NetScreen Security Alert
NetScreen Response to: CERT Advisory CA-2002-03 "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)"
February 13, 2002
download maintenance releases of ScreenOS software
In response to CERT Advisory CA-2002-03 "Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP)", NetScreen began reproducing the tests and evaluating the exposure of its products to the various problems reported by CERT and OUSPG.
NetScreen's Global PRO and Global PRO Express do not have an SNMP agent or manager and are not sensitive to the issues raised in VU#107186 (CAN-2002-0012), "Multiple vulnerabilities in SNMP v1 trap handling". No change in behavior or operation is required.
NetScreen has tested selected security appliances and ScreenOS software versions for the issues raised in VU#854306 (CAN-2002-0013) "Multiple vulnerabilities in SNMP v1 request handling", and has determined that the SNMP agent within all versions of ScreenOS is affected by some of the tests described by CERT and OUSPG. NetScreen is continuing to test in order to confirm the full extent of the platforms and ScreenOS versions affected. These vulnerabilities can, in certain circumstances, be exploited to produce a denial of service. They cannot be used to gain management control of the device.
NetScreen is working as quickly as possible to develop and test maintenance releases of ScreenOS software that address these vulnerabilities. All NetScreen security appliances and systems shipped from NetScreen after Wednesday 13 February 2002 have software pre-installed at the factory that addresses these vulnerabilities.
This information has been communicated to CERT/CC.
While these releases are being prepared and tested, there are several steps you can take to minimize exposure to the issues raised in the alert.
By default, the SNMP agent within ScreenOS is not enabled, and even when the agent is enabled it must additionally be enabled on each individual interface. NetScreen recommends that you not enable SNMP, or, if you must enable SNMP, that you do so only on the interface(s) where it is necessary. If management must be performed from a host reachable via the "Untrust" interface, NetScreen recommends that this management be performed via an IPSec tunnel.
No default community names are provided in ScreenOS, and NetScreen recommends that the well-known community names "public" and "private" not be used. Up to three (3) communities may be defined, each with up to eight hosts in an access list.
You can override the default UDP port numbers used for SNMP management. By default, the UDP port on which a NetScreen device listens for GETs, SETs and other requests is port 161, and the UDP port to which it sends traps is port 162. Not all SNMP management applications allow you to change the ports on which they communicate with managed elements, but where possible NetScreen recommends that you not use these well-known ports.
You can define an access list for SNMP management. For each defined community name, an access list of up to eight (8) IP addresses may be defined. NetScreen recommends that you define access lists to minimize, but not wholly prevent, attacks from unauthorized hosts.
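The community-name and access-list recommendations above can be checked on the wire as well as in the configuration. The following is an added example, not NetScreen code: it decodes only the outer SNMPv1 message header (SEQUENCE { INTEGER version, OCTET STRING community, PDU }) of a datagram and reports requests that use a well-known or unknown community, or that come from a host outside that community's access list. The policy table, host addresses and sample datagrams are constructed for the example.

```python
"""Audit SNMP requests against the community-name and access-list advice above.
Added example, not NetScreen code; POLICY and the sample datagrams are constructed."""
WELL_KNOWN = {"public", "private"}

# Constructed policy: community name -> the (up to eight) hosts allowed to use it
POLICY = {"ns-mon": {"10.1.1.5", "10.1.1.6"}}

def _read_tlv(buf, pos):
    """Decode one BER TLV (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    """Return (version, community) from an SNMP message, or None if it is malformed."""
    try:
        tag, body, _ = _read_tlv(datagram, 0)
        vtag, ver, pos = _read_tlv(body, 0)
        ctag, community, _ = _read_tlv(body, pos)
    except (IndexError, ValueError):
        return None
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):  # SEQUENCE, INTEGER, OCTET STRING
        return None
    return int.from_bytes(ver, "big"), community.decode("ascii", "replace")

def audit(src_ip, datagram, policy=POLICY):
    """Return the first policy finding for a request, or None if it is acceptable."""
    header = parse_snmp_header(datagram)
    if header is None:
        return "malformed SNMP message"
    _version, community = header            # version 0 is SNMPv1, 1 is SNMPv2c
    if community in WELL_KNOWN:
        return f"well-known community {community!r}"
    if community not in policy:
        return f"unknown community {community!r}"
    if src_ip not in policy[community]:
        return f"source {src_ip} not in access list for {community!r}"
    return None

def _tlv(tag, payload):
    """BER-encode a short (< 128 byte) TLV, used only to build sample datagrams."""
    return bytes([tag, len(payload)]) + payload

def build_v1_get(community):
    """Constructed SNMPv1 GetRequest (version 0) with an empty variable-binding list."""
    pdu = _tlv(0xA0, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00") + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)
```

Feeding each datagram's source address and payload to `audit` from a packet capture gives one finding per request that violates the recommended configuration, which is the traffic you would expect to see during a probe of an exposed agent.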
You should also be aware that the operational state or behavior of a NetScreen device cannot be changed via SNMP. All NetScreen enterprise MIB variables are Read-Only.