COMMAND

    NetScreen Firewall

SYSTEMS AFFECTED

    ScreenOS release 1.73r1 on the NetScreen-1000
    ScreenOS release 2.01r6 on the NetScreen-10/100
    ScreenOS release 2.10r3 on the NetScreen-5
    ScreenOS release 2.5r1  on the NetScreen-5/10/100

PROBLEM

    The following is based on NSFOCUS Security Advisory SA2001-01.
    The NSFOCUS security team has found a buffer overflow vulnerability
    in the NetScreen Firewall WebUI. By exploiting this vulnerability,
    a malicious user can launch a remote DoS attack that crashes the
    firewall.

    NetScreen Firewall is a popular commercial firewall. It has a Web
    administration interface (listening on port 80 by default) that
    allows the firewall administrator to configure the firewall with a
    browser. However, it lacks a length check on the input URL. Given
    an oversized URL request, a buffer overflow may take place that
    crashes the NetScreen firewall. In that case, all connections
    through the firewall are dropped, and the firewall does not respond
    to any connection request. The firewall must be rebooted to regain
    its functions.

    Attackers can launch the attack without logging in to the firewall.

    All current versions of ScreenOS, including 1.73r1, 2.0r6, 2.1r3
    and 2.5r1, are affected by this vulnerability when the WebUI has
    been enabled.

    Once the input URL is longer than 1220 bytes, the NetScreen
    firewall will crash:

        $ echo -e "GET /`perl -e 'print "A"x1220'` HTTP/1.0\n\n"|nc netscreen_firewall 80

    The following information will appear on the firewall console:

        ****************************** EXCEPTION ******************************
        Bus error execption (data reference: load or store)

        EPC   = 0x8009AA1C,   SR    = 0x34501007,   Cause = 0x0080001C

    Firewall halts now.
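
    For detection, the length condition described above can be checked
    against requests seen heading for the management interface. The
    following is an added example, not part of the NSFOCUS advisory or
    any NetScreen code. It assumes raw request bytes are available per
    source address and that the URL length is measured on the whole
    request-target including the leading "/"; the function names and
    the sample traffic are constructed for illustration.

```python
URL_LIMIT = 1220  # bytes; the figure given in the advisory


def parse_request_line(raw):
    """Return (method, target, version) or None if the first line is not
    a three-part HTTP request line."""
    first = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = first.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(parts)


def find_oversized(requests, limit=URL_LIMIT):
    """Return one finding per request whose target exceeds `limit` bytes.

    `requests` is an iterable of (source_ip, raw_request_bytes) pairs.
    A first line that does not parse but is itself over the limit is
    reported as malformed rather than silently skipped.
    """
    findings = []
    for src, raw in requests:
        parsed = parse_request_line(raw)
        if parsed is None:
            length = len(raw.split(b"\n", 1)[0].rstrip(b"\r"))
            malformed = True
        else:
            length = len(parsed[1])
            malformed = False
        if length > limit:
            findings.append({"src": src, "url_len": length, "malformed": malformed})
    return findings


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE = [
    ("192.0.2.10", b"GET /index.html HTTP/1.0\r\n\r\n"),
    ("192.0.2.11", b"GET /" + b"a" * 1219 + b" HTTP/1.0\r\n\r\n"),  # exactly 1220
    ("192.0.2.77", b"GET /" + b"A" * 1220 + b" HTTP/1.0\n\n"),      # 1221 bytes
    ("192.0.2.78", b"B" * 2000 + b"\r\n\r\n"),                      # no method/version
]

if __name__ == "__main__":
    for finding in find_oversized(SAMPLE):
        print(finding)
```

    Passing a lower limit than 1220 also surfaces long requests that
    fall short of the crash length.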

SOLUTION

    Disable WebUI management, or designate a trusted administration
    host, until the relevant patch has been obtained and installed. On
    12/26/2000 NetScreen issued the following ScreenOS release
    versions to fix the bug:

        ScreenOS 1.73r2  on the NetScreen-1000
        ScreenOS 2.10r4  on the NetScreen-5
        ScreenOS 2.01r7  on the NetScreen-10/100
        ScreenOS 2.5.0r2 on the NetScreen-5/10/100