[NEWS] NetScreen ScreenOS Vulnerable to Trust Interface DoS Attack
From: support@securiteam.com
Date: 02/03/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 3 Feb 2002 00:20:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetScreen ScreenOS Vulnerable to Trust Interface DoS Attack
------------------------------------------------------------------------
SUMMARY
<http://www.netscreen.com/> NetScreen Technologies are the manufacturers
of some of the industry's highest quality VPN and firewall equipment.
Running a port scanner from inside the internal trusted network seems to
cause the product to stop serving any other legitimate requests.
DETAILS
Vulnerable systems:
ScreenOS version 2.6
Immune systems:
ScreenOS version 2.6.1
Someone within the trusted side of the network can attempt a portscan on
an external IP address. When the scan runs, it appears to consume all of
the available sessions. This, in turn, causes a DoS on the entire trusted
interface. The only way you can get your device to recover quickly is to
perform a reset. A recovery might be possible without a reset. This
exploit may or may not work on your device.
Workaround/Solution:
Upgrade to the latest ScreenOS, then utilize the "Source IP Session
Thresholding" feature by issuing the command:
    set firewall session-threshold source-ip-based [num]
This limits any one source IP from the trusted side to [num] number of
concurrent sessions. Since the 5XP can support 2048 concurrent sessions,
it would make sense to set the limit lower than that. We would recommend
the higher of the following two numbers as a starting point: 100, or
2048/n where n is the number of systems on your private side network. You
might want to check your flow counters to see if that is an acceptable
number, and modify accordingly.
How long these sessions remain active is user configurable.
ScreenOS has a default setting for session inactivity timeout of 30
minutes. Both pre-defined and custom services can be adjusted in timeout
value from 1 minute to 2 days. If you had waited 30 minutes, your
portscans to an unresponsive machine would have timed out and the sessions
would have been cleared for reuse. If you had scanned a machine that
responded to the scans (with either ICMP unreachable or RST), the session
would have closed immediately.
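
The effect of the per-source threshold and the inactivity timeout can be seen in a small model of a session table. This is an added example, not code from the advisory or from NetScreen: the class, the function names and the two 10.0.0.x hosts are constructed, and only the 2048-session capacity, the 30-minute timeout and the "higher of 100 or 2048/n" starting point come from the text above.

```python
# Added example: toy model of a firewall session table, not ScreenOS code.
CAPACITY = 2048          # concurrent sessions on the 5XP, per the advisory
IDLE_TIMEOUT = 30 * 60   # default inactivity timeout in seconds
SCANNER, USER = "10.0.0.5", "10.0.0.9"   # constructed trusted-side hosts

def recommended_threshold(hosts, capacity=CAPACITY, floor=100):
    """Advisory's starting point: the higher of 100 or capacity/n."""
    return max(floor, capacity // hosts)

class SessionTable:
    def __init__(self, per_source_limit=None):
        self.per_source_limit = per_source_limit   # None = no thresholding
        self.sessions = []                          # (source_ip, expires_at)

    def count(self, src):
        return sum(1 for s, _ in self.sessions if s == src)

    def open(self, src, now):
        """Admit a new session if the table and the source both have room."""
        # Idle sessions to an unresponsive target only leave on timeout.
        self.sessions = [(s, e) for s, e in self.sessions if e > now]
        if len(self.sessions) >= CAPACITY:
            return False
        limit = self.per_source_limit
        if limit is not None and self.count(src) >= limit:
            return False
        self.sessions.append((src, now + IDLE_TIMEOUT))
        return True

def simulate(per_source_limit, probes=3000):
    """SCANNER sends `probes` unanswered connections at t=0, then USER
    tries to connect one minute later and again after the idle timeout."""
    table = SessionTable(per_source_limit)
    for _ in range(probes):
        table.open(SCANNER, now=0)
    held = table.count(SCANNER)
    during = table.open(USER, now=60)
    after = table.open(USER, now=IDLE_TIMEOUT + 1)
    return held, during, after

if __name__ == "__main__":
    print("no threshold:  ", simulate(None))
    print("with threshold:", simulate(recommended_threshold(20)))
```

Each result is (sessions held by the scanning host, whether the second host connects during the scan, whether it connects after the timeout). The model does not cover targets that answer with ICMP unreachable or RST, where the session closes immediately.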
ADDITIONAL INFORMATION
The information has been provided by <mailto:clathem@skyhawke.com> Chris
Lathem and <mailto:Dkillion@netscreen.com> Dave Killion.