Make sure your Netscreens are up to date and properly locked down, especially if you're obtaining older or reworked equipment:
From: [EMAIL PROTECTED]
Subject: Netscreen 25 unauthorised reboot issue
Date: Mon, 27 May 2002 18:33:31 +0100
To: [EMAIL PROTECTED]

Please note that this advisory was prepared before speaking to Netscreen's US operation. Nothing of this vulnerability has been discussed here (or on vuln-dev), hence this email. Additionally, it is not shown on Netscreen's security alerts page (http://www.netscreen.com/support/alert.html) as of 25.05.2002.

After speaking to their 3rd line support in the US (eventually) I was informed that this had been fixed. Indeed, the problem *has* been fixed as of ScreenOS 3.0.1r2 (however, you have to look in the release notes to discover this - ref cs00232). I wonder how many people are still running affected firmware?

#Synopsis

A remote user (who is unauthenticated) can cause a Netscreen 25 (other versions untested) to reboot remotely. Software version 3.0.1r1.1, which was current as of about 1 month ago, has no alerts shown against it on Netscreen's security alerts page.
#Method

Log on to the netscreen with a user name of

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

and the device reboots. This looks similar to http://www.net-security.org/vuln.php?id=577 from a year ago.

Remote syslog shows just that the device's interfaces came back up:

May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface trust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface untrust has changed to Up (2002-05-24 13:36:47)
May 24 14:36:59 192.168.1.100 phaedra: NetScreen device_id=phaedra system-notification-00513: The physical state of the interface DMZ has changed to Up (2002-05-24 13:36:48)

##### Start of console output #####

phaedra->
*******************************************************
Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Instruction TLB Miss)
GPR:
R0: 78787878 R1: 03044e50 R2: 00470928 R3: 00000000
R4: 03044e08 R5: 000000ac R6: 0074bde8 R7: 78787878
R8: 004c9d70 R9: 03a81d50 R10: 004fcb58 R11: 004d0000
R12: 40000024 R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1 R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000 R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878 R25: 78787878 R26: 78787878 R27: 78787878
R28: 78787878 R29: 78787878 R30: 78787878 R31: 78787878
Special Register:
CR: 20000024 XER: 00000000 LR: 78787878 CTR: 00000000
MSR: 00021200 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
SRR3: 00000000 DBSR: 00000000 TCR: fc000000 TSR: 04000000
ESR: 00000000 DEAR: 00000000 PID: 00000000
*******************************************************
Exception Dump
*******************************************************
System up time: 3 hours 20 minutes 48 seconds
Exception(Machine Check)
GPR:
R0: 78787878 R1: 03044d68 R2: 00470928 R3: 00000000
R4: 00000000 R5: 00000000 R6: 78787878 R7: 002fffd4
R8: 004c9d70 R9: 00000000 R10: 000002ec R11: 00000020
R12: 40000024 R13: 004d1344 R14: 000d0904 R15: 80020020
R16: 43c00da1 R17: 300b6030 R18: 60101022 R19: 00000000
R20: 00750000 R21: 00470000 R22: 00000001 R23: 00755078
R24: 78787878 R25: 78787878 R26: 78787878 R27: 00000001
R28: 03044d94 R29: 0000001f R30: 78787878 R31: 00000000
Special Register:
CR: 40000024 XER: 20000000 LR: 002fffd4 CTR: 00000000
MSR: 00000000 SRR0: 78787878 SRR1: 00029230 SRR2: 00300044
SRR3: 00021200 DBSR: 00000000 TCR: fc000000 TSR: 0c000000
ESR: 00000000 DEAR: 00000000 PID: 00000000
Trace Dump: 00300044 002fffd4 002ff8f4 002fee04 00000000
System Level: Image In Interrupt Level
********************************************************
Please use GDB to track the trace
********************************************************

NetScreen PowerPC 405GP BootROM V1.01
(c)1997-2002 NetScreen Technologies Inc. All rights reserved
Check Platform...... NS-25
<snip normal netscreen start up>

###### End

#Preliminary Conclusions

Restrict the IPs that can connect to the web interface, and upgrade to the latest version of ScreenOS.

#Vendor status

They had (as mentioned above) already fixed this issue, but had (in my personal opinion) not publicized it very well, hence this post.

Q
--
#####################
Quentyn Taylor
Sysadmin - Fotango
#####################
"I just went visual on this goofy looking Finn riding on a gnu, wielding one pissed off penguin... gah" Bob The Sane

On Tue, 28 May 2002, Clark, Steve wrote:
> Even the lower models of Netscreens will do this.
>
> Steve Clark
> Clark Systems Support, LLC
> AVIEN Charter Member
> "Who's watching your network?"
> www.clarksupport.com
> 301-610-9584 voice
> 240-465-0323 Efax
>
> The data furnished in connection with this document is deemed by Clark
> Systems Support, LLC., to contain proprietary and privileged information and
> shall not be disclosed or used for the benefit of others without the prior
> written permission of Clark Systems Support, LLC.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, May 28, 2002 6:31 PM
> To: [EMAIL PROTECTED]
> Subject: Product Recommendation
>
> My environment consists of NT4 Servers SP6a. Our web server hosts multiple
> web sites. We are using Proxy Server 2 for our users' Internet access
> gateway and for routing inbound Internet requests to the correct web site.
> We are on a single subnet LAN and the router has only the basic firewall
> configured; no other filter or filter sets.
>
> Our business requires us to connect to various customers' systems. These
> systems can be AS400 machines, DEC VAX machines and Windows based machines.
> More and more we are seeing customers request that we use their VPN
> solutions for connectivity. Various emulation applications are used along
> with the VPN connections as all our desktops are W2K.
>
> Proxy Server is preventing us from making some VPN connections because of
> the NATing that it does. We think that a firewall is the solution. The
> product needs to:
>
> Allow multiple site-to-site VPN connections
> Allow VPN connections to be made from desktops inside our LAN
> Allow IPSec and PPTP and other protocols/encryptions thru
> Route incoming Internet requests to the correct private IP addresses of our
> web sites
> Replace Proxy Server as the Internet gateway
>
> Can you experts give me some recommendations on brands and models that will
> accommodate this?
>
> As you can tell, I'm new to the details of firewalls. Thanks for any
> suggestions/help in advance.
>
> Bill Lambert
> Endoxy Healthcare
> 847-941-9206
> [EMAIL PROTECTED]
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> For Account Management (unsubscribe, get/change password, etc) Please go to:
> http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
