[27692] in bugtraq


(Correction) Netscreen SSH1 CRC32 Compensation Denial of service

daemon@ATHENA.MIT.EDU (Erik Parker)
Fri Nov 1 17:09:09 2002

Date: Fri, 1 Nov 2002 12:58:45 -0600 (CST)
From: Erik Parker <erik.parker@digitaldefense.net>
To: bugtraq@securityfocus.com, <vulnwatch@vulnwatch.org>
In-Reply-To: <2175AA14AAC7D31186370080AD3ADF0D6F865A@EXCHANGE>
Message-ID: <Pine.LNX.4.44.0211011249410.1721-100000@xenos.digitaldefense.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


There is a major correction to this data. Netscreen contacted me a couple 
of minutes after posting this.  When they confirmed it was vulnerable to 
CRC32, it appears they were actually confirming there was a 'problem', and 
not the actual CRC32 bug. 

This DoS is unrelated to the CRC32 bug; however, the CRC32 exploit is
capable of causing the DoS.

As a temporary solution until Netscreen can release a new ScreenOS, you 
could disable SSH if this is a viable option for you.

So, it would appear Netscreen did NOT miss the CRC32 bugs that came out, 
and it's just a new one. 

It would appear Netscreen's lack of response was due to improper handling 
of the notifications and E-mails, combined with them moving offices over 
the past couple of weeks. product-sec-alert@netscreen.com seems to get you 
to the right place, at the right time.
