Title: NetScreen Security Alert 51929

Date: 25 November 2002

Description: NetScreen Response to 'Malicious-URL': Feature may be Circumvented Using IP Fragmentation

Affected Products: All firewall/VPN appliances and systems

Affected Software Releases: ScreenOS 2.7.1, 2.8, 3.0, 3.1, 4.0

Max Risk: Low

Summary:

In response to the Code-Red events in the winter of 2001/2002 NetScreen added a feature to it's firewalls that can be used to block access to given URLs on external web servers. This feature was designed to assist network administrators quickly restrict access to web content until a more thorough solution could be implemented.

A vulnerability has been discovered in the implementation of this 'Malicious-URL' blocking feature that could allow an http client to bypass the this screening and view a protected URL. By carefully fragmenting the URL in the http header into many IP fragments, the feature could be circumvented.

Recommended Actions:

Any or all of

(1) Upgrade to ScreenOS 4.0.1 or later

(2) Minimize the time that Malicious-URLs are defined on the firewall

(3) Install all vendor patches on at-risk servers when released