The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of NetScreen Firewall

computer vulnerability bulletin CVE-2013-7306 CVE-2013-7307 CVE-2013-7308

OSPF: corrupting the routing database

Synthesis of the vulnerability

An attacker can spoof OSPF messages, in order to corrupt the routing database.
Impacted products: CheckPoint IP Appliance, IPSO, CheckPoint Security Gateway, Cisco ASR, ASA, Cisco Catalyst, IOS Cisco, IOS XE Cisco, Cisco Nexus, NX-OS, Cisco Router, ProCurve Switch, HP Switch, Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, NetScreen Firewall, ScreenOS.
Severity: 3/4.
Creation date: 28/01/2014.
Identifiers: BID-65140, BID-65157, BID-65161, BID-65162, BID-65163, BID-65166, BID-65167, BID-65169, BID-65170, c03880910, CERTA-2013-AVI-487, cisco-sa-20130801-lsaospf, CSCug34469, CSCug34485, CSCug39762, CSCug39795, CSCug63304, CVE-2013-7306, CVE-2013-7307, CVE-2013-7308, CVE-2013-7309, CVE-2013-7310, CVE-2013-7311, CVE-2013-7312, CVE-2013-7313, CVE-2013-7314, HPSBHF02912, JSA10575, JSA10580, sk94490, VIGILANCE-VUL-14148, VU#229804.

Description of the vulnerability

RFC 2328 defines the OSPF protocol (Open Shortest Path First), which establishes IP routes using LSA (Link State Advertisement) messages.

A Link-State Update (LSU) message carrying Type 1 (router) LSAs is used to update the routing database. However, the RFC does not require implementations to check the "Link State ID" and "Advertising Router" fields of the LSAs in LSU messages, and several implementations do not check for duplicates before modifying their databases.

An attacker can therefore spoof OSPF messages, in order to corrupt the routing database.

This vulnerability is similar to VIGILANCE-VUL-13192.
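As an added example (not code from the bulletin or from any vendor), the following Python parses an OSPFv2 LSA header and applies the two checks the description implies: for a router-LSA (type 1), RFC 2328 section 12.1.4 sets the Link State ID to the originating router's Router ID, so it must equal Advertising Router, and an LSA that duplicates an instance already in the database must not overwrite it. The header layout is from RFC 2328 Appendix A.4.1; the sample headers are constructed.

```python
import struct
from typing import Optional

# OSPFv2 LSA header, RFC 2328 Appendix A.4.1 (20 bytes, network order):
# LS age, Options, LS type, Link State ID, Advertising Router,
# LS sequence number (signed 32-bit), LS checksum, length.
LSA_HEADER = struct.Struct("!HBBIIiHH")
ROUTER_LSA = 1                 # LS type 1
INITIAL_SEQ = -0x7FFFFFFF      # InitialSequenceNumber, RFC 2328 section 12.1.6


def ip2int(dotted: str) -> int:
    """Convert a dotted-quad Router ID / Link State ID to a 32-bit integer."""
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def parse_lsa_header(data: bytes) -> dict:
    """Unpack one LSA header into named fields; reject truncated input."""
    if len(data) < LSA_HEADER.size:
        raise ValueError("LSA header truncated")
    age, opts, ls_type, lsid, adv, seq, cksum, length = LSA_HEADER.unpack_from(data)
    return {"age": age, "options": opts, "type": ls_type, "lsid": lsid,
            "adv_router": adv, "seq": seq, "checksum": cksum, "length": length}


def check_router_lsa(hdr: dict) -> Optional[str]:
    """Return a rejection reason, or None if the header is consistent.

    RFC 2328 section 12.1.4: a router-LSA's Link State ID is the Router ID of
    the router that originated it, so it must equal Advertising Router. A
    router-LSA where the two differ is the spoofed LSA the bulletin describes.
    """
    if hdr["type"] == ROUTER_LSA and hdr["lsid"] != hdr["adv_router"]:
        return "router-LSA Link State ID differs from Advertising Router"
    return None


def install_lsa(db: dict, hdr: dict) -> bool:
    """Install the LSA in db, keyed on (type, LSID, Advertising Router).

    Returns False when the LSA is rejected: an inconsistent router-LSA, or a
    duplicate / older instance of an LSA already present (RFC 2328 section
    13.1 orders instances by LS sequence number).
    """
    if check_router_lsa(hdr) is not None:
        return False
    key = (hdr["type"], hdr["lsid"], hdr["adv_router"])
    current = db.get(key)
    if current is not None and current["seq"] >= hdr["seq"]:
        return False   # same or older instance: leave the database untouched
    db[key] = hdr
    return True


def make_header(ls_type: int, lsid: str, adv: str, seq: int) -> bytes:
    """Build a constructed sample header (age 1, options 0x02, length 36)."""
    return LSA_HEADER.pack(1, 0x02, ls_type, ip2int(lsid), ip2int(adv), seq, 0, 36)


# Constructed samples: a legitimate router-LSA from 10.0.0.1, and one that
# carries 10.0.0.1's Link State ID while being advertised by 10.0.0.99.
GOOD = make_header(ROUTER_LSA, "10.0.0.1", "10.0.0.1", INITIAL_SEQ)
SPOOFED = make_header(ROUTER_LSA, "10.0.0.1", "10.0.0.99", INITIAL_SEQ + 1)
```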

vulnerability announce CVE-2013-6958

ScreenOS: denial of service via Ping

Synthesis of the vulnerability

An attacker can send malicious ICMP packets to ScreenOS, in order to trigger a denial of service.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 3/4.
Creation date: 12/12/2013.
Identifiers: BID-64260, CERTA-2013-AVI-674, CVE-2013-6958, FFRRA-20131213, JSA10604, JVN #28436508, VIGILANCE-VUL-13942.

Description of the vulnerability

The "Ping of Death" protection guards against oversized ICMP packets. It is enabled by default on the untrusted zone, but not on the trusted zone.

However, when this protection is disabled on NS 5GT, some malformed ICMP packets generate a fatal error. Technical details are unknown.

An attacker can therefore send malicious ICMP packets to ScreenOS, in order to trigger a denial of service.

computer vulnerability note CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, MES, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, Red Hat JBoss EAP, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 3/4.
Creation date: 19/04/2012.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates are encoded with ASN.1 (Abstract Syntax Notation One).

OpenSSL uses BIOs, which are abstract I/O streams that a program can read from or write to.

The asn1_d2i_read_bio() function of OpenSSL decodes ASN.1 data read from a BIO.

However, this function casts the size of ASN.1 objects to a signed integer (whereas "size_t" is unsigned). If the announced size of an object is greater than 0x80000000, an allocation error thus occurs and memory is corrupted.

The asn1_d2i_read_bio() function is used by several OpenSSL functions. Note: SSL/TLS clients and servers do not use this function and are thus not vulnerable (with exceptions, for instance when d2i_X509_bio() is called). S/MIME and CMS applications, however, are vulnerable.

An attacker can therefore use malformed ASN.1 data, with an application linked to OpenSSL, in order to corrupt the memory, which leads to a denial of service or to code execution.

vulnerability 10590

TCP, Firewalls: TCP Split Handshake

Synthesis of the vulnerability

An attacker owning a malicious server can use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client.
Impacted products: ASA, IOS Cisco, Cisco Router, FortiGate, FortiOS, NetScreen Firewall, ScreenOS, TCP protocol.
Severity: 1/4.
Creation date: 21/04/2011.
Identifiers: CSCth67416, CSCtn29288, CSCtn29349, KB20877, PSN-2011-04-229, VIGILANCE-VUL-10590.

Description of the vulnerability

A TCP session initialization sequence normally consists of three steps:
 - the client sends a packet with the SYN flag
 - the server answers with a SYN-ACK
 - the client answers with an ACK

RFC 793 also describes a four-step variant (page 27, "simultaneous-open handshake"):
 - the client sends a packet with the SYN flag
 - the server answers with an ACK
 - the server sends a SYN
 - the client answers with an ACK

Linux, Windows and MacOS incorrectly implement the "simultaneous-open handshake":
 - the Linux/Windows/MacOS client sends a packet with the SYN flag
 - the server answers with an ACK (can be ignored by the client)
 - the server sends a SYN
 - the Linux/Windows/MacOS client answers with a SYN-ACK (instead of an ACK alone)
When the server then answers with an ACK, a firewall on the path has just seen: a SYN (from the server), then a SYN-ACK (from the client), then an ACK (from the server). Some firewalls interpret these three packets as a connection from the server to the client.

An attacker owning a malicious server can therefore use a special TCP initialization sequence, in order to force the firewall to open a TCP session to the client. Note that although the firewall ends up with an invalid internal state, the session was in fact initiated by the client.
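As an added example, not code from the bulletin or from any of the listed firewalls, this Python models a firewall connection tracker in two forms: a naive one that keys on the SYN, SYN-ACK, ACK flag pattern and so misattributes the split handshake described above, and a direction-aware one that records which side sent the first SYN and only considers the flow established once both SYNs are acknowledged. The exchanges are constructed from the steps listed above; the outbound-only policy is an assumption for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLIENT, SERVER = "client", "server"   # the client is on the protected side


@dataclass(frozen=True)
class Segment:
    src: str            # CLIENT or SERVER
    syn: bool = False
    ack: bool = False


def naive_initiator(segments: List[Segment]) -> Optional[str]:
    """Flag-pattern tracker modelling the flawed logic: the side that sent the
    most recent SYN followed by a SYN-ACK from the peer and an ACK from the
    same side is recorded as the session initiator."""
    state, who = "LISTEN", None
    for s in segments:
        if s.syn and not s.ack:                    # any bare SYN restarts tracking
            state, who = "SYN_SEEN", s.src
        elif state == "SYN_SEEN" and s.syn and s.ack and s.src != who:
            state = "SYNACK_SEEN"
        elif state == "SYNACK_SEEN" and s.ack and not s.syn and s.src == who:
            return who                             # SYN, SYN-ACK, ACK complete
    return None


def track(segments: List[Segment]) -> Tuple[Optional[str], bool]:
    """Direction-aware tracker: the initiator is the side that sent the first
    SYN on the flow, and the flow is established only once each side's SYN has
    been acknowledged (covers the classic and the simultaneous-open handshake).
    Returns (initiator, established)."""
    initiator = None
    syn_sent = {CLIENT: False, SERVER: False}
    syn_acked = {CLIENT: False, SERVER: False}
    for s in segments:
        peer = SERVER if s.src == CLIENT else CLIENT
        if s.syn:
            if initiator is None:
                initiator = s.src
            syn_sent[s.src] = True
        if s.ack and syn_sent[peer]:               # an ACK acknowledges the peer's SYN
            syn_acked[peer] = True
    established = all(syn_sent.values()) and all(syn_acked.values())
    return initiator, established


def outbound_only_allows(initiator: Optional[str]) -> bool:
    """Assumed policy: sessions may only be opened from the client side."""
    return initiator == CLIENT


# Constructed exchanges. CLASSIC is the normal three-way handshake; SPLIT is
# the sequence from the bulletin: SYN, ACK, SYN, SYN-ACK (instead of ACK), ACK.
CLASSIC = [Segment(CLIENT, syn=True), Segment(SERVER, syn=True, ack=True),
           Segment(CLIENT, ack=True)]
SPLIT = [Segment(CLIENT, syn=True), Segment(SERVER, ack=True),
         Segment(SERVER, syn=True), Segment(CLIENT, syn=True, ack=True),
         Segment(SERVER, ack=True)]
```

With the naive tracker the split exchange is classified as server-initiated and the outbound-only policy is bypassed; the first-SYN tracker attributes it to the client, matching what actually happened.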

vulnerability alert CVE-2010-0740

OpenSSL: denial of service via ssl3_get_record

Synthesis of the vulnerability

An attacker can send a malicious SSL message, in order to stop applications linked to OpenSSL.
Impacted products: BIG-IP Hardware, TMOS, Fedora, HP-UX, AIX, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, NetScreen Firewall, ScreenOS, OpenBSD, OpenSolaris, OpenSSL, Slackware, ESX, ESXi, vCenter, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Creation date: 29/03/2010.
Identifiers: BID-39013, c02079216, c02160663, CVE-2010-0740, FEDORA-2010-8742, HPSBUX02517, HPSBUX02531, MDVSA-2010:076, MDVSA-2010:076-1, SOL11533, SSA:2010-090-01, SSRT100058, SSRT100108, VIGILANCE-VUL-9541, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2.

Description of the vulnerability

The OpenSSL library implements several versions of SSL: SSLv2, SSLv3, TLSv1.

The ssl3_get_record() function in the file ssl/s3_pkt.c decodes SSL messages. When an attacker:
 - first sends a message in SSLv3
 - then sends only the header of a message carrying another version number
the ssl3_get_record() function tries to read the body, and then generates an error message using the bad version number. The sending function then tries to access an uninitialized field, which dereferences a NULL pointer.

An attacker can therefore send a malicious SSL message, in order to stop applications linked to OpenSSL.

vulnerability alert CVE-2009-3555

TLS, OpenSSL, GnuTLS: vulnerability of the renegotiation

Synthesis of the vulnerability

A remote attacker can use a vulnerability of TLS in order to insert plain text data during a renegotiation via a man-in-the-middle attack.
Impacted products: Apache httpd, ArubaOS, BES, ProxySG, Cisco ASR, ASA, AsyncOS, Cisco Catalyst, CiscoWorks, Cisco CSS, IOS Cisco, IOS XR Cisco, IronPort Email, IronPort Management, Cisco Router, Secure ACS, Cisco CallManager, Cisco CUCM, Cisco IP Phone, WebNS, XenApp, XenDesktop, XenServer, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, WebSphere AS, IVE OS, Juniper J-Series, JUNOS, NSM Central Manager, NSMXpress, Juniper SA, Mandriva Corporate, MES, Mandriva Linux, Mandriva NF, IIS, Windows 2000, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, NSS, NetBSD, NetScreen Firewall, ScreenOS, NLD, OES, OpenBSD, OpenSolaris, OpenSSL, openSUSE, Oracle Directory Server, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Trusted Solaris, ProFTPD, SSL protocol, RHEL, Slackware, Sun AS, SUSE Linux Enterprise Desktop, SLES, TurboLinux, Unix (platform), ESX.
Severity: 2/4.
Creation date: 10/11/2009.
Identifiers: 1021653, 111046, 273029, 273350, 274990, 6898371, 6898539, 6898546, 6899486, 6899619, 6900117, 977377, AID-020810, BID-36935, c01945686, c01963123, c02079216, CERTA-2011-ALE-005, cisco-sa-20091109-tls, CTX123248, CTX123359, CVE-2009-3555, DSA-1934-1, DSA-2141-1, DSA-2141-2, DSA-2141-4, DSA-2626-1, DSA-3253-1, FEDORA-2009-12229, FEDORA-2009-12305, FEDORA-2009-12606, FEDORA-2009-12750, FEDORA-2009-12775, FEDORA-2009-12782, FEDORA-2009-12968, FEDORA-2009-13236, FEDORA-2009-13250, FEDORA-2010-1127, FEDORA-2010-3905, FEDORA-2010-3929, FEDORA-2010-3956, FEDORA-2010-5357, FEDORA-2010-8742, FEDORA-2010-9487, FEDORA-2010-9518, FreeBSD-SA-09:15.ssl, HPSBUX02482, HPSBUX02498, HPSBUX02517, KB25966, MDVSA-2009:295, MDVSA-2009:323, MDVSA-2009:337, MDVSA-2010:069, MDVSA-2010:076, MDVSA-2010:076-1, MDVSA-2010:089, MDVSA-2013:019, NetBSD-SA2010-002, openSUSE-SU-2010:1025-1, openSUSE-SU-2010:1025-2, openSUSE-SU-2011:0845-1, PM04482, PM04483, PM04534, PM04544, PM06400, PSN-2011-06-290, PSN-2012-11-767, RHSA-2009:1579-02, RHSA-2009:1580-02, RHSA-2010:0011-01, RHSA-2010:0119-01, RHSA-2010:0130-01, RHSA-2010:0155-01, RHSA-2010:0162-01, RHSA-2010:0163-01, RHSA-2010:0164-01, RHSA-2010:0165-01, RHSA-2010:0166-01, RHSA-2010:0167-01, SOL10737, SSA:2009-320-01, SSA:2010-067-01, SSRT090249, SSRT090264, SSRT100058, SUSE-SA:2009:057, SUSE-SA:2010:020, SUSE-SR:2010:008, SUSE-SR:2010:012, SUSE-SR:2011:008, SUSE-SU-2011:0847-1, TLSA-2009-30, TLSA-2009-32, VIGILANCE-VUL-9181, VMSA-2010-0015, VMSA-2010-0015.1, VMSA-2010-0019, VMSA-2010-0019.1, VMSA-2010-0019.2, VMSA-2010-0019.3, VU#120541.

Description of the vulnerability

Transport Layer Security (TLS) is a cryptographic protocol for network transport.

When opening a connection using TLS, a negotiation mechanism allows the client and server to agree on the encryption algorithm to use.

The protocol allows for renegotiation at any time during the connection. However, the handling of those renegotiations has a vulnerability.

A remote attacker can therefore exploit this vulnerability in order to insert plain text data via a man-in-the-middle attack.

vulnerability announce 8672

ScreenOS: information disclosure via about.html

Synthesis of the vulnerability

An attacker can request the about.html page of WebUI in order to obtain information on the ScreenOS.
Impacted products: NetScreen Firewall, ScreenOS.
Severity: 1/4.
Creation date: 27/04/2009.
Identifiers: BID-34710, VIGILANCE-VUL-8672.

Description of the vulnerability

Access to the WebUI administration interface requires authentication.

However, the "about.html" page can be accessed without authentication, and this page contains the ScreenOS version.

An unauthenticated attacker who is allowed to connect to the WebUI web server can therefore obtain information about the system.

computer vulnerability announce CVE-2008-1447

DNS: cache poisoning

Synthesis of the vulnerability

An attacker can predict DNS queries in order to poison the DNS client or cache (caching resolver).
Impacted products: ProxyRA, ProxySG, IOS Cisco, Cisco Router, Debian, Dnsmasq, BIG-IP Hardware, TMOS, Fedora, FreeBSD, MPE/iX, Tru64 UNIX, HP-UX, AIX, BIND, Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, Mandriva Corporate, Mandriva Linux, Mandriva NF, Windows 2000, Windows 2003, Windows 2008 R0, Windows (platform), Windows XP, NetBSD, NetScreen Firewall, ScreenOS, NLD, Netware, OES, OpenBSD, OpenSolaris, openSUSE, Solaris, Trusted Solaris, DNS protocol, RHEL, Slackware, SLES, TurboLinux, Unix (platform), ESX.
Severity: 3/4.
Creation date: 09/07/2008.
Revisions dates: 22/07/2008, 24/07/2008, 25/07/2008.
Identifiers: 107064, 239392, 240048, 6702096, 7000912, 953230, BID-30131, c01506861, c01660723, CAU-EX-2008-0002, CAU-EX-2008-0003, CERTA-2002-AVI-189, CERTA-2002-AVI-200, cisco-sa-20080708-dns, CR102424, CR99135, CSCso81854, CVE-2008-1447, draft-ietf-dnsext-forgery-resilience-05, DSA-1544-2, DSA-1603-1, DSA-1604-1, DSA-1605-1, DSA-1617-1, DSA-1619-1, DSA-1619-2, DSA-1623-1, FEDORA-2008-6256, FEDORA-2008-6281, FEDORA-2009-1069, FreeBSD-SA-08:06.bind, HPSBMP02404, HPSBTU02358, HPSBUX02351, MDVSA-2008:139, MS08-037, NetBSD-SA2008-009, powerdns-advisory-2008-01, PSN-2008-06-040, RHSA-2008:0533-01, RHSA-2008:0789-01, SOL8938, SSA:2008-191-02, SSA:2008-205-01, SSRT080058, SSRT090014, SUSE-SA:2008:033, TA08-190B, TLSA-2008-26, VIGILANCE-VUL-7937, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VU#800113.

Description of the vulnerability

The DNS protocol defines a 16-bit identifier to associate an answer with its query. When an attacker predicts this identifier and the UDP port number, he can send fake answers and thus poison the DNS cache.

Most implementations use a fixed source port, which increases the probability that poisoning succeeds. However, as there is only one chance of success per TTL period, and as not every trial succeeds, this direct, long-known attack is not practical.

However, instead of poisoning the answer record, the attacker can poison additional records. Indeed, when the DNS client asks the address of www.example.com, the DNS server returns:
  www.example.com A 1.2.3.4 (answer)
  example.com NS dns.example.com (authoritative)
  dns.example.com A 1.2.3.5 (additional)

An attacker can therefore force the client to resolve several names (for example via a web page containing images): aaa.example.com, aab.example.com, ..., aaz.example.com. In his answers, the attacker always provides the same malicious additional record (www.example.com A 5.6.7.8). Even if, for example, only aab.example.com is successfully poisoned, its additional record (www.example.com = 5.6.7.8) will be stored in the cache.

An attacker can therefore poison the DNS cache/client and redirect all users to a malicious site.

computer vulnerability CVE-2006-2937 CVE-2006-2940 CVE-2006-3738

OpenSSL: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities have been discovered in OpenSSL, the worst one leading to code execution.
Impacted products: Arkoon FAST360, CiscoWorks, Cisco CSS, Cisco IPS, Cisco Prime, Secure ACS, WebNS, Debian, Fedora, FreeBSD, F-Secure AV, Tru64 UNIX, HP-UX, BIND, Mandriva Corporate, Mandriva Linux, Mandriva NF, Windows (platform), NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, ProPack, Slackware, TurboLinux.
Severity: 3/4.
Creation date: 29/09/2006.
Revision date: 20/12/2007.
Identifiers: 102711, 102747, 20061001-01-P, 6476279, AK-2006-06, AK-2006-07, BID-20246, BID-20247, BID-20248, BID-20249, BID-26093, c00805100, c00849540, c00967144, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-454, CERTA-2006-AVI-521, CERTA-2007-AVI-051, CERTA-2008-AVI-141, cisco-sr-20061108-openssl, CSCek57074, CSCsg09619, CSCsg24311, CSCsg58599, CSCsg58607, CSCtx20378, CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343, DSA-1185-1, DSA-1195-1, emr_na-c01203958-1, FEDORA-2006-1004, FreeBSD-SA-06:23.openssl, FSC-2006-6, HPSBTU02207, HPSBUX02174, HPSBUX02186, MDKSA-2006:172, MDKSA-2006:177, MDKSA-2006:178, NetBSD-SA2008-007, RHSA-2006:0695-01, RHSA-2008:0264-01, RHSA-2008:0525-01, SSA:2006-272-01, SSRT061213, SSRT061239, SSRT071299, SSRT071304, SUSE-SA:2006:058, SUSE-SR:2006:024, TLSA-2006-33, TLSA-2007-52, VIGILANCE-VUL-6185, VU#247744, VU#386964, VU#423396, VU#547300.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

Certain ASN.1 structures can generate an error leading to an infinite loop which consumes system memory. This condition thus permits a denial of service on the system. [severity:3/4; BID-20248, CERTA-2006-AVI-421, CERTA-2006-AVI-448, CERTA-2006-AVI-521, CERTA-2008-AVI-141, CVE-2006-2937, VU#247744]

Certain types of public keys encoded with ASN.1 can take an extremely long time to decode. An attacker can thus use this vulnerability to generate a denial of service. [severity:3/4; BID-20247, CERTA-2007-AVI-051, CVE-2006-2940, VU#423396]

A buffer overflow in the SSL_get_shared_ciphers() function permits an attacker to run code on the system by sending a succession of malicious packets to an application using OpenSSL. [severity:3/4; BID-20249, CVE-2006-3738, VU#547300]

An attacker can create a malicious SSLv2 server in order to generate a denial of service on connected clients. [severity:2/4; BID-20246, CVE-2006-4343, VU#386964]

computer vulnerability note 5359

TCP: denial of service with optimistic acknowledgement

Synthesis of the vulnerability

An attacker can prematurely send acknowledgement packets to force a remote TCP stack to increase its sending rate.
Impacted products: Juniper E-Series, Juniper J-Series, JUNOS, JUNOSe, NetScreen Firewall, ScreenOS, TCP protocol.
Severity: 2/4.
Creation date: 14/11/2005.
Identifiers: BID-15468, PSN-2005-12-004, VIGILANCE-VUL-5359, VU#102014.

Description of the vulnerability

A TCP stack acknowledges received data by returning an acknowledgement number corresponding to the end of the data received. The remote TCP stack uses these numbers to estimate the available bandwidth and thus to optimize its sending throughput.

An attacker can acknowledge data not yet received. The remote stack's algorithm then concludes that the throughput rate can be increased.

An attacker can therefore force a remote computer to send large amounts of data, eventually saturating its Internet connection. Several attack variants exist.