Authentication Vulnerability in NetScreen ScreenOS Versions affected: ScreenOS 4.0.2r2.0 - possibly all versions Summary of problem: NetScreen firewalls have a feature that if enabled, requires users to provide a username and password to access resources and services behind a firewall, such as http (80/tcp). However, after a user is authenticated, anyone else may also access the protected services if they orginate from the same source IP address (NAT'd network). The authentication mechanism is designed to authenticate based on source-ip address only. This can expose protected systems to unauthorized access if it is enabled. After searching through the NetScreen documentation, I was unable to find any warning about this. NetScreen does not inform the firewall administrator of this design. Thus, we contacted NetScreen. Below is the request to and the reply from NetScreen Support. I am posting this so that anyone that uses this sort of authentication on the Netscreen is aware of this problem. REQUEST FOR ASSISTANCE FROM NETSCREEN: -------------------------------------- Submitted 05/23/2003 I am running ScreenOS 4.0.2r2.0. I use the feature for user authentication via local DB. I have discovered that if a valid user connects to my network, and is properly authenticated by the netscreen, and if that user is originating from a NATed network, then my netscreen will proceed to allow anybody else coming from that same NATed source network. This exposes my systems to attack and possible compromise from others on that NATed network who might happen to attempt connections to my systems (covered in the associated policies). Maybe this has been corrected in more recent versions of ScreenOS. If so, then I have difficulties, since my 90 day access to software upgrades has lapsed. Maybe there is some additional configuration setting that I must use in order to address this. Your help would be appreciated. Thanks. RESPONSE FROM NETSCREEN: ------------------------ Recieved 05/23/2003 Dear Valued Customer, Thank you for contacting us at the NetScreen Technical Assistance Center. The current authentication mechanism is designed to authenticate based on source-ip address only. So if multiple users access NetScreen from the same source-ip, then once the NetScreen authenticates the first user, an Authentication session is established and the NetScreen will allow all the other users access without authenticating since they have the same source-ip address. That means other users from the same LAN can go through without being challenged for authentication. Unfortunately, there is no workaround for this. If authentication is required in this topology, it is recommended that authentication occur at the first NAT device, before it reaches the NetScreen. You can find more information regarding the same issue on the following URL: http://services.netscreen.com/eserverweb/esupport_customer/consumer/esu pport.asp?id=nskb980 Thank you. Technical Assistance Center-eSupport Division NetScreen Technologies, Inc. 408-543-2100 Main 877-638-7273 technical support