SecurityTracker.com
Category:   Device (Firewall)  >   ScreenOS (NetScreen) Vendors:   NetScreen
(Vendor Clarifies) Re: NetScreen Firewalls Can Be Made Unresponsive By a Remote User on the Trusted Interface Side Conducting Port Scans Through the Firewall
SecurityTracker Alert ID:  1003423
SecurityTracker URL:  http://securitytracker.com/id/1003423
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 1 2002
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 2.6.1
Description:   A denial of service vulnerability was reported in NetScreen firewalls (ScreenOS). A remote user on the trusted interface can cause the interface to hang.

It is reported that a remote user on the trusted (internal) interface can conduct a port scan on an external IP address to consume available sessions on the firewall. This can reportedly cause the entire trusted interface to become unresponsive.

Impact:   A remote user on the internal (trusted) interface can cause the interface to become unresponsive.
Solution:   The vendor reports that this vulnerability was fixed in ScreenOS 2.6.1 back in September of 2001 in response to the Code Red attacks. The vendor provides the following information:

"The feature is called Source IP Session Thresholding. This feature was implemented as a CLI command in 2.6.1r2, and has been incorporated into the WebUI starting with ScreenOS 3.1. ScreenOS 3.1 is currently available for the NS-204, NS-208, and NS-500.

The command:

set firewall session-threshold source-ip-based [num]

limits any one source IP from the trusted side to [num] number of concurrent sessions. Since the 5XP can support 2048 concurrent sessions, it would make sense to set the limit lower than that. I would recommend the higher of the following two numbers as a starting point: 100, or 2048/n where n is the number of systems on your private side network. You might want to check your flow counters to see if that's an acceptable number, and modify accordingly.

How long these sessions remain active is user configurable. ScreenOS has a default setting for session inactivity timeout of 30 minutes. Both pre-defined and custom services can be adjusted in timeout value from 1 minute to 2 days. If you would have waited 30 minutes, your portscans to an unresponsive machine would have timed out and the sessions cleared for reuse. If you had scanned a machine that responded to the scans (with either ICMP unreachable or RST), the session would have closed immediately."
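As an added illustration (not part of the advisory or of NetScreen's own code), the following Python model reproduces the failure mode the vendor describes: one trusted-side host scanning a silent external address fills the 2048-entry session table until the 30-minute inactivity timeout clears it, while a responsive target (RST or ICMP unreachable) never holds a slot, and a per-source threshold chosen with the vendor's "higher of 100 or 2048/n" heuristic leaves room for the other trusted hosts. The capacity, timeout and heuristic come from the page; the addresses, port count and scan rate are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SESSION_CAPACITY = 2048        # NS-5XP concurrent-session capacity, per the vendor
DEFAULT_IDLE_TIMEOUT = 30 * 60 # ScreenOS default inactivity timeout (30 minutes), in seconds


@dataclass
class SessionTable:
    """Toy model of the firewall session table (constructed for this example)."""
    capacity: int = SESSION_CAPACITY
    per_source_limit: Optional[int] = None  # None models a build without session-threshold
    idle_timeout: int = DEFAULT_IDLE_TIMEOUT
    sessions: List[Tuple[str, int]] = field(default_factory=list)  # (src_ip, last_activity)

    def expire(self, now: int) -> None:
        """Drop sessions idle for the full inactivity timeout (what waiting 30 minutes does)."""
        self.sessions = [s for s in self.sessions if now - s[1] < self.idle_timeout]

    def count_for(self, src: str) -> int:
        return sum(1 for s in self.sessions if s[0] == src)

    def open(self, src: str, now: int, target_responds: bool) -> bool:
        """Try to create a session. A target that answers (RST / ICMP unreachable)
        closes the session at once, so it never occupies a table slot."""
        self.expire(now)
        if self.per_source_limit is not None and self.count_for(src) >= self.per_source_limit:
            return False  # source-ip-based threshold reached: new session refused
        if len(self.sessions) >= self.capacity:
            return False  # table exhausted: every trusted host is affected
        if not target_responds:
            self.sessions.append((src, now))
        return True


def recommended_threshold(trusted_hosts: int, capacity: int = SESSION_CAPACITY) -> int:
    """Vendor's starting point: the higher of 100 and capacity / n."""
    return max(100, capacity // trusted_hosts)


def scan_then_browse(per_source_limit: Optional[int], ports: int = 3000, rate: int = 100):
    """One trusted host scans `ports` ports of a silent external address at `rate` probes/s;
    a second trusted host then opens a session. Returns (scanner sessions held, second host ok)."""
    table = SessionTable(per_source_limit=per_source_limit)
    scanner, neighbour = "10.1.1.50", "10.1.1.51"   # constructed addresses
    now = 0
    for i in range(ports):
        now = i // rate
        table.open(scanner, now, target_responds=False)
    return table.count_for(scanner), table.open(neighbour, now + 1, target_responds=True)
```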

Vendor URL:  www.netscreen.com/
Cause:   Resource error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Feb 1 2002 NetScreen Firewalls Can Be Made Unresponsive By a Remote User on the Trusted Interface Side Conducting Port Scans Through the Firewall



 Source Message Contents

Date:  Fri, 1 Feb 2002 10:27:11 -0800
Subject:  RE: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS


Chris,

You were misinformed about the time for a fix.  Your device was also more
than likely misconfigured.  This issue has already been addressed, and
preventative measures were added in ScreenOS 2.6.1 back in September of 2001
in response to trouble people were having with the Code Red series of
Internet worms.  The feature is called Source IP Session Thresholding.  This
feature was implemented as a CLI command in 2.6.1r2, and has been
incorporated into the WebUI starting with ScreenOS 3.1.  ScreenOS 3.1 is
currently available for the NS-204, NS-208, and NS-500.

The command:

set firewall session-threshold source-ip-based [num]

limits any one source IP from the trusted side to [num] number of concurrent
sessions.  Since the 5XP can support 2048 concurrent sessions, it would make
sense to set the limit lower than that.  I would recommend the higher of the
following two numbers as a starting point:  100, or 2048/n where n is the
number of systems on your private side network.  You might want to check
your flow counters to see if that's an acceptable number, and modify
accordingly.

How long these sessions remain active is user configurable.  ScreenOS
has a default setting for session inactivity timeout of 30 minutes.  Both
pre-defined and custom services can be adjusted in timeout value from 1
minute to 2 days.  If you would have waited 30 minutes, your portscans to an
unresponsive machine would have timed out and the sessions cleared for
reuse.  If you had scanned a machine that responded to the scans (with
either ICMP unreachable or RST), the session would have closed immediately.

I'm curious as to from who you received this incorrect and outdated
information, so we can correct our own internal information distribution
system.  A NetScreen Whitepaper was also written (by me) that covers this
new feature and its use, as well as information on the worms from last
year.  It's somewhat dated now, and I didn't feel like spamming the bugtraq
alias with it as well, but if you'd like a copy, please drop me a note and
I'll forward it to you.

If you have any further questions on this matter, please feel free to ask. 

Dave Killion 
Senior Support Engineer 
NetScreen Certified Security Associate (NCSA) 
NetScreen Technical Assistance Center 
support@netscreen.com 
(800)638-8296 
Please visit our Enhanced Services support offerings at 
http://www.netscreen.com/support/enhanced_services.html 

Copyright 2014, SecurityGlobal.net LLC