-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: NetScreen Advisory 58466
Date: 26 March 2004
Version: 2
Impact: Potential OpenSSL denial of service in the NetScreen Instant Virtual Extranet (IVE) and Intrusion Detection and Prevention (IDP) platforms.

Affected Products:
  NetScreen IVE (all versions)
  NetScreen IDP 2.0 - 2.1r6

Unaffected Products:
  NetScreen Firewalls (all versions)
  NetScreen-Security Manager (all versions)
  NetScreen-Global Pro (all versions)
  NetScreen-Global ProExpress (all versions)

CVE References: CAN-2004-0079, CAN-2004-0081
NISCC Reference: 224012/OpenSSL
Max Risk: Medium

Summary:

Three vulnerabilities in various versions of OpenSSL which lead to a denial of service have been discovered through testing done by the OpenSSL Project. Based on the information provided by the NISCC, NetScreen has determined that only two of the issues affect NetScreen products.

Details:

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function (CAN-2004-0079). A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that uses the OpenSSL library in such a way as to cause OpenSSL to crash. This issue affects the NetScreen IDP platform. All other NetScreen products are immune to this issue.

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered an infinite loop (CAN-2004-0081) which a remote attacker may be able to trigger, causing the application to become unresponsive. This issue affects the NetScreen IVE and IDP platforms. All other NetScreen products are immune to this issue.

Patch Availability:

NetScreen currently has patches available for the NetScreen IVE and IDP platforms.

Recommended Actions for IVE Customers:

Install the appropriate patch corresponding to your currently installed release.
Getting Fixed Software for the NetScreen IVE platform:

NetScreen is offering free fixes for all customers, regardless of service contract status. Customers may download an update which contains the fix for this issue by going to https://support.neoteris.com and entering the build number of the IVE OS currently installed. You will then be directed to the appropriate IVE OS release.

Customers with further questions regarding the IVE patches may contact the NetScreen IVE Technical Assistance Center at 408-543-2991 (Option 2) or send email to help@support.neoteris.com.

Recommended Actions for IDP Customers:

Install the updated OpenSSL RPM package which can be downloaded from the NetScreen website (instructions provided below).

Getting Fixed Software for the NetScreen IDP platform:

NetScreen is offering free fixes for all customers, regardless of service contract status.

1) Customers should download the updated OpenSSL RPM which contains the fix for this issue by going to: http://www.netscreen.com/cso

   You will be prompted for your User ID and Password. If you do not already have a CSO account, enter the whole or part of your company name as your User ID and enter your registered NetScreen IDP serial number as the password.

   The updated OpenSSL RPM is contained in the following file located under the "IDP Operating System Updates" section:

   Filename:                                  MD5 Hash:
   openssl-0.9.6b-35.7.idp.1.i386.rpm         adc1d3e2ceb49d37474756fcd346c14c

2) Copy the RPM package to the /tmp directory on the IDP appliance.

3) Log in to the IDP appliance and su to the root account.

4) Update the RPM package by typing the following as the root user:

   rpm -Uvh /tmp/openssl-0.9.6b-35.7.idp.1.i386.rpm

5) Restart the Appliance Configuration Manager (ACM) by typing the following as the root user:

   service httpd restart

If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software.
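The advisory publishes an MD5 hash for the IDP RPM but the install steps above do not say to check it. The script below is an added example (not NetScreen's own tooling) that compares the downloaded file's MD5 against the published value and refuses to run the `rpm -Uvh` / `service httpd restart` steps on a mismatch. It assumes `md5sum` or `openssl` is available on the appliance, and it only invokes `rpm` and `service` when called with `--install`, so the verification function can be exercised on any host.

```shell
#!/bin/sh
# Added example, not part of the NetScreen advisory: gate the IDP OpenSSL
# RPM update on the MD5 hash the advisory publishes for the package.

# Values taken from the advisory text.
EXPECTED_MD5="adc1d3e2ceb49d37474756fcd346c14c"
RPM="/tmp/openssl-0.9.6b-35.7.idp.1.i386.rpm"

# md5_of FILE: print the lowercase hex MD5 of FILE.
# Assumes md5sum (coreutils) or the openssl CLI exists on the host.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    else
        echo "no MD5 tool found" >&2
        return 2
    fi
}

# verify_rpm FILE EXPECTED_HASH: exit 0 on match, 1 on mismatch, 2 on error.
verify_rpm() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    actual=$(md5_of "$1") || return 2
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# install_and_restart FILE EXPECTED_HASH: steps 4 and 5 of the advisory,
# run only after the hash check passes. Must be run as root on the appliance.
install_and_restart() {
    if ! verify_rpm "$1" "$2"; then
        echo "refusing to install unverified package $1" >&2
        return 1
    fi
    rpm -Uvh "$1" && service httpd restart
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--install" ]; then
    install_and_restart "$RPM" "$EXPECTED_MD5"
fi
```

The hash itself only carries trust because it sits inside the PGP-signed advisory body; check the signature against the NetScreen key referenced at the end of this advisory before relying on the published MD5. MD5 is no longer collision-resistant, so this check detects a corrupted or substituted download, not a deliberately crafted collision.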
NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time Monday through Friday excluding weekends and observed holidays. You may contact them via email at: support@netscreen.com or via phone at: 877-638-7273 or 408-543-2100 Option #1

Please reference this Advisory title as evidence of your entitlement to the fixed software version.

NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release.

If you wish to verify the validity of this Security Advisory, the public PGP key can be accessed at: http://www.netscreen.com/services/security/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: NetScreen Security Response Team

iD8DBQFAZKUqW2Bw6QjqXRcRAj71AJ0Tz+g5EopLgUWagPpFkIg50lYMlwCff4zm
HnqVWDQUJHy0lCqP4e1uQsw=
=2Ttp
-----END PGP SIGNATURE-----