Friday, September 6th, 2002
NetScreen Security Advisory
NetScreen Response to: Multiple vendors' Internet Key Exchange (IKE) implementations do
not properly handle IKE response packets
Summary
The IKE implementation in previous versions of the NetScreen-Remote line of
remote access client software can experience a buffer overflow condition which
may leave a NetScreen-Remote system unresponsive under specific conditions.
Initially reported to CERT on 8/14/02 as VU#287771, this issue affects multiple
vendors' IKE implementations.
Based on internal testing, the issue has been shown to exist in version 8.0 or earlier
of NetScreen-Remote when operating in Aggressive mode, and appears only during
the Phase I IKE key exchange. An illegal IKE response packet with a large number
of payloads, or one overly large payload, can cause a buffer overflow condition,
causing the VPN client to consume CPU resources and leaving a NetScreen-Remote system
unresponsive.
By default, NetScreen-Remote will only accept IKE response packets from trusted
VPN gateways (Main mode); however, in Aggressive mode an illegal packet can be
sent before NetScreen-Remote authenticates the VPN gateway. An attacker acting
as the VPN gateway could respond to solicited IKE requests from NetScreen-Remote
clients operating in Aggressive mode to cause this buffer overflow condition.
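The two malformed cases named above (a chain of many payloads, or a single payload whose length field exceeds the datagram) are both caught by validating each ISAKMP payload length against the bytes actually received before using it. The following is an added, illustrative parser written for this advisory page; it is not NetScreen-Remote code, and the payload-count and payload-size limits, the sample messages and the payload bodies are constructed for the example.

```python
import struct

ISAKMP_HDR_LEN = 28                        # fixed ISAKMP header (RFC 2408)
AGGRESSIVE_MODE = 4                        # exchange type value for Aggressive mode
MAX_PAYLOADS, MAX_PAYLOAD_LEN = 32, 4096   # policy limits chosen for this example

def check_ike_message(data, max_payloads=MAX_PAYLOADS, max_payload_len=MAX_PAYLOAD_LEN):
    """Walk the ISAKMP payload chain, validating every length before it is used.
    Returns (accepted, reason, payloads_seen)."""
    if len(data) < ISAKMP_HDR_LEN:
        return False, "truncated ISAKMP header", 0
    next_payload, _ver, _exch, _flags, _msg_id, length = struct.unpack(
        "!BBBBII", data[16:ISAKMP_HDR_LEN])
    if length != len(data):
        return False, "header length does not match datagram size", 0
    offset, count = ISAKMP_HDR_LEN, 0
    while next_payload != 0:                # 0 = no further payload
        if offset + 4 > len(data):
            return False, "payload header runs past end of datagram", count
        following, _reserved, plen = struct.unpack("!BBH", data[offset:offset + 4])
        if plen < 4 or offset + plen > len(data):
            return False, "payload length exceeds remaining bytes", count
        if plen > max_payload_len:
            return False, "single payload larger than policy allows", count
        count += 1
        if count > max_payloads:
            return False, "too many payloads in one message", count
        offset += plen
        next_payload = following
    if offset != len(data):
        return False, "trailing bytes after last payload", count
    return True, "ok", count

def build_message(payloads, exch_type=AGGRESSIVE_MODE):
    """Assemble a constructed ISAKMP message from (payload_type, body) pairs."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", following, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8, first, 0x10,
                         exch_type, 0, 0, ISAKMP_HDR_LEN + len(body))
    return header + body

# Constructed samples: a plausible Aggressive-mode response (SA=1, KE=4, Nonce=10,
# ID=5), the same message with its first length field forged to 60000, and a
# message chaining 500 empty payloads.
SAMPLE_GOOD = build_message([(1, b"\x00" * 20), (4, b"\x00" * 128),
                             (10, b"\x00" * 16), (5, b"\x00" * 8)])
SAMPLE_OVERSIZED = SAMPLE_GOOD[:30] + struct.pack("!H", 60000) + SAMPLE_GOOD[32:]
SAMPLE_FLOOD = build_message([(1, b"")] * 500)
```

Running `check_ike_message` over the three samples accepts only the first; the other two are rejected before any length field is trusted.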
This issue has been addressed in version 8.1 of both NetScreen-Remote VPN Client and
NetScreen-Remote Security Client, which is now available to all affected customers.
This notice is being released in order to enable all affected NetScreen customers
to take immediate steps to address this issue. All affected customers should
read the details of this advisory and follow the suggestions for correction
as described in the Work Around section of this advisory (below).
Who is Affected
If you or your customers are using NetScreen-Remote versions 8.0 or earlier
in Aggressive mode, you may be vulnerable to this issue.
No other NetScreen products are currently known to be affected by this vulnerability.
NetScreen's ScreenOS (all versions) IKE implementation is not vulnerable to the
overflow condition described above.
NetScreen's Global-PRO line of security management products does not contain an
IPSec or IKE implementation and is also unaffected. Other NetScreen products on
the same network as a potentially affected NetScreen-Remote are not affected by
this condition.
Impact
The severity of the impact will vary based upon the device configuration and
environment. Although these conditions are rare in most networks, all affected
NetScreen-Remote users (see "Who is Affected") are advised to treat
this issue as if it could affect their network and to take action to address
this issue.
The vulnerability could be exploited on specific machines running NetScreen-Remote
software in Aggressive mode to leave the system unresponsive. It should be noted
that this would not allow an attacker to gain network access and there is no
impact to the confidentiality and integrity of the data.
Fixed Software Versions
The described vulnerability is identified as bug ID 287771. This vulnerability
is addressed in version 8.1 of both NetScreen-Remote VPN Client and NetScreen-Remote
Security Client which is now available for download on the NetScreen Technical
Support website.
Getting Patched Software
If you have registered your product with NetScreen and have a valid service
contract, you can simply download the new software from: http://www.juniper.net/support/nscn_support/tao/
You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen device serial number as the password.
If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software.
NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time,
Monday through Friday, excluding weekends and observed holidays.
You may contact them via email at: support@netscreen.com
or via phone at: 408.730.6000 or 800.638.8296
Please reference this Advisory title as evidence of your entitlement to the
fixed software version.
NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release, when available.
Work Around
* Upgrade to NetScreen-Remote 8.1 VPN or Security Client, which resolves this
issue completely.
* Block or restrict access to the IKE service (UDP/500) to trusted VPN gateways
with the NetScreen-Remote Security Client's personal firewall software; this
effectively blocks IKE traffic from unknown or untrusted hosts.
* Use Main-mode IKE wherever possible and avoid use of Aggressive mode.
* Manual-Key IPSec, which does not use IKE, will not experience this condition
and may also be used as a work-around.
Exploitation, Announcement and Response
NetScreen has no reports of malicious exploitation of this vulnerability. However,
the nature of this issue is such that it may, in extreme cases, be used to create
denial of service attacks against the NetScreen-Remote client software. It should
be noted that this would not allow an attacker to gain network access and there
is no impact to the confidentiality and integrity of the data.
The vulnerability could be exploited to crash specific machines running NetScreen-Remote
software in Aggressive mode.
In response to CERT Vulnerability Note VU#287771 (<http://www.kb.cert.org/vuls/id/287771>)
Distribution
This notice will be entered into NetScreen's Support Knowledge Base and can
be viewed by registered customers on our support web site at:
<http://www.juniper.net/support/>
In addition to Web posting, this advisory is being sent to the following email
lists:
* Identified affected customers
* var-news@netscreen.com
* Various internal NetScreen mail lists
=======================================================================
This notice is copyright 2002 by NetScreen Technologies, Inc. This notice may
be redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including all
date and version information.
=======================================================================