Hi! This is the ezmlm program. I'm managing the
bugtraq@securityfocus.com mailing list.
I'm working for my owner, who can be reached
at bugtraq-owner@securityfocus.com.
Messages to you from the bugtraq mailing list seem to
have been bouncing. I've attached a copy of the first bounce
message I received.
If this message bounces too, I will send you a probe. If the probe bounces,
I will remove your address from the bugtraq mailing list,
without further notice.
I've kept a list of which messages from the bugtraq mailing list have
bounced from your address.
Copies of these messages may be in the archive.
To retrieve a set of messages 123-145 (a maximum of 100 per request),
send an empty message to:
<bugtraq-get.123_145@securityfocus.com>
To receive a subject and author list for the last 100 or so messages,
send an empty message to:
<bugtraq-index@securityfocus.com>
Here are the message numbers:
7092
7131
--- Enclosed is a copy of the bounce message I received.
Return-Path: <>
Received: (qmail 16824 invoked from network); 1 Nov 2002 22:44:09 -0000
Received: from unknown (HELO securityfocus.com) (205.206.231.9)
by lists.securityfocus.com with SMTP; 1 Nov 2002 22:44:09 -0000
Received: (qmail 28255 invoked by alias); 1 Nov 2002 22:56:23 -0000
Received: (qmail 11202 invoked from network); 1 Nov 2002 22:53:25 -0000
Received: from outgoing3.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.27)
by mail.securityfocus.com with SMTP; 1 Nov 2002 22:53:25 -0000
Received: by outgoing.securityfocus.com (Postfix)
id C8B95A36DB; Fri, 1 Nov 2002 15:43:41 -0700 (MST)
Date: Fri, 1 Nov 2002 15:43:41 -0700 (MST)
From: MAILER-DAEMON@outgoing.securityfocus.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: bugtraq-return-7092-list-bugtraq=spinics.net@securityfocus.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="703B4A30B8.1036190585/outgoing.securityfocus.com"
Message-Id: <20021101224341.C8B95A36DB@outgoing.securityfocus.com>
This is a MIME-encapsulated message.
--703B4A30B8.1036190585/outgoing.securityfocus.com
Content-Description: Notification
Content-Type: text/plain
This is the Postfix program at host outgoing.securityfocus.com.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can
delete your own text from the message returned below.
The Postfix program
<list-bugtraq@spinics.net>: Name service error for spinics.net: Host found but
no data record of requested type
--703B4A30B8.1036190585/outgoing.securityfocus.com
Content-Description: Delivery error report
Content-Type: message/delivery-status
Reporting-MTA: dns; outgoing.securityfocus.com
Arrival-Date: Fri, 1 Nov 2002 11:45:11 -0700 (MST)
Final-Recipient: rfc822; list-bugtraq@spinics.net
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; Name service error for spinics.net: Host found but
no data record of requested type
--703B4A30B8.1036190585/outgoing.securityfocus.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
by outgoing.securityfocus.com (Postfix) with QMQP
id 703B4A30B8; Fri, 1 Nov 2002 11:45:11 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 7006 invoked from network); 1 Nov 2002 18:22:24 -0000
From: "John" <audit01@ameritech.net>
To: "Erik Parker" <erik.parker@digitaldefense.net>
Subject: RE: Netscreen SSH1 CRC32 Compensation Denial of service
Date: Fri, 1 Nov 2002 13:48:05 -0500
Message-ID: <KFEHJCKKDJHJNPGFNNFJEEMCCHAA.audit01@ameritech.net>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
In-Reply-To: <Pine.LNX.4.44.0211011200460.1721-100000@xenos.digitaldefense.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
I was able to duplicate this on 4 different Netscreen-100's with Software
Version 3.0.1r2.0
John
-----Original Message-----
From: Erik Parker [mailto:erik.parker@digitaldefense.net]
Sent: Friday, November 01, 2002 1:31 PM
To: bugtraq@securityfocus.com; vulnwatch@vulnwatch.org
Subject: Netscreen SSH1 CRC32 Compensation Denial of service
Discovered by: HD Moore
Products Tested: Netscreen-25 (All models expected to be vulnerable)
Vendor contacted: October 23rd
Vendor confirmed: October 23rd
CVE: CVE-2001-0144 covered this bug.
Original Bug discovered by: Michal Zalewski of the BindView RAZOR Team.
In February of 2001, BindView's RAZOR Team announced the SSH1 CRC32
compensation attack detector bug. After all was said and done, several
vendors found their SSH implementations were vulnerable. Netscreen seems
to have overlooked this for a year and 8 months.
By default the Netscreen does not ship with SSH enabled, and Netscreen
usually doesn't encourage their customers to even access the CLI on their
devices. However, in the GUI you can enabled SSH, and disable telnet. This
only opens SSH on the trusted interfaces, unless you specifically add
rules to forward to this interface/port. On a normal system with SSH
enabled, the unit will only be vulnerable to attackers on the trusted side.
If you use any of the CRC32 exploits out there, the unit will crash
immediately, and require a hard reboot. It does not appear from our
analysis that anything more than a crash can occur from this.
The vendor assured a response with an ETA to a fix by October 25th. After
trying to get more information from them a few times after October 25th
passed, it has fallen on deaf ears.
--
Erik Parker
Digital Defense, Inc.
--703B4A30B8.1036190585/outgoing.securityfocus.com--
