Response to "TCP Split Handshake Attack" vulnerability in Juniper SRX firewalls

[JSA10476]

Product Affected:
SRX Series Firewalls running Junos
SSG Series, ISG Series, and NetScreen Firewalls running ScreenOS

On April 12, 2011, Network World published an article highlighting a study by NSS Labs entitled "Network Firewall 2011 Comparative Test Results." The study describes a previously released TCP Split Handshake Attack that reportedly allows access through firewall products from multiple vendors, including the Juniper Networks SRX Series firewall.

Juniper Networks is aware of the Network World article and has confirmed that a viable, easily configurable mitigation exists within our firewall products. KB20877 was released on April 14, 2011, to address concerns raised by the article and NSS Labs report. What follows is a summary of the information provided in the KB article.

In Junos on the SRX Series, the 'strict-syn-check' option, enabled under the [security flow tcp-session] hierarchy, enforces a strict three-way handshake check for TCP sessions, enhancing security by dropping data packets received before the three-way handshake has completed. Enabling the 'strict-syn-check' option completely blocks the TCP Split Handshake attack.

ScreenOS provides protection against the TCP Split Handshake Attack by enabling strict SYN checking using the CLI command 'set flow tcp-syn-check strict'.
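As an added illustration, not part of the advisory or of KB20877, the two mitigations above in the form an operator would actually type: the Junos set-command and stanza view for the SRX, shown beside the weaker setting that switches SYN checking off, followed by the ScreenOS command. The `no-syn-check` option, the configuration-mode `show` verification step and the `user@srx#` / `ns->` prompts are assumptions drawn from general Junos and ScreenOS usage, not from this advisory.

```junos
# --- SRX Series (Junos), configuration mode ---

# Weak (assumed option): SYN checking disabled, so data segments are
# accepted without a completed three-way handshake. Remove it if present.
user@srx# show security flow tcp-session
no-syn-check;
user@srx# delete security flow tcp-session no-syn-check

# Hardened: the option and hierarchy named in the advisory. Data packets
# that arrive before the three-way handshake completes are dropped.
user@srx# set security flow tcp-session strict-syn-check
user@srx# commit

# Verify: the hierarchy should now read exactly as below.
user@srx# show security flow tcp-session
strict-syn-check;

# Equivalent stanza as it appears in "show configuration":
security {
    flow {
        tcp-session {
            strict-syn-check;
        }
    }
}

# --- SSG / ISG / NetScreen (ScreenOS) ---

# Command as given in the advisory; "save" persists it across reboots.
ns-> set flow tcp-syn-check strict
ns-> save
```

On the SRX the change takes effect for sessions created after the commit, so existing sessions are not re-evaluated; on ScreenOS the setting is device-wide rather than per-zone.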

No other Juniper Networks products, including the Secure Access (SA) and Infranet Controller (IC) appliances, are vulnerable to this firewall evasion technique.
CVSS Overall Score: 3.7 (AV:N/AC:M/Au:N/C:P/I:N/A:N/E:P/RL:W/RC:C)

Decoded, the vector reads: Access Vector: Network; Access Complexity: Medium; Authentication: None; Confidentiality impact: Partial; Integrity impact: None; Availability impact: None; Exploitability: Proof-of-Concept; Remediation Level: Workaround; Report Confidence: Confirmed. The base score of 4.3 is reduced to the temporal score of 3.7 by the proof-of-concept exploitability and the availability of the configuration workaround described above.