NetScreen weaker VPN encryption
Date: 2003-04-17

Author: NetScreen <support@netscreen.com>

Title: NetScreen Security Advisory 57226

Date: 16 April 2003

Impact: Weaker IPSec Tunnel Security Than Intended

Affected Products: Global PRO Policy Manager versions 4.0.0r1 through 4.0.0r5; 4.1.0r1

Max Risk: Medium


An error in the Global PRO Policy Manager definitions for IPSec phase 1 and phase 2 proposals using the AES cryptographic algorithms causes VPN configurations in NetScreen firewall/VPN appliances and systems to use the DES cryptographic algorithm instead of the expected AES128.

All VPNs defined on NetScreen devices managed by Global PRO using the predefined proposals named "g2-aes128-sha", "g2-aes128-md5", "esp-aes128-sha", and "esp-aes128-md5" are affected.

Recommended Actions:

(1) Create custom proposals for IPSec phase 1 and phase 2 using AES128 as the cryptographic algorithm.
(2) Update all affected VPN configurations to use these custom proposals.
(3) As soon as practical, upgrade your Global PRO to the maintenance release identified below or a later version.
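
An added example, not part of NetScreen's advisory or software: because the defect leaves the proposal name saying AES128 while the VPN uses DES, this Python code decodes the attributes of an IKEv1 phase 1 Transform payload (RFC 2408/2409 encoding) so that the cipher actually offered can be checked against the one expected. The function names and sample payloads are constructed for illustration. Phase 2 proposals are negotiated inside the encrypted phase 1 channel and have to be checked on the device instead.

```python
import struct

# IKEv1 phase 1 attribute classes (RFC 2409 Appendix A); AES-CBC is value 7 (RFC 3602).
ATTR_ENCRYPTION, ATTR_KEY_LENGTH = 1, 14
CIPHERS = {1: "DES", 5: "3DES", 7: "AES"}

def parse_transform(payload: bytes) -> dict:
    """Decode one ISAKMP Transform payload (RFC 2408, 3.6) into {attribute: value}."""
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte transform header")
    _nxt, _rsv, length, _num, _tid, _rsv2 = struct.unpack("!BBHBBH", payload[:8])
    if not 8 <= length <= len(payload):
        raise ValueError("payload length field is inconsistent")
    attrs, off = {}, 8
    while off + 4 <= length:
        atype, field = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if atype & 0x8000:                 # AF bit set: value sits in the 2-byte field
            attrs[atype & 0x7FFF] = field
        else:                              # AF bit clear: field is the value's length
            if off + field > length:
                raise ValueError("attribute runs past the payload")
            attrs[atype] = int.from_bytes(payload[off:off + field], "big")
            off += field
    return attrs

def offered_cipher(payload: bytes) -> str:
    """Name the cipher a transform offers, e.g. 'DES' or 'AES128'."""
    attrs = parse_transform(payload)
    name = CIPHERS.get(attrs.get(ATTR_ENCRYPTION), "UNKNOWN")
    if name == "AES":                      # AES needs the key length to be meaningful
        name += str(attrs.get(ATTR_KEY_LENGTH, ""))
    return name

def matches_expectation(payload: bytes, expected: str = "AES128") -> bool:
    return offered_cipher(payload) == expected

def build_transform(pairs) -> bytes:
    """Helper that builds constructed sample payloads from (attribute, value) pairs."""
    body = b"".join(struct.pack("!HH", 0x8000 | a, v) for a, v in pairs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, 1, 0) + body

# Constructed samples: cipher, [key length], hash=SHA, auth=pre-shared key, DH group 2.
SAMPLE_AES128 = build_transform([(1, 7), (14, 128), (2, 2), (3, 1), (4, 2)])
SAMPLE_DES = build_transform([(1, 1), (2, 2), (3, 1), (4, 2)])

if __name__ == "__main__":
    for label, sample in (("expected", SAMPLE_AES128), ("affected", SAMPLE_DES)):
        verdict = "ok" if matches_expectation(sample) else "MISMATCH: not AES128"
        print(f"{label}: offers {offered_cipher(sample)} -> {verdict}")
```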

Global PRO 4.1.1, targeted for release on 5/15, will address this issue. New VPNs created after installing or upgrading to this release will not be prone to this issue. Upon upgrading to this release and pushing configuration to the devices, previously existing VPNs will also be fixed.

If you have a release of Global PRO not addressed by the maintenance release above, please contact support@netscreen.com.

How to Get Global PRO:

If you have registered your product with NetScreen and have a valid service contract, you can simply download the software from:

You will be prompted for your User ID and Password. Enter all or part of your company name as your User ID and your registered NetScreen device serial number as the password.

If you have not yet registered your product with NetScreen, you will need to contact NetScreen Technical Support for special instructions on how to obtain the fixed software. NetScreen Technical Support can be reached from 8 a.m. to 5 p.m. Pacific time Monday through Friday excluding weekends and observed holidays.

You may contact them via email at: support@netscreen.com
or via phone at: 877-638-7273 or 408-543-2100 Option #1

Please reference this Advisory title as evidence of your entitlement to the fixed software version.

NetScreen authorized channel partners have access to NetScreen software versions and may also be a way to obtain the new release.


Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy