===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1857
   2014-10 Out of Cycle Security Bulletin: Multiple products affected by
                SSL "POODLE" vulnerability (CVE-2014-3566)
                              16 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
                   Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series
                   ScreenOS
                   Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Confidential Data -- Remote with User Interaction
                   Reduced Security        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3566
Reference:         ASB-2014.0122
                   ESB-2014.1849

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL
"POODLE" vulnerability (CVE-2014-3566)

Categories:        Junos
                   Router Products
                   Security Products
                   Switch Products
                   SSL_VPN_(IVE_OS)
                   ScreenOS
                   SIRT Advisory
                   Security Advisories
ID:                JSA10656
Last Updated:      15 Oct 2014
Version:           2.0

Product Affected:
  Various products. Please see the list in the Problem section below.

Problem:
  The SSL protocol 3.0 uses nondeterministic CBC padding, which makes it
  easier for man-in-the-middle attackers to obtain cleartext data via a
  padding-oracle attack. This issue is also known as the "POODLE"
  vulnerability.

  SSL v3 is an older security protocol with known issues, but still exists
  as a fallback protocol on many devices.

  Vulnerable Products:
    Junos OS
    Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series
    ScreenOS
    Junos Space

  Juniper is investigating our product portfolio for affected software that
  is not mentioned above. As new information becomes available this document
  will be updated.
  This issue has been assigned CVE-2014-3566.

Solution:
  Junos:
    Junos OS will include an update to OpenSSL in a future release.

  Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series:
    Please refer to Pulse Secure TSB16540 for details on mitigating risk
    from this vulnerability.

  ScreenOS:
    A problem report has been submitted. Development is in the process of
    evaluating the best method to resolve this issue.

  Junos Space:
    Disable SSLv3 by changing the following files.

      /etc/httpd/conf.d/webProxy.conf
      /etc/httpd/conf.d/ssl.conf
      /etc/httpd/conf.d/webConf/webProxyCertAuth.conf

    The following line needs to be updated to remove references to SSLv3:

      Original: SSLProtocol -ALL +SSLv3 +TLSv1
      Updated:  SSLProtocol -ALL +TLSv1

    Restart httpd by typing 'service httpd restart'.

Workaround:
  Junos:
    Since SSL is used for remote network configuration and management
    applications such as J-Web and SSL Service for JUNOScript (XNM-SSL),
    viable workarounds for this issue in Junos may include:

    - Disabling J-Web
    - Disabling the SSL service for JUNOScript and only using Netconf,
      which makes use of SSH, to make configuration changes
    - Limiting access to J-Web and XNM-SSL to trusted networks only

Implementation:

Modification History:
  2014-10-15: Initial release
  2014-10-15: Added CVSS score

Related Links:
  Google Blog: Exploiting the SSL 3.0 fallback
  TSB16540: Pulse Secure: Connect Secure (SA / SSL VPN) / Policy Secure
    (IC / UAC): How to disable SSLv3 to mitigate any potential risks from
    the Poodle vulnerability
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team
  CVE-2014-3566: SSLv3 vulnerable to padding-oracle downgrade attack
    (aka. "POODLE")

CVSS Score:        4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Risk Level:        Low

Risk Assessment:
  Information for how Juniper Networks uses CVSS can be found at KB 16446
  "Common Vulnerability Scoring System (CVSS) and Juniper's Security
  Advisories."
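The Junos Space fix above, as an added shell example (not Juniper's or AusCERT's own tooling): it rewrites the SSLProtocol directive in the three httpd files the advisory names, keeps a backup, and then checks that no SSLProtocol line still enables SSLv3. The check goes slightly beyond the advisory's exact line: it also flags `SSLProtocol all` without a `-SSLv3`, because Apache's `all` keyword includes SSLv3. File paths are the advisory's; the script name and `--apply` flag are assumptions.

```shell
#!/bin/sh
# Added example, not Juniper's or AusCERT's tooling. Rewrites the Apache
# SSLProtocol directive in the three Junos Space httpd files the advisory
# names so that "+SSLv3" is dropped, then checks nothing still enables SSLv3.

# Files the advisory says to edit on Junos Space.
JSPACE_SSL_CONFS="/etc/httpd/conf.d/webProxy.conf
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.d/webConf/webProxyCertAuth.conf"

# Remove every "+SSLv3" token from SSLProtocol lines in one file, keeping a
# .pre-poodle backup. "SSLProtocol -ALL +SSLv3 +TLSv1" becomes
# "SSLProtocol -ALL +TLSv1", as in the advisory. Other lines are untouched.
disable_sslv3_in_file() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    cp -p "$f" "$f.pre-poodle" || return 1
    sed -E '/^[[:space:]]*SSLProtocol[[:space:]]/ s/[[:space:]]+\+SSLv3([[:space:]]|$)/\1/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 (true) if an SSLProtocol line still enables SSLv3: an explicit
# "+SSLv3", or a bare "all"/"+all" with no "-SSLv3" on the same line (Apache
# treats "all" as every supported protocol, SSLv3 included).
sslv3_enabled_in() {
    grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null \
      | grep -iE '(^|[[:space:]])\+?(SSLv3|all)([[:space:]]|$)' \
      | grep -ivqE '(^|[[:space:]])-SSLv3([[:space:]]|$)'
}

# Apply the fix to all three files and restart httpd as the advisory says.
disable_sslv3_junos_space() {
    for f in $JSPACE_SSL_CONFS; do
        disable_sslv3_in_file "$f" || return 1
        if sslv3_enabled_in "$f"; then
            echo "SSLv3 still enabled in $f; edit it by hand" >&2
            return 1
        fi
    done
    service httpd restart
}

# Only touch the live system when explicitly asked: sh fix-poodle.sh --apply
if [ "${1:-}" = "--apply" ]; then
    disable_sslv3_junos_space
fi
```

Run it without `--apply` to load the functions and test them against a copy of a config file first; the `.pre-poodle` backup lets you diff the live files after the change.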
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================