Title: NetScreen Advisory 57739
Date: 30 July 2003
Impact: Potential Denial of Service of Security Device
Affected Products: NetScreen Firewall/VPN products running ScreenOS 4.0.1r1 through 4.0.1r6 and 4.0.3r1 and 4.0.3r2
Unaffected Products: NetScreen IDP, NetScreen Firewall/VPN products running ScreenOS 3 and below, 4.0.0, 4.0.1r7 and higher, 4.0.2, 4.0.3r3 and higher
Max Risk: Medium
Summary:
A malicious user connecting to a NetScreen Security Device with a certain TCP option set can cause it to reboot, causing a temporary service outage.
Details:
Due to a bug in ScreenOS, a non-privileged user who attempts to connect to a NetScreen Security Device management IP from the range of addresses permitted by the manager-ip feature, using a particular TCP window option setting, can cause the system to crash and reboot. This issue affects Telnet and WebUI (HTTP/HTTPS) management, as well as the WebAuth authentication service (HTTP/HTTPS).
SSH management connections to the NetScreen device are not susceptible, nor are the classic policy-driven firewall authentication (ProxyAuth) connections. Additionally, traffic passing through the device cannot trigger the crash; only particular TCP sessions terminating on the device itself can.
Recommended Actions:
Restrict administrative access to known administrator hosts and/or subnets with the 'set admin manager-ip ...' feature.
Activate ScreenOS' anti-spoofing feature to prevent spoofed manager IPs arriving from non-manager subnets.
Turn off management on all interfaces not facing the IT management network (NOC/SOC/etc).
Use ProxyAuth instead of WebAuth for policy authentication.
Use SSH instead of Telnet to remotely manage your NetScreen firewall.
Upgrade to maintenance release r7 or later of ScreenOS 4.0.1, or maintenance release r3 or later of ScreenOS 4.0.3.
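As an added illustration of the first, second, third and fifth recommended actions (not part of the original advisory), the following ScreenOS CLI fragment applies them on a hypothetical device. The interface names (ethernet1 facing the IT management network, ethernet3 facing the untrusted network), the 10.10.10.0/24 management subnet and the zone name are assumptions; the manager-ip command is the one the advisory names, and the remaining commands are standard ScreenOS 4.x syntax that should be checked against the release in use. Lines beginning with "#" are annotations, not CLI input. The ProxyAuth and upgrade steps are policy and software changes and are not shown.

```text
# Assumed topology: ethernet1 faces the IT management network,
# ethernet3 faces the Internet (zone untrust); management hosts
# live in 10.10.10.0/24.

# 1. Only hosts in the management subnet may open management sessions
set admin manager-ip 10.10.10.0 255.255.255.0

# 2. Drop packets whose source address could not legitimately arrive
#    on the untrust interface, so a manager-ip address cannot be spoofed
#    from a non-manager subnet
set zone untrust screen ip-spoofing

# 3. Remove every management service from the interface that does not
#    face the management network (Telnet, HTTP and HTTPS are the
#    services this advisory covers)
unset interface ethernet3 manage telnet
unset interface ethernet3 manage web
unset interface ethernet3 manage ssl
unset interface ethernet3 manage ssh

# 5. On the management-facing interface, offer SSH and remove Telnet;
#    the WebUI remains exposed on this interface if it is left enabled
set ssh enable
set interface ethernet1 manage ssh
unset interface ethernet1 manage telnet

save
```

After applying the fragment, `get admin manager-ip` and `get interface ethernet3` can be used to confirm the manager-ip list and the remaining management options on the untrusted interface.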
How to Get ScreenOS:
If you have registered your product with NetScreen and have a valid service contract, you can simply download the software from:
http://www.netscreen.com/services/download_soft/
Select your NetScreen device from the "Select Your Product" pull-down menu. You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen device serial number as the password.
If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software. NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time, Monday through Friday, excluding weekends and observed holidays. You may contact them via email at customerservice@netscreen.com or via phone at 408.730.6000 or 800.638.8296.
Please reference this Advisory title as evidence of your entitlement to the fixed software version.
NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release.