NetScreen Predictable TCP Sequence Numbers Let Remote Users Bypass Security Rules
SecurityTracker Alert ID: 1005709
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 26 2002
Impact: Host/resource access via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 1.7, 2.6, 2.8, 3.0, 3.1, 4.0
Description: A vulnerability was reported in NetScreen's firewall/VPN appliances due to the generation of predictable TCP Initial Sequence Numbers (ISNs). A remote user may be able to hijack protected sessions or bypass the firewall's access control policies.
It is reported that a remote user can use IP spoofing and can attempt to predict TCP ISNs generated by the appliance to bypass the device's IP-based security policies.
According to the vendor, the flaw is exploitable on the following connections:
1) TCP connections to and from the NetScreen device itself
2) TCP connections that match policies requiring authentication
3) TCP connections forwarded through the appliance between two other hosts when syn-flood protection is enabled and the appliance is performing SYN proxying for the protected hosts.
According to the report, the ISN algorithms in ScreenOS 2.6 and earlier are more predictable. However, all versions prior to 4.0.1 are vulnerable.
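As an added example (not part of the SecurityTracker alert or NetScreen's advisory), the following Python audit scores a run of ISNs observed from one device, for instance SYN/ACKs your own appliance sent as captured on the wire, against the naive guess "next ISN = last ISN + previous delta", which is exactly what a counter-style generator lets an IP-spoofing peer do. The two ISN lists are constructed for the demo; the 64000-per-connection counter is a stand-in for a weak scheme, not NetScreen's actual algorithm.

```python
import random
from typing import List, Sequence

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def isn_deltas(isns: Sequence[int]) -> List[int]:
    """Differences between consecutive ISNs, taken modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predictability_report(isns: Sequence[int], window: int = 0) -> dict:
    """Score observed ISNs against the naive guess next = last + previous delta.

    constant_delta: every delta identical (a pure counter, the weakest case)
    guess_hit_rate: fraction of guesses landing within +/- window of the truth
    min_miss      : closest any guess came, measured on the 32-bit ring
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to evaluate prediction")
    deltas = isn_deltas(isns)
    misses = []
    for i in range(1, len(deltas)):
        guess = (isns[i] + deltas[i - 1]) % MOD
        actual = isns[i + 1]
        # ring distance so a wrap past 2^32 does not look like a huge miss
        misses.append(min((actual - guess) % MOD, (guess - actual) % MOD))
    return {
        "constant_delta": len(set(deltas)) == 1,
        "guess_hit_rate": sum(m <= window for m in misses) / len(misses),
        "min_miss": min(misses),
    }


# Constructed sample: a counter-style generator that adds 64000 per connection,
# the kind of scheme the advisory calls "more predictable".
WEAK_ISNS = [(0x1A2B3C4D + 64000 * k) % MOD for k in range(12)]

# Constructed sample: 32-bit values from a seeded PRNG standing in for a
# per-connection random generator (seeded only so the demo is repeatable).
_rng = random.Random(20021126)
STRONG_ISNS = [_rng.getrandbits(32) for _ in range(12)]

if __name__ == "__main__":
    for name, sample in (("counter", WEAK_ISNS), ("random", STRONG_ISNS)):
        # window=65535: a guess within one maximum TCP window still counts
        print(name, predictability_report(sample, window=65535))
```

A hit rate near 1.0 with a window of one TCP receive window is the condition under which the spoofed-connection scenario in the description becomes practical; after upgrading, re-run the audit on fresh captures to confirm the rate has dropped to zero.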
Impact: A remote user may be able to bypass the device's access control rules for certain types of connections.
Solution: The vendor has issued a fixed version (4.0.1). NetScreen indicates that you can install one of the maintenance releases listed in their advisory (http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html) or upgrade to ScreenOS 4.0.1.
Registered users with a valid service contract can download the software from:
http://www.netscreen.com/support/updates.html

Vendor URL: www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html
Cause: State error
Message History:
None.

Source Message Contents
Date: Mon, 25 Nov 2002 19:00:22 -0500
Subject: NetScreen Security Alert 51897 - Predictable Sequence Numbers
http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html
NetScreen issued Security Alert 51897 warning of a weakness in their firewall/VPN
appliances due to predictable TCP Initial Sequence Numbers (ISNs).
Versions: ScreenOS 1.7, 2.6, 2.8, 3.0, 3.1, 4.0
It is reported that a remote user can use IP spoofing and can attempt to predict TCP ISNs
generated by the appliance to bypass the device's IP-based security policies.
According to the vendor, the flaw is exploitable on the following connections:
1) TCP connections to and from the NetScreen device itself
2) TCP connections that match policies requiring authentication
3) TCP connections forwarded through the appliance between two other hosts when syn-flood
protection is enabled and the appliance is performing SYN proxying for the protected
hosts.
According to the report, the ISN algorithms in ScreenOS 2.6 and earlier are most
predictable. However, all versions prior to 4.0.1 are vulnerable.
NetScreen indicates that you can install one of the maintenance releases listed in their
advisory
(http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html) or
upgrade to ScreenOS 4.0.1.
Registered users with a valid service contract can download the software from:
http://www.netscreen.com/support/updates.html