Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4252
JSA10679 - 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory
1 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-0206 CVE-2015-0205 CVE-2015-0204
CVE-2014-8275 CVE-2014-3572 CVE-2014-3571
CVE-2014-3570 CVE-2014-3569 CVE-2014-3568
Reference: ESB-2015.0812
ESB-2015.0810
ESB-2015.0786
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679
- --------------------------BEGIN INCLUDED TEXT--------------------
2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory
Article ID : JSA10679
Last Updated: 30 Nov 2020
Version : 6.0
Product Affected:
Multiple products.
Problem:
OpenSSL project has published a security advisory for vulnerabilities resolved
in the OpenSSL library on January 8th 2015:
CVE CVSS v2 base score Summary
CVE-2014-3569 5.0 (AV:N/AC:L/ OpenSSL denial of service (NULL pointer
Au:N/C:N/I:N/A:P) dereference and daemon crash) vulnerability.
CVE-2014-3570 5.0 (AV:N/AC:L/ OpenSSL cryptographic error related to BN_sqr
Au:N/C:P/I:N/A:N) implementation.
CVE-2014-3572 5.0 (AV:N/AC:L/ OpenSSL ECDHE-to-ECDH downgrade attack
Au:N/C:N/I:P/A:N) vulnerability.
CVE-2014-8275 5.0 (AV:N/AC:L/ OpenSSL weak fingerprint-based
Au:N/C:N/I:P/A:N) certificate-blocklist protection mechanism.
CVE-2015-0204 5.0 (AV:N/AC:L/ OpenSSL client RSA-to-EXPORT_RSA downgrade
Au:N/C:N/I:P/A:N) attack, related to the "FREAK" issue.
CVE-2015-0205 5.0 (AV:N/AC:L/ OpenSSL insufficient Diffie-Hellman (DH)
Au:N/C:N/I:P/A:N) certificate verification.
In addition to the above this OpenSSL advisory also lists CVE-2014-3571 and
CVE-2015-0206 which only affect DTLS protocol which is not used in any Juniper
product. Hence these two CVEs do not affect any Juniper product.
Vulnerable Products:
o Junos OS is potentially affected by one or more of the vulnerabilities.
Junos J-Web interface is not vulnerable to the "FREAK" issue, however Junos
client side components that utilize OpenSSL to connect to vulnerable
servers may be at risk for FREAK vulnerability. Servers hosted by Juniper
that Junos devices can connect to using SSL/TLS for updates are not
vulnerable to the "FREAK" issue.
o CTP software is potentially vulnerable to one or more vulnerabilities.
o ScreenOS is potentially vulnerable to only CVE-2014-8275 and CVE-2015-0205.
Rest of the CVEs in this advisory do not affect ScreenOS.
o Junos Space is potentially vulnerable to one or more vulnerabilities.
o NSM is potentially vulnerable to one or more vulnerabilities.
o DDoS Secure is potentially affected by one or more vulnerabilities.
o IDP is potentially affected by one or more of the vulnerabilities.
o Pulse Secure: please refer to KB29833 .
o SBR Carrier is potentially affected by one or more of the vulnerabilities.
o SRC Series versions prior to 4.8 are vulnerable only to CVE-2015-0204 when
HTTPS Redirect Server feature is enabled.
o vGW is potentially affected by one or more of the vulnerabilities.
o RingMaster Appliance is potentially affected by one or more of the
vulnerabilities.
Products not vulnerable:
o Smartpass does not use OpenSSL and is not vulnerable.
o RingMaster Software does not use OpenSSL and is not vulnerable.
As new information becomes available on products that are not listed above,
this document will be updated.
Solution:
o Junos OS: These issues are resolved in: Junos OS 12.1X44-D50, 12.1X46-D35,
12.1X47-D25, 12.3R10, 12.3X48-D10, 13.2R8, 13.3R6 14.1R5, 14.1X53-D35,
14.2R3, and all subsequent releases (PR 1055295).
o CTP: These issues are resolved in: CTPOS 7.1R1, 7.0R4, 6.6R5, CTPView 7.1R1
and all subsequent releases (PR 1068919, 1068918).
o NSM: OpenSSL library is to be upgraded in 2012.2R11 (pending release) (PR
1069107).
o DDoS Secure: OpenSSL library is upgraded in the next DDoS Secure software
update is pending release (PR 1072982).
o IDP: OpenSSL library is to be upgraded in the next DDoS Secure software
update is pending release (PR 1072987).
o Junos Space: A resolution is pending (PR 1069102).
o SBR Carrier: A resolution is pending (PR 1072991).
o SRC Series: These issues are resolved in SRC version 4.8, which has an
updated version of OpenSSL that is not vulnerable to any of the issues
above. (PR 1073259).
o ScreenOS: A resolution is pending (PR 1057485).
o vGW: A resolution is pending (PR 1073007).
o RingMaster Appliance: A resolution is pending (PR 1073266).
Workaround:
Standard security best current practices (control plane firewall filters, edge
filtering, access lists, etc.) may protect against any remote malicious
attacks.
o Junos OS: Since SSL is used for remote network configuration and management
applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable
workarounds for this issue in Junos may include:
Disabling J-Web.
Disable SSL service for JUNOScript and only use Netconf, which makes
use of SSH, to make configuration changes.
Limit access to J-Web and XNM-SSL from only trusted networks.
o ScreenOS: A temporary workaround for the server side of ScreenOS you can
disable the HTTPS web user interface and the WebAuth feature. If you
disable the HTTPS user interface you would be required to do configuration
management over command line (SSH). The command to disable SSL is the
following: unset ssl enable
o SRC Series: Disable HTTPS Redirect Server feature, if not required.
Implementation:
Software releases or updates are available at https://www.juniper.net/support/
downloads/ .
Modification History:
2015-04-08: Initial release
2015-05-20: Included SRC series solution and workaround; updated Junos resolution status.
2018-10-26: Added 14.1X53-D35 as resolved release and QFX5100 as affected platform2
2020-11-20: Updated terminology
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX8X6OONLKJtyKPYoAQhYaQ//a+/45iTxtF6osOAn75AUzvHC5eWFsMTV
LSdx+bgjdN+u5IDk3/WrVXZozN8sRW6X7HJXsSLoN6Z+N1Wa8UC1NigHjvpv8ELB
rkoteuyhybYf2Z5ULAOgBPrSluOtew29peP+nT4Pc8+8EhrJXUTHt1ADitixpJgE
auj24zVYCRxmVvEtvJqxcJ56sDEbI39b1vtS1sE/QjHVq8Dt0myFG526WGKxEXIu
Q+lBad8KqHc1RvTrvLN/y3qF0GDazQa23zbSN7a8K3ysyD5e1j9vy+j00DY6sLiF
z/yaT1AbVEw3x3wqCvuqLrUKvWNSHa22bK/mHXVFlOWsxcC7BJEuShS7KnAxQjq8
0e/rMUk08wUyAwfwIvb+910sMOM1gwbFvhmcWQlPLi+3bUud8FNmn2Hr49If83/f
cmJ6lI9V+r1BB3M3FBpYiuAJ56wcezNyapVcXDkqXjiicwUvMhYKa/Vi4LvdTDrI
loawjh6b3suMA1gB4n5lvAaUeP7OCtqYJ1itcg1e/lId2veNl7+NTckj7CY7yVB9
AeFNtZO+kgIqMDi9fokGmcX0YOJlqepFMRJ1C5jwl+G1x+nZocJBHhMklYP1nIAx
lXyJLM6nmwFue2TjaQo2y4ndZFqcUvGQfmnkFTU0OHZjUL6m0ljizMUfpLVgf8Sk
zoLXyls3dmo=
=9C15
-----END PGP SIGNATURE-----