TUCoPS :: Network Appliances :: bt479.txt

Authentication Vulnerability in NetScreen ScreenOS

Authentication Vulnerability in NetScreen ScreenOS

Versions affected: ScreenOS 4.0.2r2.0 - possibly all versions

Summary of problem: NetScreen firewalls have a feature that if 
enabled, requires users to provide a username and password to access  
resources and services behind a firewall, such as http (80/tcp). 
However, after a user is authenticated, anyone else may also access 
the protected services if they orginate from the same source IP 
address (NAT'd network). The authentication mechanism is designed to 
authenticate based on source-ip address only. This can expose 
protected systems to unauthorized access if it is enabled.

After searching through the NetScreen documentation, I was unable to 
find any warning about this. NetScreen does not inform the firewall 
administrator of this design.

Thus, we contacted NetScreen. Below is the request to and the reply 
from NetScreen Support.

I am posting this so that anyone that uses this sort of authentication 
on the Netscreen is aware of this problem.

Submitted 05/23/2003

I am running ScreenOS 4.0.2r2.0.  I use the feature for user 
authentication via local DB.  I have discovered that if a valid user 
connects to my network, and is properly authenticated by the 
netscreen, and if that user is originating from a NATed network, then 
my netscreen will proceed to allow anybody else coming from that same 
NATed source network.  
This exposes my systems to attack and possible compromise from others 
on that NATed network who might happen to attempt connections to my 
systems (covered in the associated policies).

Maybe this has been corrected in more recent versions of ScreenOS.  If 
so, then I have difficulties, since my 90 day access to software  
upgrades has lapsed.

Maybe there is some additional configuration setting that I must use 
in order to address this.

Your help would be appreciated.  Thanks.

Recieved 05/23/2003

Dear Valued Customer,

Thank you for contacting us at the NetScreen Technical Assistance 

The current authentication mechanism is designed to authenticate based 
on source-ip address only.  So if multiple users access NetScreen from 
the same source-ip, then once the NetScreen authenticates the first 
user, an Authentication session is established and the NetScreen will 
allow all the other users access without authenticating since they 
have the same source-ip address.

That means other users from the same LAN can go through without being 
challenged for authentication. Unfortunately, there is no workaround 
for this.  If authentication is required in this topology, it is 
recommended that authentication occur at the first NAT device, before 
it reaches the NetScreen. You can find more information regarding the 
same issue on the following URL:


Thank you.

Technical Assistance Center-eSupport Division
NetScreen Technologies, Inc.
408-543-2100 Main
877-638-7273 technical support

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH