[NEWS] Potential H.323 Denial of Service in NetScreen

From: support@securiteam.com
Date: 11/26/02

  • Next message: support@securiteam.com: "[NEWS] 'Malicious-URL' Feature may be Circumvented Using IP Fragmentation in NetScreen" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 27 Nov 2002 00:56:04 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Potential H.323 Denial of Service in NetScreen
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability has been reported and confirmed regarding the processing
    of H.323 control sessions that can lead to the consumption of all firewall
    session table entries, resulting in denial of service to the protected
    network resources.

    This vulnerability only exists in ScreenOS versions 2.8 and later.

    Half-open sessions were not reclaimed at normal garbage collection
    intervals, but persisted in the session table until the defined H.323
    session timeout interval, typically 36 hours.

    This vulnerability only affects configuration which explicitly permits the
    forwarding of traffic identified using the predefined services named H.323
    or NetMeeting. The attack must match the permitted traffic flow,
    constraining the attacker to security zones permitted to initiate H.323
    traffic. Since the source IP can easily be spoofed, matching the exact
    attacker within the permitted security zone can be difficult to
    impossible.

    DETAILS

    Vulnerable systems:
     * ScreenOS 2.8
     * ScreenOS 3.0
     * ScreenOS 3.1
     * ScreenOS 4.0

    Immune systems:
     * ScreenOS 4.0.1

    Recommended Actions:
    Any or all of

    (1) Install one of the maintenance releases indicated below.

    (2) Upgrade to ScreenOS 4.0.1

    (3) Block H.323 traffic. If this is not feasible, carefully re-examine
    your defined security policies using H.323 to minimize exposure to
    unanticipated sessions.

    (4) Adjust the H.323 session timeout to the lowest feasible value for your
    environment and tolerances.

    Release Schedule:
    For a complete release schedule, please visit:
     
    <http://www.netscreen.com/support/alerts/Potential_H_323_Denial_of_Service.html> http://www.netscreen.com/support/alerts/Potential_H_323_Denial_of_Service.html

    How to Get ScreenOS:
    If you have registered your product with NetScreen and have a valid
    service contract, you can simply download the software from:
    <http://www.netscreen.com/support/updates.html>
    http://www.netscreen.com/support/updates.html

    You will be prompted for your User ID and Password. Enter the whole or
    part of your company name as your User ID and enter your registered
    NetScreen device serial number as the password.

    If you have not yet registered your product with NetScreen, you will need
    to contact NetScreen Technical Support for special instructions on how to
    obtain the fixed software. NetScreen Technical Support is available 24
    hours a day, 365 days a year. Contact information can be located at
    <http://www.netscreen.com/support/technical_assistance.html>
    http://www.netscreen.com/support/technical_assistance.html

    Please reference this Advisory title as evidence of your entitlement to
    the fixed software version.

    NetScreen authorized Value Added Resellers have access to NetScreen
    software versions and may also be a channel through which to obtain the
    new release.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:security-alert@netscreen.com> NetScreen Security Response Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

    Relevant Pages