[NEWS] NetScreen Response to ScreenOS Port Scan DoS Vulnerability
From: support@securiteam.com To: list@securiteam.com Date: Wed, 6 Feb 2002 14:57:31 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetScreen Response to ScreenOS Port Scan DoS Vulnerability
------------------------------------------------------------------------
SUMMARY
As we reported in our previous article, NetScreen ScreenOS Vulnerable to
Trust Interface DoS Attack
(<http://www.securiteam.com/securitynews/5EP010K6AE.html>), running a port
scanner from inside the internal trusted network appears to exhaust the
device's session table, so that it no longer serves any other legitimate
requests. The following is the vendor's response to the issue.
DETAILS
The reported issue involves the initiation of a port scan, by a user
attached to the "Trust" interface of a NetScreen device, against a host
reachable via the "Untrust" interface. Such a scan can potentially consume
all available sessions, resulting in a denial of service attack against the
"Trust" network.
If a port scan were initiated against a host that responded to the scans
(with either ICMP unreachable or RST), the NetScreen device would
immediately close each of the sessions established during the port scan,
making them available for reuse. ScreenOS has a default session inactivity
timeout of 30 minutes; the timeout value of both pre-defined and custom
services can be adjusted from 1 minute to 2 days. After the default 30
minutes (or whatever interval the administrator has configured), the
sessions from a port scan against an unresponsive host will time out and
their entries in the NetScreen session table will be cleared for reuse.
This problem can occur more quickly on NetScreen devices that have smaller
session tables. For example, the NetScreen-5XP has a maximum of 2,048
sessions, and the NetScreen-1000 has a maximum of 500,000 sessions.
Obviously, the session table on a NetScreen-5XP will be consumed faster
than on a NetScreen-1000.
NetScreen released new features that addressed this issue in several
ways beginning in September 2001. One feature, called Source IP Session
Thresholding, can be used to mitigate the likelihood of this issue arising
in the first place. This feature was introduced as a CLI command in
ScreenOS version 2.6.1r2, and has been incorporated into the WebUI
starting with ScreenOS version 3.0.
The command:
    set firewall session-threshold source-ip-based [num]
limits any one source IP on the trusted side to [num] concurrent
sessions. Since the NetScreen-5XP supports 2,048 concurrent sessions,
NetScreen recommends the higher of the following two numbers as a
starting point: 100, or 2048/n, where "n" is the number of systems on
the "Trust" side network. Administrators are advised to check their flow
counters to see whether that is an acceptable number, and modify it
accordingly.
Next, releases of ScreenOS 3.0.0 and later allow the administrator to
forcibly clear sessions based on characteristics of those sessions such as
source IP address, destination IP address, source port, destination port,
source MAC address, and/or destination MAC address.
For example, the command
    clear session dst-ip <a.b.c.d>
will clear all active sessions to destination IP address a.b.c.d from the
NetScreen active session table. This command can be used to recover from a
runaway port scan without waiting for all sessions to age out and without
resetting the NetScreen device.
Lastly, ScreenOS 3.1.0 and later allow the administrator to enable
firewall protections, including port scan protections, on any interface.
NetScreen recommends that all customers upgrade to the latest version of
ScreenOS supported by their hardware and then enable one or all of the
above features to minimize the likelihood of being affected by this issue.
The latest currently available versions of ScreenOS at the time of this
writing for each NetScreen device are:

    Hardware         ScreenOS release
    NetScreen-5      2.6.1r6
    NetScreen-5XP    3.0.1r1
    NetScreen-10     3.0.1r1
    NetScreen-25     3.0.0r1
    NetScreen-50     3.0.0r1
    NetScreen-100    3.0.1r1
    NetScreen-204    3.1.0r1
    NetScreen-208    3.1.0r1
    NetScreen-500    3.1.0r1
    NetScreen-1000   2.8.0r1
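The following is an added example, not NetScreen code and not part of the vendor response: a small Python model of the stateful session table described above, used to show why a scan against a silent host holds entries for the full inactivity timeout while a host that answers with RST or ICMP unreachable frees them at once, how the "set firewall session-threshold source-ip-based [num]" limit keeps one Trust host from starving the others, and what "clear session dst-ip" recovers. The only figures taken from the advisory are the 2,048-entry table of a NetScreen-5XP, the 30-minute default timeout and the recommended starting threshold of max(100, 2048/n). The class names, the 3,000-port scan, the host addresses and the one-entry-per-flow simplification (no TCP state tracking) are constructed assumptions.

```python
"""Model of ScreenOS session-table exhaustion by a Trust-side port scan.

Added example; not NetScreen code. Figures from the advisory: 2,048 sessions
(NetScreen-5XP), 30-minute default timeout, threshold = max(100, 2048/n).
Everything else (addresses, port counts, class names) is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

TABLE_MAX_5XP = 2048          # advisory: NetScreen-5XP session table size
DEFAULT_TIMEOUT_S = 30 * 60   # advisory: default session inactivity timeout


def recommended_threshold(table_max: int, n_trust_hosts: int) -> int:
    """Starting point given in the advisory: the higher of 100 or table_max/n."""
    return max(100, table_max // n_trust_hosts)


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass
class SessionTable:
    capacity: int
    timeout_s: int = DEFAULT_TIMEOUT_S
    per_source_limit: Optional[int] = None   # None: threshold not configured
    sessions: Dict[Session, int] = field(default_factory=dict)  # entry -> last activity
    dropped_threshold: int = 0
    dropped_full: int = 0

    def _count_for(self, src_ip: str) -> int:
        return sum(1 for s in self.sessions if s.src_ip == src_ip)

    def open(self, sess: Session, now: int) -> bool:
        """Admit a new Trust->Untrust flow; False if it was refused."""
        if sess in self.sessions:            # existing flow, just refresh
            self.sessions[sess] = now
            return True
        if (self.per_source_limit is not None
                and self._count_for(sess.src_ip) >= self.per_source_limit):
            self.dropped_threshold += 1      # source-ip-based threshold hit
            return False
        if len(self.sessions) >= self.capacity:
            self.dropped_full += 1           # table exhausted: the DoS condition
            return False
        self.sessions[sess] = now
        return True

    def close(self, sess: Session) -> None:
        """Target answered (RST / ICMP unreachable): entry freed immediately."""
        self.sessions.pop(sess, None)

    def age_out(self, now: int) -> int:
        """Drop entries idle for timeout_s or longer; returns how many went."""
        stale = [s for s, t in self.sessions.items() if now - t >= self.timeout_s]
        for s in stale:
            del self.sessions[s]
        return len(stale)

    def clear_dst_ip(self, dst_ip: str) -> int:
        """Model of 'clear session dst-ip <a.b.c.d>'; returns entries removed."""
        victims = [s for s in self.sessions if s.dst_ip == dst_ip]
        for s in victims:
            del self.sessions[s]
        return len(victims)


def run_scan(table: SessionTable, scanner_ip: str, target_ip: str, ports,
             target_responds: bool, now: int = 0) -> int:
    """Probe each port once; a responding target closes each entry as it answers.
    Returns the number of entries still held when the scan finishes."""
    for i, port in enumerate(ports):
        sess = Session(scanner_ip, target_ip, 40000 + i, port)
        if table.open(sess, now) and target_responds:
            table.close(sess)
    return len(table.sessions)


def scenario(per_source_limit: Optional[int]):
    """Constructed case: one Trust host scans 3,000 ports on a silent Untrust
    host, then a second Trust host tries to open a normal web session.
    Returns (entries held by the scan, whether the web session was admitted, table)."""
    table = SessionTable(capacity=TABLE_MAX_5XP, per_source_limit=per_source_limit)
    held = run_scan(table, "10.0.0.5", "203.0.113.9", range(1, 3001), target_responds=False)
    web = Session("10.0.0.7", "198.51.100.20", 50000, 80)
    admitted = table.open(web, now=1)
    return held, admitted, table


if __name__ == "__main__":
    for limit in (None, recommended_threshold(TABLE_MAX_5XP, 10)):
        held, admitted, t = scenario(limit)
        print(f"threshold={limit}: scan holds {held} entries, "
              f"other host admitted={admitted}, refused(full)={t.dropped_full}, "
              f"refused(threshold)={t.dropped_threshold}")
```

Running the unmodified scenario fills all 2,048 entries and the second host's web session is refused; with the threshold set to the advisory's starting value for ten Trust hosts (204) the scan is capped at 204 entries and the other host gets through. The model also shows that a threshold alone does not free entries already held: for that, either the timeout has to elapse (age_out) or the administrator clears them by destination (clear_dst_ip). When picking [num] on real hardware, compare it against the flow counters the advisory mentions rather than trusting the 2048/n arithmetic blindly.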
ADDITIONAL INFORMATION
The information has been provided by Mike Kouri <mailto:mkouri@netscreen.com>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.