Authentication Vulnerability in NetScreen ScreenOS
Versions affected: ScreenOS 4.0.2r2.0 - possibly all versions
Summary of problem: NetScreen firewalls have a feature that if
enabled, requires users to provide a username and password to access
resources and services behind a firewall, such as http (80/tcp).
However, after a user is authenticated, anyone else may also access
the protected services if they orginate from the same source IP
address (NAT'd network). The authentication mechanism is designed to
authenticate based on source-ip address only. This can expose
protected systems to unauthorized access if it is enabled.
After searching through the NetScreen documentation, I was unable to
find any warning about this. NetScreen does not inform the firewall
administrator of this design.
Thus, we contacted NetScreen. Below is the request to and the reply
from NetScreen Support.
I am posting this so that anyone that uses this sort of
on the Netscreen is aware of this problem.
REQUEST FOR ASSISTANCE FROM NETSCREEN:
I am running ScreenOS 4.0.2r2.0. I use the feature for user
authentication via local DB. I have discovered that if a valid user
connects to my network, and is properly authenticated by the
netscreen, and if that user is originating from a NATed network, then
my netscreen will proceed to allow anybody else coming from that same
NATed source network.
This exposes my systems to attack and possible compromise from others
on that NATed network who might happen to attempt connections to my
systems (covered in the associated policies).
Maybe this has been corrected in more recent versions of ScreenOS.
so, then I have difficulties, since my 90 day access to software
upgrades has lapsed.
Maybe there is some additional configuration setting that I must use
in order to address this.
Your help would be appreciated. Thanks.
RESPONSE FROM NETSCREEN:
Dear Valued Customer,
Thank you for contacting us at the NetScreen Technical Assistance
The current authentication mechanism is designed to authenticate
on source-ip address only. So if multiple users access NetScreen
the same source-ip, then once the NetScreen authenticates the first
user, an Authentication session is established and the NetScreen will
allow all the other users access without authenticating since they
have the same source-ip address.
That means other users from the same LAN can go through without being
challenged for authentication. Unfortunately, there is no workaround
for this. If authentication is required in this topology, it is
recommended that authentication occur at the first NAT device, before
it reaches the NetScreen. You can find more information regarding the
same issue on the following URL:
Technical Assistance Center-eSupport Division
NetScreen Technologies, Inc.Maintechnical support