Title: NetScreen Security Alert 110602
Date: 6 November 2002
Description: SSHv1 CRC32 Attacks can lead to denial of service on NetScreen devices
Affected Products: All firewall/VPN appliances and systems
Max Risk: Medium
Summary:
NetScreen has confirmed a customer report that an SSHv1 CRC32 Attack can compromise the ability to manage the NetScreen device and/or force the device to reboot. The attacker cannot gain management access to the device. This potential vulnerability can be exploited to accomplish a denial of service.
NetScreen’s implementation of SSHv1 is known as Secure Command Shell (SCS). This potential vulnerability only exists if the administrator has enabled SCS management, and then only on the interface(s) on which SCS is enabled. SCS management is not enabled by default on NetScreen devices.
Recommended Actions:
(1) Upgrade to one of the maintenance releases indicated below, or
(2) Disable SCS administration of the NetScreen device, or
(3) If SCS is required and you cannot upgrade to one of the maintenance releases below, enable it only on interfaces serving “trusted” hosts. Further, if not all hosts served by those interfaces are trusted, define a “manager-ip” list to restrict management access to trusted hosts. Setting a “manager-ip” list restricts SCS access to the source IP addresses defined within this list.
Maintenance Releases Addressing This Issue:
NetScreen has posted or intends to post the following maintenance releases on the NetScreen support web site (http://www.juniper.net/support/) by the end of the day indicated in the matrices below. A “---” cell means no release for that platform is scheduled on that date.
Today (Nov 6):
| NetScreen-5 | NetScreen-5XP | NetScreen-5XT | NetScreen-10 | NetScreen-25/50 | NetScreen-100 | NetScreen-204/208 | NetScreen-500 | NetScreen-1000 | NetScreen-5200-8G | NetScreen-5200-2GE24FE | NetScreen-5400 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2.6.1r10 | 4.0.0r6, 3.0.3r5 | 4.0.0r6 | 3.0.1r5 | 4.0.0r6, 3.0.3r5 | 4.0.0r6, 3.0.3r5 | 4.0.0r6 | 4.0.0r6, 3.0.3r5 | 2.8.1r3, 2.6.0r8 | 4.0.0r6 | --- | --- |
November 15:
| NetScreen-5 | NetScreen-5XP | NetScreen-5XT | NetScreen-10 | NetScreen-25/50 | NetScreen-100 | NetScreen-204/208 | NetScreen-500 | NetScreen-1000 | NetScreen-5200-8G | NetScreen-5200-2GE24FE | NetScreen-5400 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| --- | --- | 3.0.3r3 | 2.6.1r10 | --- | 2.6.1r10 | 3.1.0r10 | 3.1.0r10 | --- | 3.1.0r6 | 3.1.0r4 | 3.1.0r2 |
If you have a release of ScreenOS not addressed by the maintenance releases above, please contact support@netscreen.com.
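As an added example (our code, not part of the advisory or of ScreenOS), a small Python helper that applies the two matrices above to a device inventory: it parses ScreenOS version strings of the form major.minor.patch r N and classifies a device as fixed, vulnerable, unknown (its branch is not listed, so contact support), or not exposed when SCS management is off. It assumes that a later maintenance number on the same branch carries the fix.

```python
import re
from typing import Dict, List, Tuple

# Fixed ScreenOS maintenance releases per platform, combined from the
# advisory's Nov 6 and Nov 15 matrices ("---" cells are simply omitted).
FIXED_RELEASES: Dict[str, List[str]] = {
    "NetScreen-5": ["2.6.1r10"],
    "NetScreen-5XP": ["4.0.0r6", "3.0.3r5"],
    "NetScreen-5XT": ["4.0.0r6", "3.0.3r3"],
    "NetScreen-10": ["3.0.1r5", "2.6.1r10"],
    "NetScreen-25/50": ["4.0.0r6", "3.0.3r5"],
    "NetScreen-100": ["4.0.0r6", "3.0.3r5", "2.6.1r10"],
    "NetScreen-204/208": ["4.0.0r6", "3.1.0r10"],
    "NetScreen-500": ["4.0.0r6", "3.0.3r5", "3.1.0r10"],
    "NetScreen-1000": ["2.8.1r3", "2.6.0r8"],
    "NetScreen-5200-8G": ["4.0.0r6", "3.1.0r6"],
    "NetScreen-5200-2GE24FE": ["3.1.0r4"],
    "NetScreen-5400": ["3.1.0r2"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(version: str) -> Tuple[Tuple[int, int, int], int]:
    """Split '4.0.0r6' into (branch, maintenance number): ((4, 0, 0), 6)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    major, minor, patch, rel = (int(g) for g in m.groups())
    return (major, minor, patch), rel


def assess(platform: str, running: str, scs_enabled: bool) -> str:
    """Return 'not exposed', 'fixed', 'vulnerable' or 'unknown' for one device.

    Assumption (ours, not stated in the advisory): a higher maintenance
    number on the same branch includes the fix, e.g. 4.0.0r7 >= 4.0.0r6.
    """
    if not scs_enabled:
        return "not exposed"  # the issue only exists with SCS management on
    branch, rel = parse_version(running)
    for fixed in FIXED_RELEASES.get(platform, []):
        fixed_branch, fixed_rel = parse_version(fixed)
        if fixed_branch == branch:
            return "fixed" if rel >= fixed_rel else "vulnerable"
    return "unknown"  # branch not covered above: contact support
```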