Software Engineering Institute

Updated:  January 23, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: NetScreen Security Advisory 58290
Date: 19 January 2004
Impact: Communications between devices running ScreenOS 5.0 and
NetScreen-Security Manager not encrypted
Affected Products: NetScreen-Security Manager 2004 used with devices
running ScreenOS 5.0
Max Risk: High

Summary:

The default installation of NetScreen-Security Manager does not
automatically enable encryption of communications between NetScreen
appliances and systems running ScreenOS 5.0 and the Device Server
component of the management system.

All communications between NetScreen-Security Manager and devices
running ScreenOS 5.0 are clear text, allowing interception of
configuration data by third parties, unless the fix below is
implemented.

Recommended Actions:

Either of the following options will enable 128-bit AES encryption
between NetScreen-Security Manager and devices running ScreenOS 5.0:

(1)  Add the following line in the devSvr.cfg file located in the
/usr/netscreen/DevSvr/var/ folder, then restart DevSvr services:

devSvrManager.cryptoKeyLength 128


- -OR-

(2)   As root, run the script 'addCryptoParam.sh', which is available
on the NetScreen-Security Manager downloads page at www.netscreen.com/cso,
then restart DevSvr services.

NetScreen-Security Manager 2004 Feature Pack 1, available at a later
date, will also address this issue.

How to Get NetScreen-Security Manager:

If you have registered your product with NetScreen and have a valid
service contract, you can simply download the software from:
http://www.netscreen.com/cso

You will be prompted for your User ID and Password. Enter the whole or
part of your company name as your User ID and enter your registered
NetScreen-Security Manager serial number as the password.

If you have not yet registered your product with NetScreen, you will
need to contact NetScreen Technical Support for special instructions on
how to obtain the fixed software. NetScreen Technical Support can be
reached from 8 a.m. to 5 p.m. Pacific time Monday through Friday
excluding weekends and observed holidays. You may contact them via
email at:
support@netscreen.com
or via phone at:
877-638-7273 or 408-543-2100 Option #1

Please reference this Advisory title as evidence of your entitlement to
the fixed software version.

NetScreen authorized Value Added Resellers have access to NetScreen
software versions and may also be a channel through which to obtain the
new release.

If you wish to verify the validity of this Security Advisory, the
public PGP key can be accessed at
http://www.netscreen.com/services/security/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: NetScreen Security Response Team <security-alert@netscreen.com>

iD8DBQFADDo8UUsgh8bp1hsRAmqzAJ9BU62nfz+nnQz1i7NXLacp4iK/yQCgrUEs
4EOhBTdyafPLTS84u39P+xI=
=JKL9
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.