NetScreen Global PRO Policy Manager May Configure VPNs With a Weaker Cryptographic Algorithm
SecurityTracker Alert ID: 1006590
SecurityTracker URL: http://securitytracker.com/id/1006590
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Apr 17 2003
Impact:
Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0.0r1 through 4.0.0r5 and version 4.1.0r1
Description:
A vulnerability was reported in the NetScreen Global PRO Policy Manager. Certain IPSec VPNs configured through the manager may use a weaker cryptographic algorithm than the one specified.
NetScreen reported an error in the manager when it creates definitions for IPSec phase 1 and phase 2 proposals that use the AES cryptographic algorithm. Instead of AES128, the managed NetScreen firewall/VPN devices use single DES (56-bit key). Because the proposal is still specified as AES128 in the manager, the algorithm actually in use can only be confirmed from the configuration and security associations on the managed device itself, not from the manager's view of the policy.
If you use a VPN on a NetScreen device that was configured by Global PRO using any of the following predefined proposals, you are vulnerable: "g2-aes128-sha", "g2-aes128-md5", "esp-aes128-sha", and "esp-aes128-md5".
Impact:
Certain VPNs configured by the manager will use single DES rather than the specified AES128, so tunnel traffic is protected by a cipher whose 56-bit key is practical to brute-force, and an attacker who captures the traffic may be able to recover it.
Solution:
The vendor plans to issue a fixed version (4.1.1) on May 15, 2003. Upgrading to the fixed version will push out corrected configurations for existing VPNs.
Until the fix is available, NetScreen recommends the following [quoted for accuracy]:
"(1) Create custom proposals for IPSec phase 1 and phase 2 using AES128 as the cryptographic algorithm.
(2) Update all affected VPN configurations to use these custom proposals.
(3) As soon as practical, upgrade your Global PRO to the maintenance release identified below or a later version."
Registered users can obtain Global PRO at the following URL:
http://www.netscreen.com/support/updates.html
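The workaround above depends on knowing which proposals actually negotiate DES and which VPNs reference them. The following script is an added example for this alert, not NetScreen or SecurityTracker code: it audits a device configuration dump, trusting the cipher on each proposal line rather than the cipher the proposal name advertises, and lists the VPNs whose phase 1 (via their gateway) or phase 2 proposal is flagged. It also generalises the check to any proposal whose name claims a different cipher than it configures. The "set ike p1-proposal", "set ike p2-proposal", "set ike gateway" and "set vpn" line formats are an assumption modelled on ScreenOS CLI syntax, and SAMPLE_CONFIG is constructed for illustration, not captured from a real device.

```python
"""Audit a NetScreen-style config dump for IKE proposals whose configured ESP
cipher is weaker than, or different from, what their name advertises, then
list the VPNs that use them. Added example, not vendor code; line formats are
assumed ScreenOS-like syntax and SAMPLE_CONFIG is constructed, not real."""
import re

WEAK_CIPHERS = {"des", "null"}          # never acceptable, whatever the name says
# Tokens a proposal name may carry; "3des" is checked before "des" on purpose.
NAME_TOKENS = ("aes128", "aes192", "aes256", "3des", "des")

PROPOSAL_RE = re.compile(
    r'^set ike (?P<phase>p1|p2)-proposal "(?P<name>[^"]+)"\s+(?P<body>.*)$')
GATEWAY_RE = re.compile(
    r'^set ike gateway "(?P<gw>[^"]+)"\s.*\bproposal "(?P<prop>[^"]+)"')
VPN_RE = re.compile(
    r'^set vpn "(?P<vpn>[^"]+)"\s+gateway "(?P<gw>[^"]+)"\s.*\bproposal "(?P<prop>[^"]+)"')
# The ESP cipher actually configured on the proposal line (the source of truth).
CIPHER_RE = re.compile(r'\besp\s+(?P<cipher>aes128|aes192|aes256|3des|des|null)\b')


def claimed_cipher(name):
    """Cipher a proposal *name* advertises, e.g. 'esp-aes128-sha' -> 'aes128'."""
    low = name.lower()
    for tok in NAME_TOKENS:
        if tok in low:
            return tok
    return None


def parse_config(text):
    """Return (proposals{name:(phase,cipher)}, gateways{gw:p1}, vpns{vpn:(gw,p2)})."""
    proposals, gateways, vpns = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROPOSAL_RE.match(line)
        if m:
            c = CIPHER_RE.search(m.group("body"))
            proposals[m.group("name")] = (m.group("phase"), c.group("cipher") if c else None)
            continue
        m = GATEWAY_RE.match(line)
        if m:
            gateways[m.group("gw")] = m.group("prop")
            continue
        m = VPN_RE.match(line)
        if m:
            vpns[m.group("vpn")] = (m.group("gw"), m.group("prop"))
    return proposals, gateways, vpns


def bad_proposals(proposals):
    """Proposal name -> reason, for proposals that are weak or mislabelled.
    The advisory's case is an aes128 name with 'esp des' on the device line."""
    bad = {}
    for name, (_phase, actual) in proposals.items():
        claimed = claimed_cipher(name)
        if actual is None:
            bad[name] = "no recognised ESP cipher"
        elif actual in WEAK_CIPHERS:
            bad[name] = f"negotiates {actual}"
        elif claimed and claimed != actual:
            bad[name] = f"name claims {claimed}, negotiates {actual}"
    return bad


def affected_vpns(text):
    """VPN name -> reasons, for VPNs whose gateway (phase 1) or own (phase 2) proposal is flagged."""
    proposals, gateways, vpns = parse_config(text)
    bad = bad_proposals(proposals)
    result = {}
    for vpn, (gw, p2) in vpns.items():
        p1 = gateways.get(gw)
        reasons = [f"phase 1 {p1}: {bad[p1]}"] if p1 in bad else []
        if p2 in bad:
            reasons.append(f"phase 2 {p2}: {bad[p2]}")
        if reasons:
            result[vpn] = reasons
    return result


# Constructed sample: the two predefined aes128 proposals carry the advisory's
# mismatch (DES on the line), the "custom-*" proposals are the interim fix,
# the 3DES proposal is consistent, and the aes256 one is mislabelled (assumed).
SAMPLE_CONFIG = """
set ike p1-proposal "g2-aes128-sha" preshare group2 esp des sha-1 second 28800
set ike p2-proposal "esp-aes128-sha" group2 esp des sha-1 second 3600
set ike p1-proposal "custom-g2-aes128-sha" preshare group2 esp aes128 sha-1 second 28800
set ike p2-proposal "custom-esp-aes128-sha" group2 esp aes128 sha-1 second 3600
set ike p1-proposal "g2-3des-sha" preshare group2 esp 3des sha-1 second 28800
set ike p1-proposal "g2-aes256-md5" preshare group2 esp aes128 md5 second 28800
set ike gateway "branch-gw" address 203.0.113.10 Main outgoing-interface "ethernet3" preshare "redacted" proposal "g2-aes128-sha"
set ike gateway "hq-gw" address 203.0.113.20 Main outgoing-interface "ethernet3" preshare "redacted" proposal "custom-g2-aes128-sha"
set vpn "branch-vpn" gateway "branch-gw" no-replay tunnel idletime 0 proposal "esp-aes128-sha"
set vpn "hq-vpn" gateway "hq-gw" no-replay tunnel idletime 0 proposal "custom-esp-aes128-sha"
"""

if __name__ == "__main__":
    for vpn, reasons in sorted(affected_vpns(SAMPLE_CONFIG).items()):
        print(vpn)
        for reason in reasons:
            print("   ", reason)
```

Run against a saved configuration from each managed device (not against the policy as shown in Global PRO), since the manager is the component reporting the wrong algorithm. Every VPN the script lists is one that step (2) of the vendor workaround says must be moved to a custom AES128 proposal; re-running after the change, and after the 4.1.1 upgrade pushes corrected configurations, should produce an empty list.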
Vendor URL: www.netscreen.com/support/alerts/04_16_03_57226.html
Cause:
State error
Underlying OS:
UNIX (Solaris - SunOS)
Message History:
None.
Source Message Contents
Date: Wed, 16 Apr 2003 20:39:44 -0400
Subject: NetScreen Security Advisory 57226
http://www.netscreen.com/support/alerts/04_16_03_57226.html
NetScreen Security Advisory 57226
Max Risk: Medium
NetScreen reported that a vulnerability in Global PRO Policy Manager may result in weaker
IPSec tunnel security than intended.
Global PRO Policy Manager versions 4.0.0r1 through 4.0.0r5 and version 4.1.0r1 are affected.
According to the advisory, there is an error in the manager when creating definitions
for IPSec phase 1 and phase 2 proposals using the AES cryptographic algorithm. Instead of
using the AES128 algorithm, the managed NetScreen firewall/VPN devices will use the DES
algorithm. If you use a VPN on a NetScreen device that was configured by Global PRO using
the following predefined proposals, you are vulnerable: "g2-aes128-sha", "g2-aes128-md5",
"esp-aes128-sha", and "esp-aes128-md5".
The vendor plans to issue a fixed version (4.1.1) on May 15, 2003. Upgrading to the fixed
version will push out corrected configurations for existing VPNs.
Until the fix is available, NetScreen recommends the following [quoted for accuracy]:
"(1) Create custom proposals for IPSec phase 1 and phase 2 using AES128 as the
cryptographic algorithm.
(2) Update all affected VPN configurations to use these custom proposals.
(3) As soon as practical, upgrade your Global PRO to the maintenance release identified
below or a later version."
Registered users can obtain Global PRO at the following URL:
http://www.netscreen.com/support/updates.html