Knowledge Search


2013-12 Security Bulletin: NetScreen Firewall: Crafted packet can cause denial of service (CVE-2013-6958)

  [JSA10604] Show Article Properties

Product Affected:
This issue can affect SSG Series, ISG Series, and NS Series devices running ScreenOS 6.3, 6.2, and 5.4 (on NS 5GT only).
A denial of service (DoS) issue has been found in ScreenOS. If the "Ping of Death" screen is enabled, the issue will not take place. However, if it is not enabled it is possible to experience a denial of service with certain malformed packets. By default the Ping of Death screen is enabled on the untrust zone, but not the trust zone.

This issue was discovered by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-6958
On ScreenOS 6.3, 6.2, and 5.4 you can enable the Ping of Death screen to be protected from this issue.

We will also be releasing a fix for this issue in 6.3.0.r16, which is expected to be posted to the support site by the end of 2013. This fix will allow the firewall to be protected against this issue even if the Ping of Death screen is not enabled.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
See the solution section.
Related Links:
CVSS Score:
7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
Severity Level:
Juniper Networks would like to thank Shuichiro Suzuki of FFRI, Inc. for reporting this issue. We would also like to thank JPCERT/CC for their help in coordinating this issue.