Potential H.323 Denial of Service

[NetScreen Security Response Team <security-alert () netscreen com>]

Title: NetScreen Security Alert 52020

Date: 25 November 2002

Description: Potential H.323 Denial of Service

Impact: Complete Denial of Service

Affected Products: All firewall/VPN appliances and systems

Affected Software Releases: ScreenOS 2.8, 3.0, 3.1, 4.0

Summary:

A vulnerability has been reported and confirmed regarding the processing of H.323 control sessions that can lead to the 
consumption of all firewall session table entries, resulting in denial of service to the protected network resources.

This vulnerability only exists in ScreenOS versions 2.8 and later.

Half-open sessions were not reclaimed at normal garbage collection intervals, but persisted in the session table until 
the defined H.323 session timeout interval, typically 36 hours.

This vulnerability only affects configurations which explicitly permit the forwarding of traffic identified using the 
predefined services named H.323 or Netmeeting. The attack must match the permitted traffic flow, constraining the 
attacker to security zones permitted to initiate H.323 traffic. Since the source IP can easily be spoofed, matching the 
exact attacker within the permitted security zone can be difficult to impossible.

Recommended Actions:

Any or all of

(1) Install one of the maintenance releases indicated below.

(2) Upgrade to ScreenOS 4.0.1

(3) Block H.323 traffic. If this is not feasible, carefully re-examine your defined security policies using H.323 to 
minimize exposure to unanticipated sessions.

(4) Adjust the H.323 session timeout to the lowest feasible value for your environment and tolerances.

Release Schedule:

For a complete release schedule, please visit:

http://www.netscreen.com/support/alerts/Potential_H_323_Denial_of_Service.html

How to Get ScreenOS:

If you have registered your product with NetScreen and have a valid service contract, you can simply download the 
software from:
http://www.netscreen.com/support/updates.html

You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and 
enter your registered NetScreen device serial number as the password.

If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for 
special instructions on how to obtain the fixed software. NetScreen Technical Support is available 24 hours a day, 365 
days a year. Contact information can be located at http://www.netscreen.com/support/technical_assistance.html

Please reference this Advisory title as evidence of your entitlement to the fixed software version.

NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through 
which to obtain the new release.


Acknowledgement to Stephen Gill for disclosing the H.323 DoS issue to NetScreen.