RE: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS

[Alexander Poizner <APoizner () hipinteractive com>]

        It is a well known problem for many of the firewall appliances
including Sonicwall, Netscreen, PIX etc. The problem is that the traffic on
trusted network interface is partially assumed secure. 
        If firewall uses port translation for the outgoing connection they
are of course limited by <2^16 ports per IP once all of them are used, you
are in trouble. Of course if the firewall is well designed, it will tell you
in a log that maximum # of connections is reached and it will not allow
connection to management interface until there will be available connection.

        Some firewalls of course will just shut down management interface
like did the Sonicwall up until about a year ago. This IS a bug and should
be fixed, however other than that there is not much you can do. Some
firewalls can have multiple IP addresses just for increasing maximum # of
connections. If maximum number of connections specified is exceeded - that
is a problem of system administrator.
        Higher end firewalls have some QoS algorithms implemented to protect
you from that condition though. Also in some implementation you might get
away with using NAT for the host that will produce large amount of
connections - but then you got physical limitations of different memory
levels.

Regards,

Alexander Poizner
Systems Security Engineer
HIP Interactive Corp.
(416) 249-7555 x206


-----Original Message-----
From: Chris Lathem [mailto:clathem () skyhawke com] 
Sent: Friday, February 01, 2002 10:07
To: bugtraq () securityfocus com
Subject: NetScreen ScreenOS 2.6 Subject to Trust Interface DoS



Problem: NetScreen ScreenOS 2.6.1 subject to Trust 
Interface DoS Attack

Company Info: NetScreen Technologies are the 
manufacturers of some of the industry's highest 
quality VPN and firewall equipment. For more 
information please see http://www.netscreen.com.

What's affected: The ScreenOS is the heart of the 
NetScreen products. This allows for the firewall 
configuration/management. Apparently all versions 
before ScreenOS 3.1 are affected. This vulnerability 
can only occur from within the "trusted" network, or 
from a machine connected to the "trust" interface. 
External attempts will not cause any problems/DoS.

Exploit: Someone within the trusted side of the 
network can attempt a portscan on an external IP 
address. When the scan runs it appears to consume 
all of the available sessions. This, in turn, causes a 
DoS to the entire trusted interface. The only way I got 
my device to recover quickly was to perform a reset. 
A recovery might be possible without a reset, but 
after about 5 minutes of waiting, mine never 
recovered. This exploit may or may not work on your 
device. My testing was performed on a NetScreen 5. 
The higher-end, more pricier models may take longer 
to "eat up" all the available sessions, thus taking 
longer for a DoS to occur. 

I have contacted NetScreen in regards to the issue. I 
received a response back that the problem is a 
known issue. It has been addressed in ScreenOS 
3.1. An update to ScreenOS 3.1 is available for 
anyone with a NetScreen 200 or 500. For all other 
models, the update to ScreenOS 3.1 will be available 
on April 1, 2002.

I'd love to hear if anyone else has noticed this, or if 
other models are affected by this issue.

Cheers,
Chris Lathem
chris () lathemonline com
http://www.lathemonline.com