Title: NetScreen Security Alert 51897 Date: 25 November 2002 Description: Predictable TCP Initial Sequence Numbers Impact: Circumvention of Defined Security Policies Affected Products: All firewall/VPN appliances and systems Affected Software Releases: ScreenOS 1.7, 2.6, 2.8, 3.0, 3.1, 4.0 Summary: A vulnerability has been reported and confirmed in the algorithms generating TCP initial sequence numbers that makes their selection predictable. This vulnerability is present in ScreenOS 4.0.0 and all prior released versions of ScreenOS. Predictable TCP ISNs and IP spoofing may be used to gain access to TCP applications or services that use IP address based authentication. A considerable amount of information regarding this topic can be found at http://www.cert.org/advisories/CA-2001-09.html The vulnerability is exploitable on TCP connections to and from the NetScreen device itself. The vulnerability is also exploitable on TCP connections that match policies requiring authentication, and on connections forwarded through the device between two other hosts during syn-flood protection, when the NetScreen device is performing SYN proxying for the protected hosts. This vulnerability is not exploitable on TCP traffic secured via IPSec, SSH, or other mechanisms that make interception and modification of traffic detectable. The algorithms used to select TCP ISNs in affected versions of ScreenOS 2.6 and earlier are most predictable, thus the risks associated with this vulnerability are higher for devices running these versions of ScreenOS. Different algorithms with significantly less predictability were introduced in ScreenOS 3.0. Algorithms based on RFC 1948 were introduced in ScreenOS 4.0.1, and are used in the maintenance releases indicated below. Recommended Actions: Any or all of (1) Install one of the maintenance releases indicated below. (2) Upgrade to ScreenOS 4.0.1. (3) Only permit protocols that make interception and modification detectable (IPSec, SSH, SSL, etc.) to traverse the firewall. (3) Turn off or readjust syn-flood protection related parameters to minimize exposure to the vulnerability. (4) Follow standard good security practices regarding configuration of the NetScreen device and communication to and from it that makes interception and modification detectable, if not altogether preventable. Examples include using IPSec tunnels or SSH to the device for administrative access to the CLI, MD5 authentication to protect BGP sessions, strong authentication for access control, and so on. Release Schedule: For a complete release schedule, please visit: http://www.netscreen.com/support/alerts/Predictable_TCP_Initial_Sequence_Numbers.html How to Get ScreenOS: If you have registered your product with NetScreen and have a valid service contract, you can simply download the software from: http://www.netscreen.com/support/updates.html You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen device serial number as the password. If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software. NetScreen Technical Support is available 24 hours a day, 365 days a year. Contact information can be located at http://www.netscreen.com/support/technical_assistance.html Please reference this Advisory title as evidence of your entitlement to the fixed software version. NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release.
This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 05:48:13 PST