Title: NetScreen Security Advisory 57226
Date: 16 April 2003
Impact: Weaker IPSec Tunnel Security Than Intended
Affected Products: Global PRO Policy Manager versions 4.0.0r1 through 4.0.0r5; 4.1.0r1
Max Risk: Medium
Summary:
An error in the Global PRO Policy Manager definitions for IPSec phase 1 and phase 2 proposals using the AES cryptographic algorithms causes VPN configurations in NetScreen firewall/VPN appliances and systems to use the DES cryptographic algorithm instead of the expected AES128. All VPNs defined on NetScreen devices managed by Global PRO using the predefined proposals named "g2-aes128-sha", "g2-aes128-md5", "esp-aes128-sha", and "esp-aes128-md5" are affected.
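As an added example (not part of the advisory and not NetScreen code), a small audit script that scans a saved device configuration and flags every IKE gateway or VPN that still references one of the four affected predefined proposals. The ScreenOS-style `set ike gateway ... proposal` / `set vpn ... proposal` line format and the sample configuration are assumptions constructed for illustration.

```python
import re

# Predefined proposals the advisory names as affected: with Global PRO
# 4.0.0r1-4.0.0r5 and 4.1.0r1 they negotiate DES instead of AES128.
AFFECTED_PROPOSALS = frozenset({
    "g2-aes128-sha", "g2-aes128-md5",    # phase 1 (IKE) proposals
    "esp-aes128-sha", "esp-aes128-md5",  # phase 2 (IPSec) proposals
})

# Assumed (hypothetical) configuration line format, modelled on a
# ScreenOS-style CLI:
#   set ike gateway "<name>" ... proposal "<p1-proposal>"
#   set vpn "<name>" ... proposal "<p2-proposal>"
_LINE_RE = re.compile(
    r'^\s*set\s+(?P<kind>ike gateway|vpn)\s+"?(?P<name>[^"\s]+)"?.*?'
    r'\bproposal\s+"?(?P<proposal>[^"\s]+)"?',
    re.IGNORECASE,
)


def find_affected(config_text):
    """Return (phase, object name, proposal) for every configuration line
    that references an affected predefined proposal."""
    findings = []
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("proposal").lower() in AFFECTED_PROPOSALS:
            phase = 1 if m.group("kind").lower().startswith("ike") else 2
            findings.append((phase, m.group("name"), m.group("proposal")))
    return findings


# Constructed sample configuration (not a real device dump).
SAMPLE_CONFIG = """\
set ike gateway "hq-gw" address 198.51.100.10 main outgoing-interface ethernet3 preshare "REDACTED" proposal "g2-aes128-sha"
set ike gateway "branch-gw" address 198.51.100.20 main outgoing-interface ethernet3 preshare "REDACTED" proposal "g2-aes128-custom"
set vpn "hq-vpn" gateway "hq-gw" proposal "esp-aes128-md5"
set vpn "branch-vpn" gateway "branch-gw" proposal "esp-aes128-custom"
set vpn "legacy-vpn" gateway "hq-gw" proposal "esp-3des-sha"
"""

if __name__ == "__main__":
    for phase, name, proposal in find_affected(SAMPLE_CONFIG):
        print(f"phase {phase} object {name!r} uses affected proposal "
              f"{proposal!r}; move it to a custom AES128 proposal")
```

Objects using custom proposals (here `g2-aes128-custom` and `esp-aes128-custom`) are not reported, matching recommended action (1) and (2).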
Recommended Actions:
(1) Create custom proposals for IPSec phase 1 and phase 2 using AES128 as the cryptographic algorithm.
(2) Update all affected VPN configurations to use these custom proposals.
(3) As soon as practical, upgrade your Global PRO to the maintenance release identified below or a later version.
Global PRO 4.1.1, targeted for release on 5/15, will address this issue. New VPNs created after installing or upgrading to this release will not be prone to this issue. Upon upgrading to this release and pushing configuration to the devices, previously existing VPNs will also be fixed.
If you have a release of Global PRO not addressed by the maintenance release above, please contact support@netscreen.com.
How to Get Global PRO:
If you have registered your product with NetScreen and have a valid service contract, you can simply download the software from:
http://www.juniper.net/support/nscn_support/tao/latest_sw.html
You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen device serial number as the password.
If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software.
NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time, Monday through Friday, excluding weekends and observed holidays.
You may contact them via email at: support@netscreen.com
or via phone at: 877-638-7273 or 408-543-2100 Option #1
Please reference this Advisory title as evidence of your entitlement to the fixed software version.
NetScreen authorized channel partners have access to NetScreen software versions and may also be a way to obtain the new release.