COMMAND
NetScreen Firewall
SYSTEMS AFFECTED
ScreenOS release 1.73r1 on the NetScreen-1000
ScreenOS release 2.01r6 on the NetScreen-10/100
ScreenOS release 2.10r3 on the NetScreen-5
ScreenOS release 2.5r1 on the NetScreen-5/10/100
PROBLEM
The following is based on NSFOCUS Security Advisory SA2001-01.
The NSFOCUS security team has found a buffer overflow vulnerability
in the NetScreen Firewall WebUI. By exploiting this vulnerability,
a malicious user can launch a remote DoS attack that crashes the
firewall.
NetScreen Firewall is a popular commercial firewall. It has a Web
administration interface (listening on port 80 by default) that
allows the firewall administrator to configure the firewall with a
browser. However, it lacks a length check on the input URL. Given
an oversized URL request, a buffer overflow may take place that
will crash the NetScreen firewall. In that case, all connections
through the firewall will be dropped, and the firewall won't
respond to any connection request. Rebooting the firewall is
required to restore its functions.
Attackers can launch the attack without logging in to the firewall.
All current versions of ScreenOS, including 1.73r1, 2.0r6, 2.1r3
and 2.5r1, are affected by this vulnerability when the WebUI has
been enabled.
Once the input URL is longer than 1220 bytes, the NetScreen
firewall will crash:
$ echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n" | nc netscreen_firewall 80
The following information will appear on the firewall console:
****************************** EXCEPTION ******************************
Bus error execption (data reference: load or store)
EPC = 0x8009AA1C, SR = 0x34501007, Cause = 0x0080001C
Firewall halts now.
SOLUTION
Disable WebUI management or designate a trusted administration
host until the relevant patch has been obtained and installed. On
12/26/2000 NetScreen issued the following ScreenOS release
versions to fix the bug:
ScreenOS 1.73r2 on the NetScreen-1000
ScreenOS 2.10r4 on the NetScreen-5
ScreenOS 2.01r7 on the NetScreen-10/100
ScreenOS 2.5.0r2 on the NetScreen-5/10/100
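Added example (not part of the NSFOCUS advisory or of NetScreen's code): a Python check that a sensor or proxy in front of the WebUI could run to flag requests matching the conditions described above, namely an oversized URL sent to port 80 and a source other than the trusted administration host. The record layout, ALERT_LEN and the addresses are assumptions made for illustration.

```python
import ipaddress

# Values from the advisory.
WEBUI_PORT = 80        # default WebUI listening port
CRASH_LEN = 1220       # URLs longer than this crashed the firewall
# Assumptions for this example (not from the advisory).
ALERT_LEN = 1024       # alert threshold kept below CRASH_LEN for margin
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("192.0.2.10/32")]  # hypothetical admin host


def url_length(request_line):
    """Byte length of the request target, or of the whole line if unparsable."""
    parts = request_line.strip().split(" ")
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return len(parts[1].encode("utf-8"))
    return len(request_line.encode("utf-8"))


def classify(src_ip, dst_port, request_line):
    """Return findings for one request observed in front of the firewall."""
    if dst_port != WEBUI_PORT:
        return []
    findings = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_ADMIN_NETS):
        findings.append("untrusted-source")
    n = url_length(request_line)
    if n > ALERT_LEN:
        findings.append("oversized-url")
    if n > CRASH_LEN:
        findings.append("exceeds-advisory-limit")
    return findings


def scan(records):
    """Return (src_ip, findings) for every record with at least one finding."""
    results = ((src, classify(src, port, line)) for src, port, line in records)
    return [(src, f) for src, f in results if f]


# Constructed sample records: (source IP, destination port, request line).
SAMPLE = [
    ("192.0.2.10", 80, "GET /index.html HTTP/1.0"),
    ("198.51.100.7", 80, "GET /index.html HTTP/1.0"),
    ("198.51.100.7", 80, "GET /" + "A" * 1300 + " HTTP/1.0"),
    ("192.0.2.10", 80, "GET /" + "B" * 1100 + " HTTP/1.0"),
]
```

Calling scan(SAMPLE) returns the three records that need attention; the request from the trusted host with a normal URL produces no finding.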