(Correction) Netscreen SSH1 CRC32 Compensation Denial of service Nov 01 2002 06:58PM
Erik Parker (erik parker digitaldefense net)

There is a major correction to this data. Netscreen contacted me a couple
of minutes after posting this. When they confirmed it was vulnerable to
CRC32, it appears they were actually confirming there was a 'problem', and
not the actual CRC32 bug.

This DoS is unrelated to the CRC32 bug, however the CRC32 exploit is
capable of causing the DoS.

As a temporary solution until Netscreen can release a new ScreenOS, you
could disable SSH if this is a viable option for you.

So, it would appear Netscreen did NOT miss the CRC32 bugs that came out,
and it's just a new one.

It would appear Netscreen's lack of response was due to improper handling
of the notifications and E-mails, combined with them moving offices over
the past couple of weeks. product-sec-alert (at) netscreen (dot) com [email concealed] seems to get you
to the right place, at the right time.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus