Support can be reached
    from 8 a.m. to 5 p.m. pacific time Monday through Friday excluding
    weekends and observed holidays. You may contact them via email at
    supportnetscreen.com or by phone at 408-730-6000

    Please reference this Advisory title as evidence of your entitlement to
    the fixed software version.

    NetScreen Authorized Partners have access to NetScreen software versions
    and may also be a channel through which to obtain the new release.

    -------------------------------------------------------------------------------
    ------------------------------
    Work Arounds
    -------------------------------------------------------------------------------
    ------------------------------
    Do not use the DMZ for network traffic.

    -------------------------------------------------------------------------------
    ------------------------------
    Exploitation, Announcement and Response
    -------------------------------------------------------------------------------
    ------------------------------
    NetScreen has no reports of malicious exploitation of this vulnerability.
    However, the nature of this vulnerability is such that it may be used to
    create denial of service attacks.

    NetScreen knows of no public announcements or discussion of this
    vulnerability before the date of this notice.

    -------------------------------------------------------------------------------
    --------------------------------
    Distribution
    -------------------------------------------------------------------------------
    --------------------------------
    This notice will be entered into NetScreen's Support Knowledge Base and
    can be viewed by registered customers on our support web site at
    http://www.netscreen.com/support

    In addition to Web posting, this advisory is being sent to the following
    email lists:

          o Identified affected customers
    o NetScreen Authorized Partners
    o Various internal NetScreen mail lists

    ===============================================================================
    This notice is copyright 2001 by NetScreen Technologies, Inc. This notice
    may be redistributed freely after the release date given at the top of
    the text, provided that redistributed copies are complete and unmodified,
    including all date and version information.
    ===============================================================================

    Erik Parker
    Mind Security

    "If you think technology can solve your security problems,
    then you don't understand the problems and you don't understand
    the technology."