Authentication Vulnerability in NetScreen ScreenOS

From: HedgeHog (hedgehog703_at_comcast.net)
Date: 06/25/03

    Date: Tue, 24 Jun 2003 21:14:40 -0700
    To: bugtraq@securityfocus.com

    Authentication Vulnerability in NetScreen ScreenOS

    Versions affected: ScreenOS 4.0.2r2.0 - possibly all versions

    Summary of problem: NetScreen firewalls have a feature that if
    enabled, requires users to provide a username and password to access
    resources and services behind a firewall, such as http (80/tcp).
    However, after a user is authenticated, anyone else may also access
    the protected services if they originate from the same source IP
    address (NAT'd network). The authentication mechanism is designed to
    authenticate based on source-ip address only. This can expose
    protected systems to unauthorized access if it is enabled.

    After searching through the NetScreen documentation, I was unable to
    find any warning about this. NetScreen does not inform the firewall
    administrator of this design.

    Thus, we contacted NetScreen. Below is the request to and the reply
    from NetScreen Support.

    I am posting this so that anyone that uses this sort of authentication
    on the Netscreen is aware of this problem.

    REQUEST FOR ASSISTANCE FROM NETSCREEN:
    --------------------------------------
    Submitted 05/23/2003

    I am running ScreenOS 4.0.2r2.0. I use the feature for user
    authentication via local DB. I have discovered that if a valid user
    connects to my network, and is properly authenticated by the
    NetScreen, and if that user is originating from a NATed network, then
    my NetScreen will proceed to allow anybody else coming from that same
    NATed source network.
    This exposes my systems to attack and possible compromise from others
    on that NATed network who might happen to attempt connections to my
    systems (covered in the associated policies).

    Maybe this has been corrected in more recent versions of ScreenOS. If
    so, then I have difficulties, since my 90 day access to software
    upgrades has lapsed.

    Maybe there is some additional configuration setting that I must use
    in order to address this.

    Your help would be appreciated. Thanks.

    RESPONSE FROM NETSCREEN:
    ------------------------
    Received 05/23/2003

    Dear Valued Customer,

    Thank you for contacting us at the NetScreen Technical Assistance
    Center.

    The current authentication mechanism is designed to authenticate based
    on source-ip address only. So if multiple users access NetScreen from
    the same source-ip, then once the NetScreen authenticates the first
    user, an Authentication session is established and the NetScreen will
    allow all the other users access without authenticating since they
    have the same source-ip address.

    That means other users from the same LAN can go through without being
    challenged for authentication. Unfortunately, there is no workaround
    for this. If authentication is required in this topology, it is
    recommended that authentication occur at the first NAT device, before
    it reaches the NetScreen. You can find more information regarding the
    same issue on the following URL:

    http://services.netscreen.com/eserverweb/esupport_customer/consumer/esupport.asp?id=nskb980

    Thank you.

    Technical Assistance Center-eSupport Division
    NetScreen Technologies, Inc.
    408-543-2100 Main
    877-638-7273 technical support
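The behaviour NetScreen describes above (an authentication session keyed on the source IP alone, so every later connection from a NAT'd address rides on the first user's login) is easy to see in a small model. The following is an added illustration written for this archive page, not ScreenOS code and not anything from NetScreen; the class names, the local user database and the 203.0.113.7 NAT address are all constructed. It places the source-IP-keyed policy beside a variant that binds the authenticated state to the individual TCP flow, so a second host behind the same NAT is challenged on its own.

```python
# Model of source-IP-keyed authentication (the reported ScreenOS design) next to
# a per-flow variant. Added illustration; not ScreenOS code. All names, the user
# database and the addresses below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the firewall's "local DB" of users.
LOCAL_DB = {"alice": "s3cret"}


@dataclass(frozen=True)
class Flow:
    """One TCP connection arriving at the firewall."""
    src_ip: str
    src_port: int
    dst_port: int
    creds: Optional[Tuple[str, str]] = None  # (user, password) offered on this flow, if any


def creds_valid(creds: Optional[Tuple[str, str]]) -> bool:
    """Check offered credentials against the constructed local user DB."""
    return creds is not None and LOCAL_DB.get(creds[0]) == creds[1]


class SourceIpAuth:
    """Once any user from an address authenticates, every later flow from that
    address is admitted until the auth session ends: the behaviour in the post."""

    def __init__(self) -> None:
        self.auth_sessions: Dict[str, str] = {}  # src_ip -> user who authenticated

    def allow(self, f: Flow) -> bool:
        if f.src_ip in self.auth_sessions:
            return True  # no challenge: the address already has a session
        if creds_valid(f.creds):
            self.auth_sessions[f.src_ip] = f.creds[0]
            return True
        return False


class PerFlowAuth:
    """Alternative policy (illustrative, not a ScreenOS option): authenticated
    state is bound to the (src_ip, src_port) pair that presented credentials,
    so another host behind the same NAT must authenticate itself."""

    def __init__(self) -> None:
        self.auth_flows = set()

    def allow(self, f: Flow) -> bool:
        key = (f.src_ip, f.src_port)
        if key in self.auth_flows:
            return True
        if creds_valid(f.creds):
            self.auth_flows.add(key)
            return True
        return False


def run_scenario(policy) -> Dict[str, bool]:
    """alice logs in from behind a NAT; a second host behind the same NAT then
    reaches the same protected service (new source port, no credentials)."""
    nat_ip = "203.0.113.7"  # constructed NAT egress address shared by both hosts
    alice = Flow(nat_ip, 40001, 80, creds=("alice", "s3cret"))
    other_host = Flow(nat_ip, 40002, 80)  # offers no credentials at all
    wrong_pw = Flow("198.51.100.9", 40003, 80, creds=("alice", "nope"))
    return {
        "alice": policy.allow(alice),
        "other_host": policy.allow(other_host),
        "wrong_password": policy.allow(wrong_pw),
    }


if __name__ == "__main__":
    print("source-IP keyed:", run_scenario(SourceIpAuth()))
    print("per-flow keyed: ", run_scenario(PerFlowAuth()))
```

Under the source-IP policy the second host is admitted without ever presenting credentials, which is exactly the exposure the post reports; the per-flow variant denies it. The trade-off the model makes visible is that flow-bound state also re-challenges the legitimate user on each new connection, which is why the vendor's advice is to authenticate at the NAT device itself, where individual hosts are still distinguishable.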

