COMMAND

   NetScreen

SYSTEMS AFFECTED

    ScreenOS release 1.64, 1.66, 2.01, and 2.5

PROBLEM

    Following is based on a NetScreen list notice. An issue has been
    discovered (bug ID 8166) in all current versions of ScreenOS
    software (ScreenOS releases 1.64, 1.66, 2.01, and 2.5) for
    NetScreen-10 and NetScreen-100 systems. The condition allows
    traffic that should be blocked by the policy configuration, under
    certain circumstances, to reach the DMZ network. Security for the
    trusted network is not affected; the vulnerability does not allow
    "denied" traffic to reach the trusted network. It appears that
    there is no way to exploit this vulnerability to execute arbitrary
    commands on the device.

    The condition exists in all modes of operation on the NetScreen-10
    and NetScreen-100 when the DMZ is active for network traffic. The
    vulnerability manifests itself only after specific traffic patterns
    have been present for some time. The result is that some packets
    that are denied by the policy configuration are in fact allowed to
    pass to the DMZ network. It does not allow all denied packets to
    pass; only a select few packets may incorrectly be passed.

    To date no malicious exploitation of the vulnerability has been
    reported.

    If you or your customers are using a NetScreen-10 or NetScreen-100
    security appliance running a release of version 1.64, 1.66, 2.0, or
    2.5 of the device's software, then you are affected. If you or your
    customers have any previous version of the appliance software, then
    you may also be susceptible, but it has not been tested.

    The severity of the impact will vary based upon the device
    configuration and environment. Though these conditions are rare in
    most networks, administrators of all affected devices and
    configurations are advised to assume the vulnerability could affect
    their network and to take action immediately to eliminate it. The
    vulnerability could be exploited to pass undesirable traffic to the
    DMZ network, potentially impacting systems on that network.

SOLUTION

    A software fix has been created for this vulnerability and has been
    made available to all affected customers. The impact is considered
    medium, and NetScreen strongly encourages all affected users to
    update their version immediately.

    All previously released versions of ScreenOS for NetScreen-10 and
    NetScreen-100 are susceptible to the vulnerability. The problem has
    been resolved in the following versions of ScreenOS:

        Version        Resolved In
        1.6x           1.66r2 for NetScreen-10 and NetScreen-100
        2.0            2.01r8 for NetScreen-10 and NetScreen-100
        2.5            2.5.0r6 for NetScreen-10 and NetScreen-100
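    The following Python script is an added example, not part of the
    advisory or of NetScreen's software. It turns the table above into
    an inventory check: given a list of appliances and the ScreenOS
    version each one reports, it decides whether each device is at or
    beyond the fixed release for its train. It assumes version strings
    in the form shown in the table (numeric components separated by
    dots, with an optional "rN" build suffix, so "2.01" is read as
    components 2 and 1), assumes a train is identified by the leading
    digits of the version string ("1.6" for 1.64 and 1.66, "2.0" for
    2.01, "2.5" for 2.5), and the hostnames and versions in the sample
    inventory are constructed.

```python
import re

# Fixed-in releases from the advisory's table, keyed by release train.
# Train keys are matched as string prefixes of the reported version
# (assumption: "1.6x" means any version string starting with "1.6").
FIXED_IN = {
    "1.6": "1.66r2",
    "2.0": "2.01r8",
    "2.5": "2.5.0r6",
}

# major.minor[.patch...] with an optional "r<build>" suffix (assumed format)
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:r(\d+))?$")


def parse_version(text):
    """Return (numeric components, build number) for a ScreenOS version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised ScreenOS version string: %r" % text)
    components = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return components, build


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b.

    Shorter component tuples are zero-padded so "2.5" == "2.5.0" before
    the build number is considered.
    """
    comps_a, build_a = parse_version(a)
    comps_b, build_b = parse_version(b)
    width = max(len(comps_a), len(comps_b))
    key_a = (comps_a + (0,) * (width - len(comps_a)), build_a)
    key_b = (comps_b + (0,) * (width - len(comps_b)), build_b)
    return (key_a > key_b) - (key_a < key_b)


def assess(version):
    """Classify a reported version as ('train', 'fixed'|'vulnerable') or (None, 'untested').

    'untested' mirrors the advisory: releases outside the listed trains
    were not tested, so they should be treated as potentially susceptible.
    """
    # Longest matching train prefix wins, so a future "2.50" style string
    # would not silently be folded into the "2.5" train by accident.
    train = max((t for t in FIXED_IN if version.startswith(t)), key=len, default=None)
    if train is None:
        return None, "untested"
    if compare_versions(version, FIXED_IN[train]) >= 0:
        return train, "fixed"
    return train, "vulnerable"


def audit(inventory):
    """Return a list of (host, version, train, status) rows for an inventory."""
    rows = []
    for host, version in inventory:
        train, status = assess(version)
        rows.append((host, version, train, status))
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("fw-edge-1", "1.64"),
        ("fw-edge-2", "1.66r2"),
        ("fw-dmz-1", "2.01r7"),
        ("fw-dmz-2", "2.5.0r6"),
        ("fw-lab-1", "1.5"),
    ]
    for host, version, train, status in audit(sample):
        print("%-10s %-8s train=%-4s %s" % (host, version, train, status))
```

    A device reported as "untested" is outside the three trains in the
    table; the advisory says such releases may also be susceptible, so a
    defender should treat that result the same as "vulnerable" until the
    device is upgraded.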