ESB-2018.1127 - [Juniper] OpenSSL: Multiple vulnerabilities 2018-04-12

             AUSCERT External Security Bulletin Redistribution

        Security Bulletin: OpenSSL Security Advisory [07 Dec 2017]
                               12 April 2018


        AusCERT Security Bulletin Summary

Product:           OpenSSL
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Confidential Data       -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3738 CVE-2017-3737 CVE-2017-3736

Reference:         ASB-2017.0209

Original Bulletin:

--------------------------BEGIN INCLUDED TEXT--------------------

2018-04 Security Bulletin: OpenSSL Security Advisory [07 Dec 2017]

CVSS Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Risk Level: Medium
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at
KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security

Product Affected:

This issue affects many products and platforms, including Junos OS, NorthStar,


The OpenSSL project has published a security advisory for vulnerabilities
resolved in the OpenSSL library on December 7, 2017. The following is a summary
of these vulnerabilities and their status with respect to Juniper products:

CVE-2017-3735
  CVSS:    5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/
  Summary: While parsing an IPAddressFamily extension in an X.509
           certificate, it is possible to do a one-byte overread. This would
           result in an incorrect text display of the certificate. This bug
           has been present since 2006 and is present in all versions of
           OpenSSL before 1.0.2m and 1.1.0g.

CVE-2017-3736
  CVSS:    6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  Summary: There is a carry propagating bug in the x86_64 Montgomery squaring
           procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC
           algorithms are affected. Analysis suggests that attacks against
           RSA and DSA as a result of this defect would be very difficult to
           perform and are not believed likely. Attacks against DH are
           considered just feasible (although very difficult) because most of
           the work necessary to deduce information about a private key may
           be performed offline. The amount of resources required for such an
           attack would be very significant and likely only accessible to a
           limited number of attackers. An attacker would additionally need
           online access to an unpatched system using the target private key
           in a scenario with persistent DH parameters and a private key that
           is shared between multiple clients. This only affects processors
           that support the BMI1, BMI2 and ADX extensions like Intel
           Broadwell (5th generation) and later or AMD Ryzen.

CVE-2017-3737
  CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Summary: OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
           state" mechanism. The intent was that if a fatal error occurred
           during a handshake then OpenSSL would move into the error state
           and would immediately fail if you attempted to continue the
           handshake. This works as designed for the explicit handshake
           functions (SSL_do_handshake(), SSL_accept() and SSL_connect()),
           however due to a bug it does not work correctly if SSL_read() or
           SSL_write() is called directly. In that scenario, if the handshake
           fails then a fatal error will be returned in the initial function
           call. If SSL_read()/SSL_write() is subsequently called by the
           application for the same SSL object then it will succeed and the
           data is passed without being decrypted/encrypted directly from the
           SSL/TLS record layer. In order to exploit this issue an
           application bug would have to be present that resulted in a call
           to SSL_read()/SSL_write() being issued after having already
           received a fatal error. OpenSSL version 1.0.2b-1.0.2m are
           affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.

CVE-2017-3738
  CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Summary: There is an overflow bug in the AVX2 Montgomery multiplication
           procedure used in exponentiation with 1024-bit moduli. No EC
           algorithms are affected. Analysis suggests that attacks against
           RSA and DSA as a result of this defect would be very difficult to
           perform and are not believed likely. Attacks against DH1024 are
           considered just feasible, because most of the work necessary to
           deduce information about a private key may be performed offline.
           The amount of resources required for such an attack would be
           significant. However, for an attack on TLS to be meaningful, the
           server would have to share the DH1024 private key among multiple
           clients, which is no longer an option since CVE-2016-0701. This
           only affects processors that support the AVX2 but not ADX
           extensions like Intel Haswell (4th generation). Note: The impact
           from this issue is similar to CVE-2017-3736, CVE-2017-3732 and
           CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are
           affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this
           issue we are not issuing a new release of OpenSSL 1.1.0 at this
           time. The fix will be included in OpenSSL 1.1.0h when it becomes
           available. The fix is also available in commit e502cc86d in the
           OpenSSL git repository.
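
The affected-version ranges and CPU conditions from the summary above, expressed as a triage check (an added example, not part of the Juniper or OpenSSL advisory text). It assumes a plain upstream OpenSSL 1.x version string and Linux /proc/cpuinfo flag names; the function names and the sample input are constructed for illustration.

```python
import re

def parse_version(s):
    """Turn an OpenSSL 1.x version such as '1.0.2m' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", s.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {s!r}")
    # Letter suffix: '' -> 0, 'a' -> 1 ... 'z' -> 26, 'za' -> 27 (letters summed).
    patch = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)

V = parse_version
BMI_ADX = {"bmi1", "bmi2", "adx"}
# (CVE, first affected, first fixed, CPU flags required, CPU flags that rule it out),
# transcribed from the summary; flag names follow Linux /proc/cpuinfo (assumption).
RULES = [
    ("CVE-2017-3735", V("0.0.0"), V("1.0.2m"), set(), set()),
    ("CVE-2017-3735", V("1.1.0"), V("1.1.0g"), set(), set()),
    ("CVE-2017-3736", V("0.0.0"), V("1.0.2m"), BMI_ADX, set()),
    ("CVE-2017-3736", V("1.1.0"), V("1.1.0g"), BMI_ADX, set()),
    ("CVE-2017-3737", V("1.0.2b"), V("1.0.2n"), set(), set()),
    ("CVE-2017-3738", V("1.0.2"), V("1.0.2n"), {"avx2"}, {"adx"}),
    ("CVE-2017-3738", V("1.1.0"), V("1.1.0h"), {"avx2"}, {"adx"}),
]

def cpu_flags_from_cpuinfo(text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in text.splitlines():
        name, _, value = line.partition(":")
        if name.strip() == "flags":
            return set(value.split())
    return None  # unknown CPU: CPU-specific CVEs are then reported as applicable

def applicable_cves(openssl_version, cpu_flags=None):
    """List the CVEs from this bulletin that apply to a version/CPU pair."""
    v = parse_version(openssl_version)
    hits = set()
    for cve, lo, hi, need, ruled_out in RULES:
        cpu_ok = cpu_flags is None or (need <= cpu_flags and not (ruled_out & cpu_flags))
        if lo <= v < hi and cpu_ok:
            hits.add(cve)
    return sorted(hits)

# Constructed sample input (not from a real host): AVX2 and BMI present, no ADX.
SAMPLE_CPUINFO = "model name : example\nflags : fpu sse2 avx2 bmi1 bmi2\n"

if __name__ == "__main__":
    for ver in ("1.0.2k", "1.0.2m", "1.0.2n", "1.1.0g"):
        print(ver, applicable_cves(ver, cpu_flags_from_cpuinfo(SAMPLE_CPUINFO)))
```

This checks the OpenSSL library version only; for Juniper products, exposure is determined by the fixed release lists that follow, and vendor builds that backport fixes will not match upstream version strings.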



The following software releases have been updated to resolve this specific
issue: 12.3X48-D70, 14.1R9, 14.1X53-D130, 14.1X53-D47, 15.1R6-S6, 15.1R7,
15.1X49-D130, 15.1X53-D233, 15.1X53-D471, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8,
16.1R5-S4, 16.1R6-S3, 16.2R1-S6, 16.2R2-S5, 17.1R2-S6, 17.2R2-S3, 17.3R3*,
17.4R2*, 18.1R1, and all subsequent releases.

*Late availability


The following software releases have been updated to resolve this specific
issue: NorthStar 3.0.2, 3.1.1, 3.2.1, and all subsequent releases.


The following software releases have been updated to resolve this specific
issue: 2012.2R14, and all subsequent releases.


The following software releases have been updated to resolve this specific
issue: 7.3R4, 7.4R2, and all subsequent releases.


The following software releases have been updated to resolve this specific
issue: 7.3R4, 7.4R1, and all subsequent releases.

This advisory will be updated as additional products are analyzed and fixes
become available.

These issues are being tracked as PR 1328891, 1328901, 1328898, 1328896,
1328895 and 1250405 which are visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).


Junos: Since SSL is used for remote network configuration and management
applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable
workarounds for this issue in Junos may include:

    Disable J-Web
    Disable SSL service for JUNOScript and use only Netconf, which makes use of
    SSH, to make configuration changes
    Limit access to J-Web and XNM-SSL to trusted networks only

Others: Limit the exploitable attack surface of critical infrastructure
networking equipment. Use access lists or firewall filters to limit access to
the device via SSL only from trusted, administrative networks or hosts.


Software Releases, patches and updates are available at

Modification History:

    2018-04-11: Initial Publication

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

