Bugtraq mailing list archives

Netscreen: DMZ Network Receives Some "Denied" Traffic


From: Erik Parker <eparker () MINDSEC COM>
Date: Mon, 26 Mar 2001 12:32:33 -0800

/* Fwd from Netscreen List */


Dear NetScreen Customer:

This is an important NetScreen Security Advisory.

-------------------------------------------------------------------------------
DMZ Network Receives Some "Denied" Traffic
-------------------------------------------------------------------------------
For release Friday, March 23 , 2001

An issue has been discovered (bug ID 8166) in all current versions of
ScreenOS software (ScreenOS release 1.64, 1.66, 2.01, and 2.5) for
NetScreen-10 and NetScreen-100 systems. The condition allows traffic that
should be blocked by the policy configuration, under certain
circumstances, to reach the DMZ network. Security for the trusted network
is not affected; the vulnerability does not allow "denied" traffic to
reach the trusted network. It appears that there is no way to exploit
this vulnerability to execute arbitrary commands on the device.

The condition exists in all modes of operation on the NetScreen-10 and
NetScreen-100 when the DMZ is active for network traffic. The
vulnerability manifests itself only after specific traffic patterns have
been present for some time. The result is that some packets that are
denied by the policy configuration in fact are allowed to pass to the DMZ
network. It does not allow all denied packets to pass; only a select few
packets may incorrectly be passed.

To date no malicious exploitation of the vulnerability has been reported.

A software fix has been created for this vulnerability and has been made
available to all affected customers. The impact is considered medium, and
NetScreen strongly encourages all affected users to update their version
immediately.

This notice is being released in order to enable all affected NetScreen
customers to take immediate steps to remove this vulnerability. All
affected customers should read the details of this advisory and follow
the suggestions for correction as described in the FIXES section of this
advisory (below).

-------------------------------------------------------------------------------
Who is Affected?
-------------------------------------------------------------------------------
If you or your customers are using a NetScreen-10 or NetScreen-100
security appliance running a release of version 1.64, 1.66, 2.0, or 2.5
of the device's software then you are affected. If you or your customers
have any previous version of the appliance software then you may also be
susceptible, but it has not been tested.

Affected Devices:

      o        All NetScreen-10s
      o        All NetScreen-100s

If you are unsure what version of the appliance software you are running,
the information is available from the CLI or the WebUI. To find out,
follow these simple instructions:

      o        At the WebUI, use the "Configure" button under System on
               the left navigation panel.
      o        From the CLI, at the prompt, issue the command "get system". The
               second item displayed on the first line is "SW Version/Checksum:".
               The number immediately following this colon, before the "/", is the
               running version.

-------------------------------------------------------------------------------
Impact
-------------------------------------------------------------------------------
The severity of the impact will vary based upon the device configuration
and environment. Though these conditions are rare in most networks, all
affected devices and configurations (see "Who is Affected") are advised
to assume the vulnerability could affect their network and take action
immediately to remove the vulnerability.

The vulnerability could be exploited to pass undesirable traffic to the
DMZ network, potentially impacting systems on that network.

-------------------------------------------------------------------------------
Software Version and Fixes
-------------------------------------------------------------------------------
All previous released versions of ScreenOS for NetScreen-10 and
NetScreen-100 are susceptible to the vulnerability.

The problem has been resolved in the following versions of ScreenOS:

Version    Resolved In
1.6x       1.66r2 for NetScreen-10 and NetScreen-100
2.0        2.01r8 for NetScreen-10 and NetScreen-100
2.5        2.5.0r6 for NetScreen-10 and NetScreen-100
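As an added example, not part of the advisory or NetScreen's own tooling, the following Python helper pulls the running version out of "get system" output the way the advisory describes (the text after "SW Version/Checksum:" and before the "/") and compares it with the fixed releases in the table above. The sample output is constructed; the exact layout of real "get system" output is an assumption, and only the field name and the "/" separator come from the advisory.

```python
import re

# Fixed releases from the advisory, keyed by release train.
FIXED_IN = {"1.6x": "1.66r2", "2.0": "2.01r8", "2.5": "2.5.0r6"}

# Constructed sample of 'get system' output. The real layout is an assumption;
# the advisory only states that the version follows "SW Version/Checksum:" and
# ends at the "/".
SAMPLE_GET_SYSTEM = (
    "Product Name: NetScreen-100  SW Version/Checksum: 2.5.0r3/0123abcd\n"
    "Serial Number: 0000000000\n"
)

def parse_version(output):
    """Return the running ScreenOS version from 'get system' output."""
    m = re.search(r"SW Version/Checksum:\s*([^/\s]+)/", output)
    if not m:
        raise ValueError("SW Version/Checksum field not found")
    return m.group(1)

def version_key(v):
    """Turn '2.5.0r6' into ((2, 5, 0), 6) so releases order correctly; no 'r' means r0."""
    base, _, rev = v.partition("r")
    return tuple(int(x) for x in base.split(".")), int(rev or 0)

def release_train(v):
    """Map a version to one of the advisory's table rows; None if the train is not listed."""
    major, minor = version_key(v)[0][:2]
    if major == 1 and 60 <= minor < 70:
        return "1.6x"
    if (major, minor) in ((2, 0), (2, 1)):   # 2.0 and 2.01 are the same train
        return "2.0"
    if (major, minor) == (2, 5):
        return "2.5"
    return None

def is_fixed(v):
    """True if v is at or past the fixed release, False if older, None if train is unknown."""
    train = release_train(v)
    if train is None:
        return None
    return version_key(v) >= version_key(FIXED_IN[train])

def check_device(output):
    """Return (version, 'fixed' | 'affected' | 'unknown') for one device's output."""
    v = parse_version(output)
    status = is_fixed(v)
    return v, "unknown" if status is None else ("fixed" if status else "affected")
```

A version from a train the table does not list (for example an older 1.x release) comes back as "unknown", matching the advisory's statement that earlier versions were not tested.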

Customers are urged to upgrade to a supported release. Customers with a
non-release version of the appliance software based on either of these
release versions should check with their Technical Account Manager or our
Technical Support department to verify whether their version is affected.
Installing the fixed software is a certain way to remove any doubt.

-------------------------------------------------------------------------------
Getting Fixed Software
-------------------------------------------------------------------------------
If you have registered your product with NetScreen and have a service
contract, you can simply download the software from:
http://www.netscreen.com/support/updates.html

You will be prompted for your User ID and Password. Enter the whole or
part of your company name as your User ID and enter your registered
NetScreen device serial number as the password.

If you have not yet registered your product with NetScreen, you will need
to contact NetScreen Technical Support for special instructions on how to
obtain the fixed software. NetScreen Technical Support can be reached
from 8 a.m. to 5 p.m. Pacific time Monday through Friday, excluding
weekends and observed holidays. You may contact them via email at
support () netscreen com or by phone at 408-730-6000.

Please reference this Advisory title as evidence of your entitlement to
the fixed software version.

NetScreen Authorized Partners have access to NetScreen software versions
and may also be a channel through which to obtain the new release.

-------------------------------------------------------------------------------
Work Arounds
-------------------------------------------------------------------------------
Do not use the DMZ for network traffic.

-------------------------------------------------------------------------------
Exploitation, Announcement and Response
-------------------------------------------------------------------------------
NetScreen has no reports of malicious exploitation of this vulnerability.
However, the nature of this vulnerability is such that it may be used to
create denial of service attacks.

NetScreen knows of no public announcements or discussion of this
vulnerability before the date of this notice.

-------------------------------------------------------------------------------
Distribution
-------------------------------------------------------------------------------
This notice will be entered into NetScreen's Support Knowledge Base and
can be viewed by registered customers on our support web site at
http://www.netscreen.com/support

In addition to Web posting, this advisory is being sent to the following
email lists:

      o        Identified affected customers
      o        NetScreen Authorized Partners
      o        Various internal NetScreen mail lists

===============================================================================
This notice is copyright 2001 by NetScreen Technologies, Inc. This notice
may be redistributed freely after the release date given at the top of
the text, provided that redistributed copies are complete and unmodified,
including all date and version information.
===============================================================================
Erik Parker
Mind Security

"If you think technology can solve your security problems,
then you don't understand the problems and you don't understand
the technology."