Netscreen Malicious URL feature can be bypassed by fragmenting the request

["zel" <zel () firewallmonkeys com>]

Netscreen Malicious URL feature can be bypassed by fragmenting the request
http://www.cirt.net/advisories/netscreen.shtml

Product Description:
NetScreen Technologies Inc. is a leading developer of integrated network
security solutions that offer the security, performance and total cost of
ownership required by enterprises and carriers. NetScreen's innovative
solutions provide key security technologies, such as virtual private
network, denial of service protection, firewall and intrusion prevention, in
a line of easy-to-manage security appliances and systems.  NetScreen has
created a new function to assist in the containment of malicious worms
called the "User-Definable Malicious URL" feature.  This will cause
requests to be blocked that match the defined pattern.

Event Description:
> From the command line a firewall administrator can define a Malicious URL
pattern to be blocked.  However, if a segmented request for a blocked
pattern is fragmented in the middle of the pattern, it will not be matched.
This can be accomplished using a tool such as fragroute available at
http://www.monkey.org/~dugsong/fragroute/

Risk Explanation:
The product does not function properly to help contain malicious worms

Applications Affected:
Tested on NS-100, SW v3.0.1r2.0, HW Version: 3110

Solution:
Upgrade to ScreenOS 4.0.1 release, which addresses the circumvention of the
Malicious URL feature using IP fragments.  Netscreen will make the release
available to their customers by 1:00PM on Monday (11/25/2002).

Timeline:
- The problem was reported to Netscreen via E-Mail on Tuesday, October 08,
2002 11:23 PM.
- Another email was sent to Netscreen vial E-Mail on Tuesday, November 12,
2002 12:35 AM
- Response #1 was received acknowledging the issue on Thursday, November 14,
2002 9:25 PM
- Response #2 was received will the solution on Saturday, November 23, 2002
5:44 PM

Vendor Status:
Response #1: "NetScreen has received your e-mail regarding the Malicious URL
feature and we are currently in the process of developing a formal response
to this issue.  We are also readying changes to our product addressing this
issue which will be included in the upcoming ScreenOS 4.0.1 release.  We
request that you delay publicly announcing this issue until we have
officially released that software. We intend to release ScreenOS 4.0.1
before Thanksgiving.  We will contact you before the release date to
coordinate our announcements. Thank you for your cooperation."

Response #2: "We have finished the ScreenOS 4.0.1 release, which addresses
the circumvention of the Malicious URL feature using IP fragments.  We are
making the release available to our customers by 1:00PM on Monday (11/25).
We will be releasing a formal statement to bugtraq and CERT approximately 15
minutes later (at 1:15PM.)  If you will release an announcement of your own,
please refrain from sending them prior to our 11/25 1:00PM release date.  We
are delaying our alerts by 15 minutes in order for your announcement to
appear first. Thank you again for cooperating with our release schedule."

Contacts:
zel () firewallmonkeys com
zel () cirt net