NetScreen Security Alert

NetScreen Response to: "NetScreen-25 Unauthorized Reboot Issue"

June 3, 2002

This issue was reported to NetScreen the week of May 20, 2002, and to BugTraq@SecurityFocus.com (visible at http://online.securityfocus.com/bid/4842) on May 27. Other reporting sites may have been contacted as well.

The reported issue involves the graphical user interface ("WebUI") and submitting excessively long (i.e. several multiples of the stated maximum length) usernames. Bounds checking was not performed, and the system would crash while attempting to process the excessively long username. This resulted in a denial of service for the protected systems, as no forwarding of traffic would occur while the NetScreen device was rebooting. This issue was discovered in NetScreen's internal testing and has been addressed in all versions of ScreenOS released after April 23, 2002. This list includes versions 2.6.1r8 and later, 2.8.0r2 and later, 2.8.1r1 and later, 3.0.1r2 and later, 3.0.2r3 and later, 3.0.3r1 and later. This issue was never present in 3.1.0r1 and later.
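
The missing check described above, as an added C example (not ScreenOS code and not from NetScreen): a login-form parser that measures the username before copying it and rejects anything over the limit. The field name `username`, the 31-byte limit and the function name are assumptions, since the advisory gives none of them.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 31 /* assumed limit; the advisory does not give the real one */

enum field_status { FIELD_OK = 0, FIELD_MISSING = -1, FIELD_TOO_LONG = -2 };

/* Hypothetical helper: copy the "username" value out of a urlencoded form
 * body of known length. The length is checked on the raw bytes before any
 * copy, so an oversized value is rejected instead of overrunning `out`. */
static enum field_status get_username(const char *body, size_t body_len,
                                      char *out, size_t out_size)
{
    static const char key[] = "username=";
    const size_t key_len = sizeof key - 1;
    size_t pos = 0;

    if (out_size == 0)
        return FIELD_TOO_LONG;
    out[0] = '\0';

    while (pos < body_len) {
        size_t end = pos; /* end of the current key=value pair */
        while (end < body_len && body[end] != '&')
            end++;
        if (end - pos >= key_len && memcmp(body + pos, key, key_len) == 0) {
            size_t val_len = end - pos - key_len;
            if (val_len > MAX_USERNAME || val_len >= out_size)
                return FIELD_TOO_LONG; /* reject; do not truncate or copy */
            memcpy(out, body + pos + key_len, val_len);
            out[val_len] = '\0';
            return FIELD_OK;
        }
        pos = end + 1;
    }
    return FIELD_MISSING;
}

int main(void)
{
    char name[MAX_USERNAME + 1], big[9 + 4 * MAX_USERNAME]; /* constructed inputs */
    const char *ok = "username=admin&password=x";

    memcpy(big, "username=", 9);
    memset(big + 9, 'A', sizeof big - 9); /* several multiples of the limit */
    printf("normal: %d\n", (int)get_username(ok, strlen(ok), name, sizeof name));
    printf("oversized: %d\n", (int)get_username(big, sizeof big, name, sizeof name));
    return 0;
}
```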

The standard security practices of only permitting management access via selected interface(s), defining a list of source IP addresses permitted management access (the manager-ip list), and/or only permitting CLI (Telnet or SSH) management access to the device will all mitigate exposure to this issue. Upgrading to one of the ScreenOS releases mentioned above will prevent this issue.