The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NetScreen Firewall

vulnerability announce CVE-2013-0149

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS Cisco, IOS XE Cisco, Cisco Nexus, NX-OS, Cisco Router, ProCurve Switch, HPE Switch, Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, NetScreen Firewall, ScreenOS, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Creation date: 02/08/2013.
Revision date: 01/08/2014.
Identifiers: BID-61566, c03880910, CERTA-2013-AVI-458, CERTA-2013-AVI-487, CERTA-2013-AVI-508, cisco-sa-20130801-lsaospf, CQ95773, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-0149, HPSBHF02912, JSA10575, JSA10580, JSA10582, PR 878639, PR 895456, sk94490, SUSE-SU-2014:0879-1, VIGILANCE-VUL-13192, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF protocol (Open Shortest Path First), which establishes IP routes using LSA (Link State Advertisement) messages.

The LSA Type 1 Update (LSU, Link-State Update) message is used to update the routing database. However, the RFC does not require checking the "Link State ID" and "Advertising Router" fields of LSU messages. Several implementations (Cisco, Juniper, etc.) therefore do not perform this check.

An attacker can thus spoof an LSU message if he knows:
 - the IP address of the target router
 - LSA DB sequence numbers
 - the router ID of the OSPF Designated Router

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.
Complete Vigil@nce bulletin.... (free trial)

vulnerability bulletin CVE-2014-3814

NetScreen Firewall: denial of service via IPv6

Synthesis of the vulnerability

An attacker can send malicious IPv6 packets to NetScreen Firewall, in order to trigger a denial of service.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 3/4.
Creation date: 12/06/2014.
Identifiers: CERTFR-2014-AVI-271, CVE-2014-3814, JSA10632, VIGILANCE-VUL-14893.

Description of the vulnerability

The NetScreen Firewall can be configured with a service listening on IPv6.

However, a sequence of malformed IPv6 packets sent to the firewall stops it. Technical details are unknown.

An attacker can therefore send malicious IPv6 packets to NetScreen Firewall, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (free trial)

vulnerability announce CVE-2014-3813

NetScreen Firewall: denial of service via DNS Client

Synthesis of the vulnerability

An attacker can return malicious DNS replies to NetScreen Firewall, in order to trigger a denial of service.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 2/4.
Creation date: 12/06/2014.
Identifiers: CERTFR-2014-AVI-271, CVE-2014-3813, JSA10631, VIGILANCE-VUL-14892.

Description of the vulnerability

The NetScreen Firewall product has a DNS client, in order to query remote DNS servers.

However, if the DNS server returns a malicious reply, the firewall restarts. Technical details are unknown.

An attacker can therefore return malicious DNS replies to NetScreen Firewall, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability alert CVE-2014-2842

ScreenOS: denial of service via SSL

Synthesis of the vulnerability

An attacker can send a malicious SSL packet to ScreenOS, in order to trigger a denial of service.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 2/4.
Creation date: 14/04/2014.
Identifiers: CERTFR-2014-AVI-232, CERTFR-2014-AVI-279, CVE-2014-2842, JSA10624, VIGILANCE-VUL-14586, VU#480428.

Description of the vulnerability

The ScreenOS product offers an administration web service using SSL.

However, an attacker can send a malformed SSL packet, in order to reboot the firewall. Technical details are unknown.

An attacker can therefore send a malicious SSL packet to ScreenOS, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability bulletin CVE-2013-7306 CVE-2013-7307 CVE-2013-7308

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS Cisco, IOS XE Cisco, Cisco Nexus, NX-OS, Cisco Router, ProCurve Switch, HPE Switch, Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, NetScreen Firewall, ScreenOS.
Severity: 3/4.
Creation date: 28/01/2014.
Identifiers: BID-65140, BID-65157, BID-65161, BID-65162, BID-65163, BID-65166, BID-65167, BID-65169, BID-65170, c03880910, CERTA-2013-AVI-487, cisco-sa-20130801-lsaospf, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-7306, CVE-2013-7307, CVE-2013-7308, CVE-2013-7309, CVE-2013-7310, CVE-2013-7311, CVE-2013-7312, CVE-2013-7313, CVE-2013-7314, HPSBHF02912, JSA10575, JSA10580, sk94490, VIGILANCE-VUL-14148, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF protocol (Open Shortest Path First), which establishes IP routes using LSA (Link State Advertisement) messages.

The LSA Type 1 Update (LSU, Link-State Update) message is used to update the routing database. However, the RFC does not require checking the "Link State ID" and "Advertising Router" fields of LSU messages. Several implementations do not check for duplicates before editing their databases.

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.

This vulnerability is similar to VIGILANCE-VUL-13192.
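The field check described in this entry and in the earlier CVE-2013-0149 entry, as an added example that is neither Vigil@nce's nor any vendor's code: it parses the 20-byte LSA header defined by RFC 2328 and rejects a router-LSA (type 1) whose Link State ID differs from its Advertising Router, since RFC 2328 sets a router-LSA's Link State ID to the originating router's Router ID, then ignores anything not newer than the copy already held. The `lsdb` dictionary, the IPv4 sample addresses and the packed sample headers are assumptions constructed here.

```python
import struct
from ipaddress import IPv4Address

# RFC 2328 LSA header: LS age, Options, LS type, Link State ID, Advertising Router,
# LS sequence number (signed 32-bit), LS checksum, length.
LSA_HEADER = struct.Struct("!HBBIIiHH")
ROUTER_LSA = 1


def build_lsa_header(ls_type, ls_id, adv_router, seq, length=24):
    """Constructed sample data: pack an LSA header (checksum left at 0 for the demo)."""
    return LSA_HEADER.pack(1, 0x02, ls_type, int(IPv4Address(ls_id)),
                           int(IPv4Address(adv_router)), seq, 0, length)


def parse_lsa_header(buf):
    """Decode the fixed 20-byte LSA header; IP-valued fields are returned dotted."""
    if len(buf) < LSA_HEADER.size:
        raise ValueError("truncated LSA header")
    age, options, ls_type, ls_id, adv, seq, csum, length = LSA_HEADER.unpack_from(buf)
    return {"age": age, "options": options, "type": ls_type,
            "ls_id": str(IPv4Address(ls_id)), "adv_router": str(IPv4Address(adv)),
            "seq": seq, "checksum": csum, "length": length}


def check_lsa(hdr, lsdb):
    """Decide whether an LSA may touch the link-state database.

    lsdb (an assumption of this example) maps (type, Link State ID, Advertising
    Router) to the newest accepted sequence number. A router-LSA whose Link
    State ID is not its Advertising Router is the inconsistency the bulletin
    describes, so it is refused before any database update.
    """
    if hdr["type"] == ROUTER_LSA and hdr["ls_id"] != hdr["adv_router"]:
        return "reject: router-LSA Link State ID != Advertising Router"
    key = (hdr["type"], hdr["ls_id"], hdr["adv_router"])
    if key in lsdb and hdr["seq"] <= lsdb[key]:
        return "ignore: not newer than LSDB copy"
    lsdb[key] = hdr["seq"]
    return "accept"


if __name__ == "__main__":
    lsdb = {}
    # RFC 2328's InitialSequenceNumber 0x80000001 is negative as a signed 32-bit value
    genuine = build_lsa_header(ROUTER_LSA, "10.0.0.1", "10.0.0.1", -0x7FFFFFFF)
    inconsistent = build_lsa_header(ROUTER_LSA, "10.0.0.1", "192.0.2.99", -0x7FFFFFF0)
    for name, raw in (("genuine", genuine), ("inconsistent", inconsistent), ("replay", genuine)):
        print(name, "->", check_lsa(parse_lsa_header(raw), lsdb))
```

The sequence-number comparison only covers the "not newer" case; a full implementation would also apply the RFC 2328 flooding rules (age, checksum, MinLSArrival), which are outside this example.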
Complete Vigil@nce bulletin.... (free trial)

vulnerability announce CVE-2013-6958

ScreenOS: denial of service via Ping

Synthesis of the vulnerability

An attacker can send malicious ICMP packets to ScreenOS, in order to trigger a denial of service.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 3/4.
Creation date: 12/12/2013.
Identifiers: BID-64260, CERTA-2013-AVI-674, CVE-2013-6958, FFRRA-20131213, JSA10604, JVN #28436508, VIGILANCE-VUL-13942.

Description of the vulnerability

The "Ping of Death" protection protects against large ICMP packets. This protection is enabled by default on the untrusted zone, but it is not enabled on the trusted zone.

However, when this protection is disabled on NS 5GT, some malformed ICMP packets generate a fatal error. Technical details are unknown.

An attacker can therefore send malicious ICMP packets to ScreenOS, in order to trigger a denial of service.
Complete Vigil@nce bulletin.... (free trial)

computer vulnerability note CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, MES, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, Red Hat JBoss EAP, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 3/4.
Creation date: 19/04/2012.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation).

OpenSSL uses BIO, which are data streams where a program can write or read.

The asn1_d2i_read_bio() function of OpenSSL decodes ASN.1 data coming from a BIO.

However, this function casts the size of ASN.1 objects to a signed integer (whereas "size_t" is unsigned). If the announced size of an object is greater than 0x80000000, an allocation error thus occurs, and the memory is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: SSL/TLS clients and servers do not use this function, and are thus not vulnerable (with exceptions if d2i_X509_bio() is called). However, S/MIME or CMS applications are vulnerable.

An attacker can therefore use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
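The signed/unsigned length confusion the bulletin describes, as an added illustration that is not OpenSSL's code and does not reproduce asn1_d2i_read_bio() itself: a DER length is decoded, then bounded either after a C-style cast to a 32-bit int (the flawed order, where an announced size above 0x80000000 becomes negative and slips past the "too large" test) or as an unsigned quantity checked against both a limit and the input actually present. The `MAX_OBJECT` limit, the `c_int_cast` emulation and the two sample encodings are assumptions constructed here.

```python
MAX_OBJECT = 1 << 20          # hypothetical per-object limit enforced by the decoder


def der_length(buf, off):
    """Decode a DER length at buf[off]; return (announced_length, bytes_consumed)."""
    first = buf[off]
    if first < 0x80:                       # short form: the octet is the length
        return first, 1
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        raise ValueError("unsupported or truncated length encoding")
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), 1 + n


def c_int_cast(value):
    """Emulate a C (int) cast of a size_t on a platform whose int is 32 bits wide."""
    return ((value & 0xFFFFFFFF) ^ 0x80000000) - 0x80000000


def vulnerable_bound(buf, off=1):
    """Cast first, compare second: the ordering the bulletin describes."""
    announced, _ = der_length(buf, off)
    want = c_int_cast(announced)
    if want > MAX_OBJECT:                  # a negative 'want' passes this test
        return "reject", want
    return "grow buffer by", want          # in C this value would drive the buffer growth


def hardened_bound(buf, off=1):
    """Keep the announced size unsigned and bound it against a limit and the input."""
    announced, consumed = der_length(buf, off)
    remaining = len(buf) - off - consumed
    if announced > MAX_OBJECT or announced > remaining:
        return "reject", announced
    return "grow buffer by", announced


# Constructed samples: a SEQUENCE with a 5-byte body, and one announcing 0x80000001 bytes
BENIGN = bytes([0x30, 0x05]) + b"\x02\x03\x01\x00\x01"
OVERSIZED = bytes([0x30, 0x84, 0x80, 0x00, 0x00, 0x01]) + b"\x00" * 4

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, "vulnerable:", vulnerable_bound(sample), "hardened:", hardened_bound(sample))
```

The hardened variant's second condition (announced size versus bytes remaining) is what makes a streaming decoder safe regardless of integer width: an object cannot be larger than the data that carries it, so the limit check never has to rely on the sign of a converted value.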
Complete Vigil@nce bulletin.... (free trial)

vulnerability 10590

TCP, Firewalls: TCP Split Handshake

Synthesis of the vulnerability

An attacker owning a malicious server can use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client.
Impacted products: ASA, IOS Cisco, Cisco Router, FortiGate, FortiOS, NetScreen Firewall, ScreenOS, TCP protocol.
Severity: 1/4.
Creation date: 21/04/2011.
Identifiers: CSCth67416, CSCtn29288, CSCtn29349, KB20877, PSN-2011-04-229, VIGILANCE-VUL-10590.

Description of the vulnerability

A TCP session initialization sequence starts with:
 - the client sends a packet with the SYN flag
 - the server answers a SYN-ACK
 - the client answers an ACK

RFC 793 also describes it in four steps (page 27, "simultaneous-open handshake"):
 - the client sends a packet with the SYN flag
 - the server answers an ACK
 - the server sends a SYN
 - the client answers an ACK

Linux, Windows and MacOS incorrectly implement the "simultaneous-open handshake":
 - the Linux/Windows/MacOS client sends a packet with the SYN flag
 - the server answers an ACK (can be ignored by the client)
 - the server sends a SYN
 - the Linux/Windows/MacOS client answers a SYN-ACK (instead of an ACK alone)

When the server answers with an ACK, a firewall on the path has just seen a SYN, then a SYN-ACK, then an ACK. Some firewalls interpret this three-packet exchange as a connection from the server to the client.

An attacker owning a malicious server can therefore use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client. Note that the firewall then holds an invalid internal state, but the session was still initiated by the client.
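The firewall-side misattribution described above, as an added model that is not the bulletin's or any vendor's code: a naive tracker that only pattern-matches SYN, SYN-ACK, ACK in a row is fed the normal handshake and the split sequence, and is contrasted with a tracker that attributes the session to the sender of the first SYN-only segment and labels a nonstandard exchange so it can be logged or dropped. The two addresses (documentation ranges), the `Segment` type and both packet sequences are assumptions constructed here.

```python
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10

CLIENT = "192.0.2.10"     # constructed addresses from the documentation ranges
SERVER = "203.0.113.5"


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: int


def naive_initiator(segments):
    """Tracker that only recognises SYN, SYN-ACK, ACK arriving back to back.

    Returns the address it believes opened the session. Any segment that breaks
    the pattern resets the state, so the client's real first SYN is forgotten.
    """
    state = None                                   # (initiator, responder, phase)
    for seg in segments:
        if seg.flags == SYN:
            state = (seg.src, seg.dst, "syn")
        elif (seg.flags == SYN | ACK and state and state[2] == "syn"
              and (seg.src, seg.dst) == (state[1], state[0])):
            state = (state[0], state[1], "synack")
        elif (seg.flags == ACK and state and state[2] == "synack"
              and (seg.src, seg.dst) == (state[0], state[1])):
            return state[0]
        else:
            state = None
    return None


def strict_initiator(segments):
    """Attribute the session to whoever sent the first SYN-only segment and
    classify the exchange, so a split handshake is visible to policy and logging."""
    first_syn = next((s for s in segments if s.flags == SYN), None)
    if first_syn is None:
        return None, "no SYN seen"
    c, s = first_syn.src, first_syn.dst
    expected = [(c, s, SYN), (s, c, SYN | ACK), (c, s, ACK)]
    observed = [(x.src, x.dst, x.flags) for x in segments[:3]]
    kind = "three-way" if observed == expected else "split-handshake"
    return c, kind


# Constructed exchanges: the normal handshake and the sequence described in the text
NORMAL = [Segment(CLIENT, SERVER, SYN), Segment(SERVER, CLIENT, SYN | ACK),
          Segment(CLIENT, SERVER, ACK)]
SPLIT = [Segment(CLIENT, SERVER, SYN), Segment(SERVER, CLIENT, ACK),
         Segment(SERVER, CLIENT, SYN), Segment(CLIENT, SERVER, SYN | ACK),
         Segment(SERVER, CLIENT, ACK)]

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("split", SPLIT)):
        print(name, "naive:", naive_initiator(flow), "strict:", strict_initiator(flow))
```

On the split sequence the naive tracker reports the server as initiator, which is the inverted state the bulletin describes; the strict tracker keeps the client as initiator because the very first SYN came from it, and the "split-handshake" label is the hook for a deny or alert rule.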
Complete Vigil@nce bulletin.... (free trial)

vulnerability alert CVE-2010-0740

OpenSSL: denial of service via ssl3_get_record

Synthesis of the vulnerability

An attacker can send a malicious SSL message, in order to stop applications linked to OpenSSL.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, NetScreen Firewall, ScreenOS, OpenBSD, OpenSolaris, OpenSSL, Slackware, ESX, ESXi, vCenter, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 29/03/2010.
Identifiers: BID-39013, c02079216, c02160663, CVE-2010-0740, FEDORA-2010-8742, HPSBUX02517, HPSBUX02531, MDVSA-2010:076, MDVSA-2010:076-1, SOL11533, SSA:2010-090-01, SSRT100058, SSRT100108, VIGILANCE-VUL-9541, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The OpenSSL library implements several versions of SSL: SSLv2, SSLv3, TLSv1.

The ssl3_get_record() function of the file ssl/s3_pkt.c decodes SSL messages. When an attacker:
 - sends a first message in SSLv3
 - then sends only the header of a message in another version
the ssl3_get_record() function tries to read the body, and then generates an error message using the bad version number. The sending function then tries to access an uninitialized field, which dereferences a NULL pointer.

An attacker can therefore send a malicious SSL message, in order to stop applications linked to OpenSSL.
Complete Vigil@nce bulletin.... (free trial)

vulnerability alert CVE-2009-3555

TLS, OpenSSL, GnuTLS: vulnerability of the renegotiation

Synthesis of the vulnerability

A remote attacker can use a vulnerability of TLS in order to insert plain text data during a renegotiation via a man-in-the-middle attack.
Impacted products: Apache httpd, ArubaOS, BES, ProxySG, SGOS, Cisco ASR, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco CSS, IOS Cisco, IOS XR Cisco, IronPort Email, IronPort Management, Cisco Router, Secure ACS, Cisco CallManager, Cisco CUCM, Cisco IP Phone, WebNS, XenApp, XenDesktop, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, WebSphere AS, IVE OS, Juniper J-Series, JUNOS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, IIS, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NSS, NetBSD, NetScreen Firewall, ScreenOS, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Oracle Directory Server, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Trusted Solaris, ProFTPD, SSL protocol, RHEL, Slackware, Sun AS, SUSE Linux Enterprise Desktop, SLES, TurboLinux, Unix (platform) ~ not comprehensive, ESX.
Severity: 2/4.
Creation date: 10/11/2009.
Identifiers: 1021653, 111046, 273029, 273350, 274990, 6898371, 6898539, 6898546, 6899486, 6899619, 6900117, 977377, AID-020810, BID-36935, c01945686, c01963123, c02079216, CERTA-2011-ALE-005, cisco-sa-20091109-tls, CTX123248, CTX123359, CVE-2009-3555, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2141-4, DSA-2626-1, DSA-3253-1, FEDORA-2009-12229, FEDORA-2009-12305, FEDORA-2009-12606, FEDORA-2009-12750, FEDORA-2009-12775, FEDORA-2009-12782, FEDORA-2009-12968, FEDORA-2009-13236, FEDORA-2009-13250, FEDORA-2010-1127, FEDORA-2010-3905, FEDORA-2010-3929, FEDORA-2010-3956, FEDORA-2010-5357, FEDORA-2010-8742, FEDORA-2010-9487, FEDORA-2010-9518, FreeBSD-SA-09:15.ssl, HPSBUX02482, HPSBUX02498, HPSBUX02517, KB25966, MDVSA-2009:295, MDVSA-2009:323, MDVSA-2009:337, MDVSA-2010:069, MDVSA-2010:076, MDVSA-2010:076-1, MDVSA-2010:089, MDVSA-2013:019, NetBSD-SA2010-002, openSUSE-SU-2010:1025-1, openSUSE-SU-2010:1025-2, openSUSE-SU-2011:0845-1, PM04482, PM04483, PM04534, PM04544, PM06400, PSN-2011-06-290, PSN-2012-11-767, RHSA-2009:1579-02, RHSA-2009:1580-02, RHSA-2010:0011-01, RHSA-2010:0119-01, RHSA-2010:0130-01, RHSA-2010:0155-01, RHSA-2010:0162-01, RHSA-2010:0163-01, RHSA-2010:0164-01, RHSA-2010:0165-01, RHSA-2010:0166-01, RHSA-2010:0167-01, SOL10737, SSA:2009-320-01, SSA:2010-067-01, SSRT090249, SSRT090264, SSRT100058, SUSE-SA:2009:057, SUSE-SA:2010:020, SUSE-SR:2010:008, SUSE-SR:2010:012, SUSE-SR:2011:008, SUSE-SU-2011:0847-1, TLSA-2009-30, TLSA-2009-32, VIGILANCE-VUL-9181, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3, VU#120541.

Description of the vulnerability

Transport Layer Security (TLS) is a cryptographic protocol for network transport.

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use.

The protocol allows for renegotiation at any time during the connection. However, the handling of those renegotiations has a vulnerability.

A remote attacker can therefore exploit this vulnerability in order to insert plain text data via a man-in-the-middle attack.
Complete Vigil@nce bulletin.... (free trial)
Our database contains other pages. You can request a free trial to read them.
