Bugtraq mailing list archives
NetScreen ScreenOS 2.6 Subject to Trust Interface DoS
From: Chris Lathem <clathem () skyhawke com>
Date: 1 Feb 2002 15:06:49 -0000
Problem: NetScreen ScreenOS 2.6.1 subject to Trust Interface DoS Attack Company Info: NetScreen Technologies are the manufacturers of some of the industry's highest quality VPN and firewall equipment. For more information please see http://www.netscreen.com. What's affected: The ScreenOS is the heart of the NetScreen products. This allows for the firewall configuration/management. Apparently all versions before ScreenOS 3.1 are affected. This vulnerability can only occur from within the "trusted" network, or from a machine connected to the "trust" interface. External attempts will not cause any problems/DoS. Exploit: Someone within the trusted side of the network can attempt a portscan on an external IP address. When the scan runs it appears to consume all of the available sessions. This, in turn, causes a DoS to the entire trusted interface. The only way I got my device to recover quickly was to perform a reset. A recovery might be possible without a reset, but after about 5 minutes of waiting, mine never recovered. This exploit may or may not work on your device. My testing was performed on a NetScreen 5. The higher-end, more pricier models may take longer to "eat up" all the available sessions, thus taking longer for a DoS to occur. I have contacted NetScreen in regards to the issue. I received a response back that the problem is a known issue. It has been addressed in ScreenOS 3.1. An update to ScreenOS 3.1 is available for anyone with a NetScreen 200 or 500. For all other models, the update to ScreenOS 3.1 will be available on April 1, 2002. I'd love to hear if anyone else has noticed this, or if other models are affected by this issue. Cheers, Chris Lathem chris () lathemonline com http://www.lathemonline.com
Current thread:
- NetScreen ScreenOS 2.6 Subject to Trust Interface DoS Chris Lathem (Feb 01)
- Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS... David P. Maynard (Feb 04)
- Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS... Zeke Gibson [STI] (Feb 06)
- Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS... David P. Maynard (Feb 06)
- Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS... Zeke Gibson [STI] (Feb 06)
- <Possible follow-ups>
- RE: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS Dave Killion (Feb 01)
- RE: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS Alexander Poizner (Feb 03)
- Re: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS Drew Simonis (Feb 05)
- Re: PIX DOS (config problem) - Similar to NetScreen ScreenOS... David P. Maynard (Feb 04)