-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: NetScreen Advisory 57983 

Version: 3
Original Publication Date: 2 October 2003
Last Updated: 10 July 2006

Impact: Potential Leakage of Sensitive Information via DHCP Offer

Affected Products: NetScreen Firewall/VPN appliances and systems
acting as DHCP Servers running ScreenOS versions up through 4.0.3r3.

Unaffected Products: NetScreen IDP (all versions), NetScreen 
1000 Firewall/VPN system (all versions), NetScreen appliances or 
systems not managed via HTTP or via Telnet.

Max Risk: medium

Summary:

Potentially sensitive information such as encoded administrative 
usernames and passwords may in some circumstances be included 
in DHCP Offer messages generated by a NetScreen Firewall/VPN 
device acting as a DHCP Server and managed via HTTP or Telnet.


Details:

Due to a programming error in ScreenOS, a memory buffer was re-used
without first zeroing out all the contents. This issue only affects 
NetScreen Firewall/VPN devices that are managed via HTTP or Telnet
and are acting as DHCP Servers.

NetScreen Firewall/VPN devices not providing DHCP Server services 
are not susceptible to this problem regardless of how they are managed.

NetScreen Firewall/VPN devices managed exclusively by NetScreen Global
PRO are not susceptible to this problem regardless of whether DHCP 
Server services are provided by the device or not. 

NetScreen Firewall/VPN devices managed via HTTPS (SSL), SSH or serial
console interfaces are not susceptible to this problem regardless
of whether DHCP Server services are provided by the device or not.

DHCP Server services are only available to devices attached to the
NetScreen Firewall/VPN appliance's "Trust" security zone, further 
limiting the scope of exposure of this issue.

When a DHCP request is received by the NetScreen device acting as a 
DHCP Server, a memory buffer formerly holding the contents of the 
last HTTP or Telnet management session is used to generate the DHCP Offer 
message. Not all of this buffer is overwritten by the DHCP Offer 
message, thus leaking some data.

Depending on a variety of factors, the leaked data may contain 
potentially sensitive information. In the worst case, this data can 
include the encoded representation of the administrator's username 
and password.
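
The buffer-reuse flaw described above, reduced to a minimal C illustration. This is an added example, not ScreenOS code: the buffer size, the four-byte reply header, the offset of the leftover data and all function names are assumptions made for the demonstration. It shows the flawed reuse beside the corrected one and a check for non-zero residue in the bytes the DHCP code never wrote.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 300              /* constructed packet/buffer size (assumption) */
#define HDR_LEN 4                /* bytes the simplified offer builder writes */
static uint8_t shared_buf[BUF_LEN];   /* hypothetical buffer shared by services */

/* Constructed stand-in for a management session leaving data in the buffer. */
void mgmt_session(const char *blob) {
    size_t n = strlen(blob);
    if (n > BUF_LEN - 64) n = BUF_LEN - 64;   /* stay inside the buffer */
    memcpy(shared_buf + 64, blob, n);
}

/* Writes only the fields the reply needs; the rest of the buffer is untouched. */
static void write_offer_fields(uint8_t *b) {
    b[0] = 2;   /* op: BOOTREPLY */
    b[1] = 1;   /* htype: Ethernet */
    b[2] = 6;   /* hlen */
    b[3] = 0;   /* hops */
}

/* Flawed: reuses the buffer as found and sends the full fixed length. */
size_t build_offer_flawed(uint8_t *out) {
    write_offer_fields(shared_buf);
    memcpy(out, shared_buf, BUF_LEN);
    return BUF_LEN;
}

/* Corrected: zero the whole buffer before building the message. */
size_t build_offer_fixed(uint8_t *out) {
    memset(shared_buf, 0, BUF_LEN);
    write_offer_fields(shared_buf);
    memcpy(out, shared_buf, BUF_LEN);
    return BUF_LEN;
}

/* Counts non-zero bytes after the written header: leftover data from a prior use. */
size_t residue_bytes(const uint8_t *pkt, size_t len) {
    size_t n = 0;
    for (size_t i = HDR_LEN; i < len; i++) if (pkt[i] != 0) n++;
    return n;
}

int main(void) {
    uint8_t pkt[BUF_LEN];
    mgmt_session("constructed-auth-blob");        /* constructed sample data */
    size_t n = build_offer_flawed(pkt);
    printf("flawed: %zu residue bytes\n", residue_bytes(pkt, n));
    n = build_offer_fixed(pkt);
    printf("fixed:  %zu residue bytes\n", residue_bytes(pkt, n));
    return 0;
}
```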

Recommended Actions:

When available, upgrade to one of the maintenance releases indicated 
below.

Use HTTPS (SSL) or SSH (instead of non-encrypted protocols) or the 
serial console to remotely manage your NetScreen Firewall/VPN 
device.

Disable the DHCP Server service on your NetScreen Firewall/VPN
device.

Please note that NetScreen continues to recommend to customers that
they use HTTPS or SSH to remotely manage their firewalls.  Telnet
and HTTP are known to be insecure protocols and should not be used
in production environments.

Getting Fixed Software for ScreenOS Firewall/VPN products:

NetScreen is offering free fixes for ScreenOS versions 2.6, 3.0,
3.1, and 4.0 to all customers, regardless of service contract status. 
The following security releases which contain the fix for this issue
will be available on the NetScreen support site for all customers. 
Note that not all versions will be made available simultaneously, and 
in general newer ScreenOS versions will be released first.

Platform/Week of     10-06-03        10-13-03        10-20-03        10-27-03
NS-5                                 2.6.1r12
NS-5XP               4.0.3r4         4.0.1r10        3.0.3r8         2.6.1r12
NS-5XT               4.0.3r4         4.0-DIAL2r3     3.0.3r8
NS-5GT               4.0-DIAL2r5
NS-10                                3.0.1r7                         2.6.1r12
NS-25/50             4.0.3r4         3.0.1r7
NS-100                               4.0.0r12        3.0.3r8         2.6.1r12
NS-204/208           4.0.3r4         4.0.1r10        3.1.0r12
NS-500               4.0.3r4                         3.0.3r8
NS-5200-8G           4.0.3r4
NS-5200-24FE                                         4.0.1-SBRr3
NS-5400                                              4.0.1-SBRr3

Upon the software release, customers with a valid product warranty or a
support contract may download the software from NetScreen's CSO web 
portal: http://www.juniper.net/customers/support/

For all other customers, including those with expired support
contracts, please call your regional NetScreen TAC center at one of the
numbers listed in http://www.juniper.net/support/requesting-support.html

Select option 2 from the telephone menu and be sure to select the 
correct product from the phone tree.  Once connected with an engineer, 
state that you are calling in regard to a Security Advisory and provide 
the title of this notice as evidence of your entitlement to the 
specified releases.

As with any new software installation, NetScreen customers planning to 
upgrade to any version of ScreenOS should carefully read the release 
notes and other relevant documentation before beginning any upgrade.

If you wish to verify the validity of this Security Advisory, the public 
PGP key can be accessed at 
http://www.juniper.net/support/security/report_vulnerability.html


Thanks to Felix Lindner, n.runs GmbH for reporting this issue.

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQA/AwUBRLLT/EbyibP0PMctEQKi1gCgtBa96qeWf9wguNOrOJfj9XYEEI0AoMM5
mk5elcDxJgR5mVXlVcbVXoph
=7FFg
-----END PGP SIGNATURE-----