NetScreen Response to: IP Spoof protection failure
Monday, January 21, 2002
Summary
An optional feature in ScreenOS is IP Spoof protection, which examines the
source IP address of every frame received on an interface and discards any
frame whose source IP address belongs to a network attached to a different
interface.
A potential issue has been discovered (bug ID 14089) in NetScreen's test labs involving all releases of ScreenOS software versions 2.6.1 and 3.0.0 where the IP Spoof protection may not discard all of these frames. Standard firewall policies are still applied to these frames. To date no malicious exploitation of this issue has been reported to NetScreen.
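The intended behaviour of the IP Spoof protection check described above, written out as an added example (this is not ScreenOS code and not NetScreen's implementation): a frame is compared against the networks attached to every other interface, and dropped when its source address belongs to one of them. The interface names, networks and sample frames are constructed for the example.

```python
import ipaddress

# Constructed interface table: the networks sitting behind each firewall
# interface. Zone names and address ranges are assumptions for this example.
INTERFACE_NETWORKS = {
    "trust":   [ipaddress.ip_network("10.1.0.0/16")],
    "dmz":     [ipaddress.ip_network("192.168.50.0/24")],
    "untrust": [ipaddress.ip_network("203.0.113.0/24")],
}


def owning_interface(src_ip):
    """Return the interface whose attached network contains src_ip, or None."""
    for iface, networks in INTERFACE_NETWORKS.items():
        if any(src_ip in net for net in networks):
            return iface
    return None


def spoof_check(ingress_iface, src):
    """Apply the IP Spoof protection rule to a single frame.

    Returns ("accept", None), or ("drop", <interface the source really
    belongs to>) when the source address is attached to an interface other
    than the one the frame arrived on. Addresses attached to no interface
    (e.g. arbitrary Internet hosts) pass this check and go on to normal policy.
    """
    src_ip = ipaddress.ip_address(src)
    owner = owning_interface(src_ip)
    if owner is not None and owner != ingress_iface:
        return ("drop", owner)
    return ("accept", None)


def filter_frames(frames):
    """Run spoof_check over (ingress, src) pairs; return (accepted, dropped)."""
    accepted, dropped = [], []
    for ingress, src in frames:
        verdict, owner = spoof_check(ingress, src)
        if verdict == "drop":
            dropped.append((ingress, src, owner))
        else:
            accepted.append((ingress, src))
    return accepted, dropped


# Constructed sample frames: (interface the frame arrived on, source address).
SAMPLE_FRAMES = [
    ("untrust", "198.51.100.7"),   # ordinary external source: accepted
    ("untrust", "10.1.4.20"),      # trust-side address arriving from outside: dropped
    ("trust",   "10.1.4.20"),      # same address on its own interface: accepted
    ("dmz",     "203.0.113.9"),    # untrust-side address arriving on dmz: dropped
    ("untrust", "203.0.113.9"),    # untrust-side address on untrust: accepted
]

if __name__ == "__main__":
    ok, bad = filter_frames(SAMPLE_FRAMES)
    for ingress, src in ok:
        print(f"accept  {ingress:8s} src={src}")
    for ingress, src, owner in bad:
        print(f"DROP    {ingress:8s} src={src} (belongs to {owner})")
```

Frames that survive this check are still subject to the firewall policy, which is why the advisory notes that standard policies continue to apply even where the spoof check fails to discard a frame.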
A software patch has been created to address this issue and is available to all affected customers. NetScreen strongly encourages all affected users to update their ScreenOS immediately.
This notice is being released in order to enable all affected NetScreen
customers to take immediate steps to address this issue. All affected customers
should read the details of this advisory and follow the suggestions for correction
as described in the FIXES section of this advisory (below).
Who is Affected
If you or your customers are using a NetScreen security product running version
2.6.1 or 3.0.0 of ScreenOS and have enabled the optional IP Spoof protection
then you may be affected. If you or your customers have any NetScreen hardware
products not shown here or are running a different version of ScreenOS then
you are NOT affected.
Affected Devices   Affected ScreenOS versions
-----------------  ---------------------------------------
NetScreen-5        ScreenOS 2.6.1r1 to 2.6.1r4, inclusive.
NetScreen-5XP      ScreenOS 2.6.1r1 to 2.6.1r4, inclusive.
                   ScreenOS 3.0.0r1 to 3.0.0r3, inclusive.
NetScreen-10       ScreenOS 2.6.1r1 to 2.6.1r4, inclusive.
                   ScreenOS 3.0.0r1 to 3.0.0r3, inclusive.
NetScreen-25       ScreenOS 3.0.0r1.
NetScreen-50       ScreenOS 3.0.0r1.
NetScreen-100      ScreenOS 2.6.1r1 to 2.6.1r4, inclusive.
                   ScreenOS 3.0.0r1 to 3.0.0r3, inclusive.
NetScreen-500      ScreenOS 2.6.1r1 to 2.6.1r4, inclusive.
                   ScreenOS 2.7.1r1 and 2.7.1r2.
                   ScreenOS 3.0.0r1 to 3.0.0r3, inclusive.
If you are unsure what version of the appliance software you are running, log in to the device's Command Line Interface (CLI) using either Telnet or the Serial Console Interface. At the prompt, issue the command "get system". The second item displayed on the first line is "SW Version/Checksum:". The number immediately following this colon, before the "/" is the running version.
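An added helper (not NetScreen's tooling) that turns the version check above into something repeatable across a fleet: it pulls the version out of the "SW Version/Checksum:" field, compares it against the affected ranges listed in the table, and reports whether a given device needs the patch. The exact layout of the "get system" output line is an assumption; the sample output below is constructed, and the affected ranges are taken from the advisory.

```python
import re

# Affected ranges from the advisory's table, per device, as inclusive
# (lowest, highest) pairs of (major, minor, patch, release-number).
AFFECTED = {
    "NetScreen-5":   [((2, 6, 1, 1), (2, 6, 1, 4))],
    "NetScreen-5XP": [((2, 6, 1, 1), (2, 6, 1, 4)), ((3, 0, 0, 1), (3, 0, 0, 3))],
    "NetScreen-10":  [((2, 6, 1, 1), (2, 6, 1, 4)), ((3, 0, 0, 1), (3, 0, 0, 3))],
    "NetScreen-25":  [((3, 0, 0, 1), (3, 0, 0, 1))],
    "NetScreen-50":  [((3, 0, 0, 1), (3, 0, 0, 1))],
    "NetScreen-100": [((2, 6, 1, 1), (2, 6, 1, 4)), ((3, 0, 0, 1), (3, 0, 0, 3))],
    "NetScreen-500": [((2, 6, 1, 1), (2, 6, 1, 4)),
                      ((2, 7, 1, 1), (2, 7, 1, 2)),
                      ((3, 0, 0, 1), (3, 0, 0, 3))],
}

# Release versions look like "2.6.1r4". Anything else (a non-release build)
# is deliberately rejected so the operator checks with support instead.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)$")


def parse_version(text):
    """Turn '3.0.0r2' into the comparable tuple (3, 0, 0, 2)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a release version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_from_get_system(output):
    """Extract the running version from the first line of 'get system' output.

    The advisory says the version is the text after 'SW Version/Checksum:'
    and before the '/'; the surrounding line layout here is assumed.
    """
    first_line = output.splitlines()[0]
    m = re.search(r"SW Version/Checksum:\s*([^/\s]+)/", first_line)
    if not m:
        raise ValueError("SW Version/Checksum field not found on first line")
    return parse_version(m.group(1))


def is_affected_version(device, version):
    """True if this device/version pair falls inside an affected range."""
    return any(lo <= version <= hi for lo, hi in AFFECTED.get(device, []))


def needs_patch(device, version, spoof_protection_enabled):
    """The advisory applies only when IP Spoof protection is turned on."""
    return spoof_protection_enabled and is_affected_version(device, version)


# Constructed sample of a 'get system' first line (layout assumed, not real output).
SAMPLE_GET_SYSTEM = (
    "Product Name: NetScreen-5XP  SW Version/Checksum: 2.6.1r3/0123abcd\n"
    "... further lines omitted ...\n"
)

if __name__ == "__main__":
    ver = version_from_get_system(SAMPLE_GET_SYSTEM)
    print("running:", ver, "needs patch:", needs_patch("NetScreen-5XP", ver, True))
```

Because the tuples compare element-wise, "2.6.1r10" would correctly sort after "2.6.1r4", which a plain string comparison would get wrong.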
Impact
The severity of the impact will vary based upon the device configuration and
environment. Although these conditions are rare in most networks, administrators
of all affected devices and configurations (see "Who is Affected") are advised
to treat this issue as if it could affect their network and to take action
immediately to address it.
The bug could be exploited to deny service to protected network devices and hosts.
It should be noted that this would not allow an attacker to gain network access.
Fixed Software Versions
The bug associated with this issue is ID 14089. This bug has been addressed
in the following release versions:
2.6.1r5 on the NetScreen-5/5XP/10/100/500
2.7.1r3 on the NetScreen-500
3.0.0r4 on the NetScreen-5XP/10/100/500
3.0.0r2 on the NetScreen-25/50
Customers with a non-release version of ScreenOS software based on ScreenOS versions 2.6.1, 2.7.1 or 3.0.0 should check with their Technical Account Manager or our Technical Support department to verify whether their version is affected.
Getting Patched Software
If you have registered your product with NetScreen and have a valid service
contract, you can simply download the software from:
http://www.juniper.net/support/nscn_support/tao/
You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen device serial number as the password.
If you have not yet registered your product with NetScreen, you will need to contact
NetScreen Technical Support for special instructions on how to obtain the fixed
software. NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific
time Monday through Friday, excluding weekends and observed holidays. You may
contact them via email at:
support@netscreen.com
or via phone at:
408.730.6000 or 800.638.8296
Please reference this Advisory title as evidence of your entitlement to the fixed software version.
NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release.
Workarounds
None.
Exploitation, Announcement and Response
NetScreen has no reports of malicious exploitation of this bug. However, the
nature of this issue is such that it may be used to create denial of service
attacks.
NetScreen knows of no public announcements or discussion of this bug before the date of this notice.
Distribution
This notice will be entered into NetScreen's Support Knowledge Base and can
be viewed by registered customers on our support web site at:
http://www.juniper.net/support/nscn_support/
In addition to Web posting, this advisory is being sent to the following email
lists:
* Identified affected customers
* var-news@netscreen.com
* Various internal NetScreen mail lists
=======================================================================
This notice is copyright 2002 by NetScreen Technologies, Inc. This notice may
be redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including all
date and version information.
=======================================================================