NetScreen Firewalls
Problem:
A Denial of Service (DoS) issue has been found in Juniper Networks NetScreen Firewall products. When encountered, this issue can cause the device to crash and reboot. If an attacker were to repeatedly exploit the issue, a sustained denial of service could take place on the device. The issue is not encountered unless a feature is enabled that requires the device to use its built-in DNS lookup client.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
Solution:
A software update for ScreenOS has been released to resolve this issue. The fix is included in ScreenOS 6.3r17 and subsequent releases.
KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
There is no workaround for this issue. An upgrade to a fixed version of the software is required for the fix.
How do I know if the built-in DNS lookup client is enabled?
Here are the commands to enable the DNS client:
set dns proxy
set dns proxy enable
set dns server-select domain * primary-server x.x.x.x secondary-server y.y.y.y tertiary-server z.z.z.z
set interface ethernet#/# proxy dns
Thanks,
So... essentially
If...
(M)-> get dns proxy
dns proxy not started
AND / OR
(M)-> get dns ddns
ddns client not started
If the above is true we do not need to patch our firewalls? Please clarify.
Warm regards
If you did not start your DNS client then you do not need to patch your NetScreen now. However, it is advisable to upgrade to the latest ScreenOS once it is available.
Thank you Sire!
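The triage rule discussed in the thread (check the ScreenOS release against 6.3r17, then check whether the DNS proxy or DDNS client is started) can be applied to captured CLI output. The helper below is an added example, not Juniper code; the sample outputs are constructed, and it assumes that any `get dns proxy` / `get dns ddns` output other than the "not started" lines quoted above means the component is running.

```python
import re

# Release named in the advisory as containing the fix ("6.3r17 and subsequent releases").
FIXED_RELEASE = (6, 3, 17)

# Constructed sample output, modelled on the lines quoted in the comment thread.
SAMPLE_PROXY_OFF = "dns proxy not started"
SAMPLE_DDNS_OFF = "ddns client not started"
SAMPLE_PROXY_ON = "dns proxy started\n  domain * primary 192.0.2.53"  # constructed, not real ScreenOS output


def parse_screenos_version(version: str) -> tuple:
    """Turn a release string such as '6.3r17' into a comparable (major, minor, r) tuple.
    Assumption: extra components like '6.3.0r17.0' may appear and are ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)?r(\d+)(?:\.\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    return tuple(int(x) for x in m.groups())


def dns_client_in_use(get_dns_proxy: str, get_dns_ddns: str) -> bool:
    """True unless both commands report their component as not started."""
    proxy_off = "dns proxy not started" in get_dns_proxy.lower()
    ddns_off = "ddns client not started" in get_dns_ddns.lower()
    return not (proxy_off and ddns_off)


def classify(version: str, get_dns_proxy: str, get_dns_ddns: str) -> str:
    """Return one of 'fixed', 'patch now' or 'upgrade when possible'.

    'patch now' follows the advisory: a pre-6.3r17 release with the DNS client in use.
    'upgrade when possible' follows the commenter's advice for a pre-6.3r17 release
    whose DNS client is not started (the crash path is not reachable, but the code is unfixed)."""
    if parse_screenos_version(version) >= FIXED_RELEASE:
        return "fixed"
    if dns_client_in_use(get_dns_proxy, get_dns_ddns):
        return "patch now"
    return "upgrade when possible"


if __name__ == "__main__":
    print(classify("6.3r16", SAMPLE_PROXY_ON, SAMPLE_DDNS_OFF))   # patch now
    print(classify("6.3r16", SAMPLE_PROXY_OFF, SAMPLE_DDNS_OFF))  # upgrade when possible
    print(classify("6.3r17", SAMPLE_PROXY_ON, SAMPLE_DDNS_OFF))   # fixed
```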