-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.4252
   JSA10679 - 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory
                               1 December 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0206 CVE-2015-0205 CVE-2015-0204 CVE-2014-8275
                   CVE-2014-3572 CVE-2014-3571 CVE-2014-3570 CVE-2014-3569
                   CVE-2014-3568
Reference:         ESB-2015.0812
                   ESB-2015.0810
                   ESB-2015.0786

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679

- --------------------------BEGIN INCLUDED TEXT--------------------

2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory

Article ID  : JSA10679
Last Updated: 30 Nov 2020
Version     : 6.0

Product Affected:
Multiple products.

Problem:
The OpenSSL project has published a security advisory for vulnerabilities
resolved in the OpenSSL library on January 8th 2015:

CVE            CVSS v2 base score                 Summary
- -------------  ---------------------------------  --------------------------------
CVE-2014-3569  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   OpenSSL denial of service (NULL
                                                  pointer dereference and daemon
                                                  crash) vulnerability.
CVE-2014-3570  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)   OpenSSL cryptographic error
                                                  related to the BN_sqr
                                                  implementation.
CVE-2014-3572  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   OpenSSL ECDHE-to-ECDH downgrade
                                                  attack vulnerability.
CVE-2014-8275  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   OpenSSL weak fingerprint-based
                                                  certificate-blocklist protection
                                                  mechanism.
CVE-2015-0204  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   OpenSSL client RSA-to-EXPORT_RSA
                                                  downgrade attack, related to the
                                                  "FREAK" issue.
CVE-2015-0205  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   OpenSSL insufficient
                                                  Diffie-Hellman (DH) certificate
                                                  verification.

In addition to the above, this OpenSSL advisory also lists CVE-2014-3571 and
CVE-2015-0206, which only affect the DTLS protocol; DTLS is not used in any
Juniper product. Hence these two CVEs do not affect any Juniper product.

Vulnerable Products:

o Junos OS is potentially affected by one or more of the vulnerabilities.
  The Junos J-Web interface is not vulnerable to the "FREAK" issue; however,
  Junos client-side components that use OpenSSL to connect to vulnerable
  servers may be at risk from the FREAK vulnerability. Servers hosted by
  Juniper that Junos devices connect to over SSL/TLS for updates are not
  vulnerable to the "FREAK" issue.
o CTP software is potentially vulnerable to one or more vulnerabilities.
o ScreenOS is potentially vulnerable only to CVE-2014-8275 and CVE-2015-0205.
  The rest of the CVEs in this advisory do not affect ScreenOS.
o Junos Space is potentially vulnerable to one or more vulnerabilities.
o NSM is potentially vulnerable to one or more vulnerabilities.
o DDoS Secure is potentially affected by one or more vulnerabilities.
o IDP is potentially affected by one or more of the vulnerabilities.
o Pulse Secure: please refer to KB29833.
o SBR Carrier is potentially affected by one or more of the vulnerabilities.
o SRC Series versions prior to 4.8 are vulnerable only to CVE-2015-0204, and
  only when the HTTPS Redirect Server feature is enabled.
o vGW is potentially affected by one or more of the vulnerabilities.
o RingMaster Appliance is potentially affected by one or more of the
  vulnerabilities.

Products not vulnerable:

o Smartpass does not use OpenSSL and is not vulnerable.
o RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above,
this document will be updated.

Solution:

o Junos OS: These issues are resolved in Junos OS 12.1X44-D50, 12.1X46-D35,
  12.1X47-D25, 12.3R10, 12.3X48-D10, 13.2R8, 13.3R6, 14.1R5, 14.1X53-D35,
  14.2R3, and all subsequent releases (PR 1055295).
o CTP: These issues are resolved in CTPOS 7.1R1, 7.0R4, 6.6R5, CTPView 7.1R1
  and all subsequent releases (PR 1068919, 1068918).
o NSM: The OpenSSL library is to be upgraded in 2012.2R11 (pending release)
  (PR 1069107).
o DDoS Secure: The OpenSSL library is upgraded in the next DDoS Secure
  software update, which is pending release (PR 1072982).
o IDP: The OpenSSL library is to be upgraded in the next DDoS Secure software
  update, which is pending release (PR 1072987).
o Junos Space: A resolution is pending (PR 1069102).
o SBR Carrier: A resolution is pending (PR 1072991).
o SRC Series: These issues are resolved in SRC version 4.8, which has an
  updated version of OpenSSL that is not vulnerable to any of the issues
  above (PR 1073259).
o ScreenOS: A resolution is pending (PR 1057485).
o vGW: A resolution is pending (PR 1073007).
o RingMaster Appliance: A resolution is pending (PR 1073266).

Workaround:

Standard security best current practices (control plane firewall filters,
edge filtering, access lists, etc.) may protect against any remote malicious
attacks.

o Junos OS: Since SSL is used for remote network configuration and
  management applications such as J-Web and the SSL Service for JUNOScript
  (XNM-SSL), viable workarounds for this issue in Junos may include:
  - Disabling J-Web.
  - Disabling the SSL service for JUNOScript and using only NETCONF, which
    runs over SSH, to make configuration changes.
  - Limiting access to J-Web and XNM-SSL to trusted networks only.
o ScreenOS: As a temporary workaround for the server side of ScreenOS, you
  can disable the HTTPS web user interface and the WebAuth feature. If you
  disable the HTTPS user interface, you will be required to do configuration
  management over the command line (SSH).
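The three Junos workarounds listed above (remove J-Web, remove XNM-SSL in favour of NETCONF over SSH, and restrict whatever management access remains to trusted networks) written out as Junos configuration. This is an added example, not configuration from the Juniper bulletin: the filter name PROTECT-RE, the prefix-list name MGMT-HOSTS, the 192.0.2.0/24 management prefix and the lo0 unit are assumptions for illustration, and the port numbers 443 (J-Web HTTPS) and 3220 (XNM-SSL) are the Junos defaults and should be checked against the running configuration. The filter discards only those two management ports from untrusted sources and accepts everything else, so routing protocols and other control-plane traffic are left untouched; a production routing-engine filter would enumerate the permitted protocols explicitly.

```junos
## Added example, not from the Juniper bulletin. Names, prefixes and ports
## marked "assumed" are illustrative; verify them against your own deployment.

## 1. Remove the SSL-based management services named in the workaround.
##    (Both commands are harmless if the service is not configured.)
delete system services web-management
delete system services xnm-ssl

## 2. Keep configuration management on NETCONF, which runs over SSH.
set system services netconf ssh

## 3. Trusted management networks (assumed prefix, RFC 5737 documentation range).
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24

## 4. Loopback filter: accept J-Web (443) and XNM-SSL (3220) only from the
##    trusted list, log and discard the same ports from anywhere else, and
##    accept all other traffic so routing and other RE traffic is unaffected.
##    This term set still matters if either service has to stay enabled.
set firewall family inet filter PROTECT-RE term trusted-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term trusted-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term trusted-mgmt from destination-port [ 443 3220 ]
set firewall family inet filter PROTECT-RE term trusted-mgmt then accept
set firewall family inet filter PROTECT-RE term untrusted-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term untrusted-mgmt from destination-port [ 443 3220 ]
set firewall family inet filter PROTECT-RE term untrusted-mgmt then log
set firewall family inet filter PROTECT-RE term untrusted-mgmt then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept

## 5. Apply the filter to traffic destined for the routing engine (assumed lo0 unit 0).
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## 6. Review and validate before committing.
show firewall family inet filter PROTECT-RE
commit check
commit comment "JSA10679 workaround: disable J-Web/XNM-SSL, restrict management access"
```

After the commit, `show log messages | match PROTECT-RE` and `show firewall log` show hits on the untrusted-mgmt term, which doubles as a detection signal for unexpected attempts to reach the SSL management ports; `show system services` confirms that web-management and xnm-ssl are no longer present.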
  The command to disable SSL is the following:

      unset ssl enable

o SRC Series: Disable the HTTPS Redirect Server feature, if not required.

Implementation:
Software releases or updates are available at
https://www.juniper.net/support/downloads/ .

Modification History:
2015-04-08: Initial release
2015-05-20: Included SRC series solution and workaround; updated Junos
            resolution status.
2018-10-26: Added 14.1X53-D35 as resolved release and QFX5100 as affected
            platform.
2020-11-20: Updated terminology

CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Severity Level:
Medium

Severity Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446,
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBX8X6OONLKJtyKPYoAQhYaQ//a+/45iTxtF6osOAn75AUzvHC5eWFsMTV
LSdx+bgjdN+u5IDk3/WrVXZozN8sRW6X7HJXsSLoN6Z+N1Wa8UC1NigHjvpv8ELB
rkoteuyhybYf2Z5ULAOgBPrSluOtew29peP+nT4Pc8+8EhrJXUTHt1ADitixpJgE
auj24zVYCRxmVvEtvJqxcJ56sDEbI39b1vtS1sE/QjHVq8Dt0myFG526WGKxEXIu
Q+lBad8KqHc1RvTrvLN/y3qF0GDazQa23zbSN7a8K3ysyD5e1j9vy+j00DY6sLiF
z/yaT1AbVEw3x3wqCvuqLrUKvWNSHa22bK/mHXVFlOWsxcC7BJEuShS7KnAxQjq8
0e/rMUk08wUyAwfwIvb+910sMOM1gwbFvhmcWQlPLi+3bUud8FNmn2Hr49If83/f
cmJ6lI9V+r1BB3M3FBpYiuAJ56wcezNyapVcXDkqXjiicwUvMhYKa/Vi4LvdTDrI
loawjh6b3suMA1gB4n5lvAaUeP7OCtqYJ1itcg1e/lId2veNl7+NTckj7CY7yVB9
AeFNtZO+kgIqMDi9fokGmcX0YOJlqepFMRJ1C5jwl+G1x+nZocJBHhMklYP1nIAx
lXyJLM6nmwFue2TjaQo2y4ndZFqcUvGQfmnkFTU0OHZjUL6m0ljizMUfpLVgf8Sk
zoLXyls3dmo=
=9C15
-----END PGP SIGNATURE-----