Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Are Juniper Networks' firewall products affected by FireStorm vulnerability?



Article ID: KB30838 KB Last Updated: 31 Mar 2016Version: 1.0

The BugSec Group and Cynet published an article​ on Dec 9 2015 about a firewall bypass vulnerability in some Next Generation Firewalls. This vulnerability may allow data exfiltration to destinations forbidden by firewall policies. This is also known as the FireStorm vulnerability.​

Such a firewall bypass is not possible on Juniper's SRX and ScreenOS firewalls. Neither ScreenOS nor SRX will send packets to destinations that are forbidden by policy.

Our IDP and App-Secure (available on SRX) processing happens on top of normal policy processing. Normal policy processing is not relaxed in any way to allow IDP or App-Secure features. If security policies are properly setup, connections to forbidden destinations as described in the FireStorm article are not possible through SRX and ScreenOS firewalls.

ScreenOS and SRX provide another feature called strict-syn-checking to restrict packets during TCP 3-way handshake to prevent any packets until the 3-way handshake has completed for the connection that was allowed by security policies.

Additionally, when strict TCP SYN check option is enabled on SRX series devices, TCP handshake packets with extra data are dropped.

See KB4444 for more information about TCP SYN check option in ScreenOS.

See KB21266 for more information about TCP SYN check option in Junos.

Juniper Networks firewall products are not vulnerable to this firewall bypass vulnerability.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search