NetScreen Technologies Inc. Affected

Updated:  January 23, 2004

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: NetScreen Security Advisory 58290 Date: 19 January 2004 Impact: Communications between devices running ScreenOS 5.0 and NetScreen-Security Manager not encrypted Affected Products: NetScreen-Security Manager 2004 used with devices running ScreenOS 5.0 Max Risk: High Summary: The default installation of NetScreen-Security Manager does not automatically enable encryption of communications between NetScreen appliances and systems running ScreenOS 5.0 and the Device Server component of the management system. All communications between NetScreen-Security Manager and devices running ScreenOS 5.0 are clear text, allowing interception of configuration data by third parties, unless the fix below is implemented. Recommended Actions: Either of the following options will enable 128-bit AES encryption between NetScreen-Security Manager and devices running ScreenOS 5.0: (1) Add the following line in the devSvr.cfg file located in the /usr/netscreen/DevSvr/var/ folder, then restart DevSvr services: devSvrManager.cryptoKeyLength 128 - -OR- (2) As root, run the script 'addCryptoParam.sh', which is available on the NetScreen-Security Manager downloads page at www.netscreen.com/cso, then restart DevSvr services. NetScreen-Security Manager 2004 Feature Pack 1, available at a later date, will also address this issue. How to Get NetScreen-Security Manager: If you have registered your product with NetScreen and have a valid service contract, you can simply download the software from: http://www.netscreen.com/cso You will be prompted for your User ID and Password. Enter the whole or part of your company name as your User ID and enter your registered NetScreen-Security Manager serial number as the password. If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software. NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time Monday through Friday excluding weekends and observed holidays. You may contact them via email at: support@netscreen.com or via phone at: 877-638-7273 or 408-543-2100 Option #1 Please reference this Advisory title as evidence of your entitlement to the fixed software version. NetScreen authorized Value Added Resellers have access to NetScreen software versions and may also be a channel through which to obtain the new release. If you wish to verify the validity of this Security Advisory, the public PGP key can be accessed at http://www.netscreen.com/services/security/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) Comment: NetScreen Security Response Team iD8DBQFADDo8UUsgh8bp1hsRAmqzAJ9BU62nfz+nnQz1i7NXLacp4iK/yQCgrUEs 4EOhBTdyafPLTS84u39P+xI= =JKL9 -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.