Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

  JSA10679 - 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory
                              1 December 2020


        AusCERT Security Bulletin Summary

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0206 CVE-2015-0205 CVE-2015-0204
                   CVE-2014-8275 CVE-2014-3572 CVE-2014-3571
                   CVE-2014-3570 CVE-2014-3569 CVE-2014-3568

Reference:         ESB-2015.0812

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory

Article ID  : JSA10679
Last Updated: 30 Nov 2020
Version     : 6.0

Product Affected:
Multiple products.

OpenSSL project has published a security advisory for vulnerabilities resolved
in the OpenSSL library on January 8th 2015:

     CVE      CVSS v2 base score                    Summary
CVE-2014-3569 5.0 (AV:N/AC:L/    OpenSSL denial of service (NULL pointer
              Au:N/C:N/I:N/A:P)  dereference and daemon crash) vulnerability.
CVE-2014-3570 5.0 (AV:N/AC:L/    OpenSSL cryptographic error related to BN_sqr
              Au:N/C:P/I:N/A:N)  implementation.
CVE-2014-3572 5.0 (AV:N/AC:L/    OpenSSL ECDHE-to-ECDH downgrade attack
              Au:N/C:N/I:P/A:N)  vulnerability.
CVE-2014-8275 5.0 (AV:N/AC:L/    OpenSSL weak fingerprint-based
              Au:N/C:N/I:P/A:N)  certificate-blocklist protection mechanism.
CVE-2015-0204 5.0 (AV:N/AC:L/    OpenSSL client RSA-to-EXPORT_RSA downgrade
              Au:N/C:N/I:P/A:N)  attack, related to the "FREAK" issue.
CVE-2015-0205 5.0 (AV:N/AC:L/    OpenSSL insufficient Diffie-Hellman (DH)
              Au:N/C:N/I:P/A:N)  certificate verification.

In addition to the above this OpenSSL advisory also lists CVE-2014-3571 and
CVE-2015-0206 which only affect DTLS protocol which is not used in any Juniper
product. Hence these two CVEs do not affect any Juniper product.

Vulnerable Products:

  o Junos OS is potentially affected by one or more of the vulnerabilities.
    Junos J-Web interface is not vulnerable to the "FREAK" issue, however Junos
    client side components that utilize OpenSSL to connect to vulnerable
    servers may be at risk for FREAK vulnerability. Servers hosted by Juniper
    that Junos devices can connect to using SSL/TLS for updates are not
    vulnerable to the "FREAK" issue.
  o CTP software is potentially vulnerable to one or more vulnerabilities.
  o ScreenOS is potentially vulnerable to only CVE-2014-8275 and CVE-2015-0205.
    Rest of the CVEs in this advisory do not affect ScreenOS.
  o Junos Space is potentially vulnerable to one or more vulnerabilities.
  o NSM is potentially vulnerable to one or more vulnerabilities.
  o DDoS Secure is potentially affected by one or more vulnerabilities.
  o IDP is potentially affected by one or more of the vulnerabilities.
  o Pulse Secure: please refer to KB29833 .
  o SBR Carrier is potentially affected by one or more of the vulnerabilities.
  o SRC Series versions prior to 4.8 are vulnerable only to CVE-2015-0204 when
    HTTPS Redirect Server feature is enabled.
  o vGW is potentially affected by one or more of the vulnerabilities.
  o RingMaster Appliance is potentially affected by one or more of the

Products not vulnerable:

  o Smartpass does not use OpenSSL and is not vulnerable.
  o RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above,
this document will be updated.


  o Junos OS: These issues are resolved in: Junos OS 12.1X44-D50, 12.1X46-D35,
    12.1X47-D25, 12.3R10, 12.3X48-D10, 13.2R8, 13.3R6 14.1R5, 14.1X53-D35,
    14.2R3, and all subsequent releases (PR 1055295).
  o CTP: These issues are resolved in: CTPOS 7.1R1, 7.0R4, 6.6R5, CTPView 7.1R1
    and all subsequent releases (PR 1068919, 1068918).
  o NSM: OpenSSL library is to be upgraded in 2012.2R11 (pending release) (PR
  o DDoS Secure: OpenSSL library is upgraded in the next DDoS Secure software
    update is pending release (PR 1072982).
  o IDP: OpenSSL library is to be upgraded in the next DDoS Secure software
    update is pending release (PR 1072987).
  o Junos Space: A resolution is pending (PR 1069102).
  o SBR Carrier: A resolution is pending (PR 1072991).
  o SRC Series: These issues are resolved in SRC version 4.8, which has an
    updated version of OpenSSL that is not vulnerable to any of the issues
    above. (PR 1073259).
  o ScreenOS: A resolution is pending (PR 1057485).
  o vGW: A resolution is pending (PR 1073007).
  o RingMaster Appliance: A resolution is pending (PR 1073266).


Standard security best current practices (control plane firewall filters, edge
filtering, access lists, etc.) may protect against any remote malicious

  o Junos OS: Since SSL is used for remote network configuration and management
    applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable
    workarounds for this issue in Junos may include:
       Disabling J-Web.
       Disable SSL service for JUNOScript and only use Netconf, which makes
        use of SSH, to make configuration changes.
       Limit access to J-Web and XNM-SSL from only trusted networks.
  o ScreenOS: A temporary workaround for the server side of ScreenOS you can
    disable the HTTPS web user interface and the WebAuth feature. If you
    disable the HTTPS user interface you would be required to do configuration
    management over command line (SSH). The command to disable SSL is the
    following: unset ssl enable
  o SRC Series: Disable HTTPS Redirect Server feature, if not required.

Software releases or updates are available at https://www.juniper.net/support/
downloads/ .
Modification History:

2015-04-08: Initial release
2015-05-20: Included SRC series solution and workaround; updated Junos resolution status.
2018-10-26: Added 14.1X53-D35 as resolved release and QFX5100 as affected platform2
2020-11-20: Updated terminology

CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Severity Level:
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967