-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: Juniper NetScreen Advisory 58784
Date: 21 April 2004
Version: 1

Impact: A design flaw in the RFC specification of TCP may allow a blind attacker to successfully close a TCP connection.

Affected Products: Juniper NetScreen Firewalls (all versions)

NISCC Reference: Vul/236929
http://www.uniras.gov.uk/vuls/2004/236929/tcp.htm

Max Risk: Medium

Summary:

A blind attacker with limited knowledge of a TCP connection may be able to successfully brute force the TCP Sequence number space and thereby cause a connection endpoint or firewall stateful filter to process a spoofed RST packet and close the connection.

Details:

The TCP Sequence number is one of the mechanisms that TCP uses to prevent a third party from inserting forged packets into the data-stream between two other hosts. While such an attack has always been known to be theoretically possible against TCP, it was believed that the range of over four billion possible TCP Sequence numbers was large enough to prevent a successful attack.

However, recently such an attack has been proven to be feasible in certain situations. Specifically, if two hosts are known to talk to each other on a regular basis and/or for long periods of time over known port(s), then it may be possible for an attacker to brute force the TCP Sequence number space and successfully inject a forged packet into the connection and possibly disrupt communications. Certain connections, such as BGP4, which are long lived between two devices, are especially vulnerable.

While all TCP connections are potentially vulnerable, NetScreen believes that NetScreen firewalls running BGP4 or with TCP Syn-Check enabled are likely to be vulnerable in practice. Other protocols such as SSH, HTTP and SMTP, which usually have shorter connection times, are less vulnerable.

Recommended Actions:

NetScreen firewall customers should do one or more of the following:

1) Configure Anti-Spoof protection as appropriate.
2) Use secure protocols such as SSH, HTTPS, BGP4 w/ MD5 Authentication and IPSec, which are more resistant to attack.
3) Limit management to dedicated and/or internal interfaces.
4) Upgrade to ScreenOS 5.0r6, which enhances the stateful firewall functionality to protect devices on the network.

Patch Availability:

NetScreen currently has ScreenOS version 5.0r6 available for Juniper NetScreen firewalls.

How to get ScreenOS:

Customers with a valid product warranty or a support contract may download the software from the Juniper NetScreen CSO web portal:
http://www.juniper.net/support/

For all other customers, including those with expired support contracts, please call your regional Juniper NetScreen TAC center at one of the numbers listed in:
http://www.juniper.net/support/nscn_support/tao/contact.html

Select option 2 from the telephone menu and be sure to select the correct product from the phone tree. Once connected with an engineer, state that you are calling in regards to a Security Advisory and provide the title of this notice as evidence of your entitlement to the specified release.

As with any new software installation, NetScreen customers planning to upgrade to any version of ScreenOS should carefully read the release notes and other relevant documentation before beginning any upgrade.

If you wish to verify the validity of this Security Advisory, the public PGP key can be accessed at:
http://www.juniper.net/support/nscn_support/security/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: NetScreen Security Response Team

iD8DBQFAhExPW2Bw6QjqXRcRAvzKAKCb1/M9LNb7Ey4/SLz59EtpGl4zCgCgrhjP
e8+qZ75A6DMlumtWKaNiE4U=
=9Xk/
-----END PGP SIGNATURE-----
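
Added example (not part of the Juniper NetScreen advisory): a detection check for the brute-force pattern described under Details, in which one connection receives many RST segments carrying different sequence numbers within a short time. The record layout, the thresholds, the function name and all sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

def find_rst_sweeps(records, window_s=10.0, min_distinct_seq=20):
    """Flag flows that receive many RSTs with distinct sequence numbers.

    records: iterable of (time_s, src, sport, dst, dport, flags, seq).
    Returns {flow 4-tuple: largest count of distinct RST sequence numbers
    seen inside any window_s-second window} for flows at or over the threshold.
    A normal teardown produces one RST, or retransmits of the same one.
    """
    rst_by_flow = defaultdict(list)
    for t, src, sport, dst, dport, flags, seq in records:
        if "R" in flags:                      # keep only segments with RST set
            rst_by_flow[(src, sport, dst, dport)].append((t, seq))

    alerts = {}
    for flow, events in rst_by_flow.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_s
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = len({seq for _, seq in events[start:end + 1]})
            if distinct >= min_distinct_seq:
                alerts[flow] = max(alerts.get(flow, 0), distinct)
    return alerts

# Constructed sample traffic (documentation address ranges, made-up values).
BGP_FLOW = ("192.0.2.2", 33012, "192.0.2.1", 179)
SAMPLE = []
# Long-lived BGP4 session: ordinary ACK traffic ...
SAMPLE += [(float(i), *BGP_FLOW, "A", 1000 + i) for i in range(5)]
# ... then 40 RSTs in 4 seconds, each with a different sequence number.
SAMPLE += [(20 + i * 0.1, *BGP_FLOW, "R", (i * 104729) % 2**32) for i in range(40)]
# SSH session closed by a single RST.
SAMPLE += [(30.0, "198.51.100.7", 51000, "192.0.2.1", 22, "RA", 77001)]
# HTTP session where the same RST is retransmitted three times.
SAMPLE += [(31.0 + i, "198.51.100.9", 40444, "192.0.2.1", 80, "R", 5555) for i in range(3)]

if __name__ == "__main__":
    for flow, count in find_rst_sweeps(SAMPLE).items():
        print("possible RST brute force:", flow, "distinct seq:", count)
```

The thresholds need tuning per environment; the check keys on the full 4-tuple, so it assumes the capture point sees the spoofed segments with the connection's real addresses and ports.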