ESB-2016.0690 - [Juniper] Juniper ScreenOS, Juniper STRM/JSA Series, Juniper WLC Wireless LAN Controller: Access privileged data - Remote/unauthenticated

Date: 15 March 2016
References: ESB-2016.0543.2  ESB-2016.0544  ESB-2016.0547  ESB-2016.0560  ESB-2016.0569  ESB-2016.0587  ESB-2016.0601  ESB-2016.0634  ESB-2016.0636  ESB-2016.0650  
ESB-2016.0756  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0690
     Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
                               15 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper ScreenOS
                   Juniper STRM/JSA Series
                   Juniper WLC Wireless LAN Controller
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-0800  

Reference:         ESB-2016.0650
                   ESB-2016.0636
                   ESB-2016.0634
                   ESB-2016.0601
                   ESB-2016.0587
                   ESB-2016.0569
                   ESB-2016.0560
                   ESB-2016.0547
                   ESB-2016.0544
                   ESB-2016.0543.2

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10722

---------------------------BEGIN INCLUDED TEXT--------------------

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

Categories:

    STRM Series

    Firewalls ISG/NS/SSG Series

    ScreenOS

    WLC Series

    JSA Series

    SIRT Advisory

Security Advisories ID: JSA10722

Last Updated: 14 Mar 2016

Version: 1.0

Product Affected:

Refer to Problem section below.

Problem:

On March 1, 2016, a cross-protocol attack was announced by OpenSSL that could
lead to decryption of TLS sessions by using a server supporting SSLv2 and 
EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic
between clients and non-vulnerable servers can be decrypted provided another 
server supporting SSLv2 and EXPORT ciphers (even with a different protocol 
such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. 
This vulnerability is known as DROWN (CVE-2016-0800).

SSLv2 is a very old security protocol with known issues, but still exists as a
fallback protocol on many devices.

Vulnerable Products

    ScreenOS

    STRM/JSA Series

    WLC Wireless LAN Controller

Products Not Vulnerable

    Junos OS

    Junos Space

    JunosE

    QFabric Director

    Standalone IDP

    NSM (server and NSM4000, NSM3000, NSMXpress appliance)

    WLAN RingMaster

    WLAN SmartPass

Juniper is continuing to investigate our product portfolio for affected 
software that is not mentioned above. As new information becomes available 
this document will be updated.

This issue has been assigned CVE-2016-0800.

Solution:

ScreenOS:

Starting with ScreenOS 6.3.0r19, SSLv2 and SSLv3 can both be manually disabled
via the 'unset ssl ssl3' CLI command.

STRM/JSA Series:

Fixes will be available in STRM versions 2014.6.r4 and 2013.2.r14.

Solutions for other vulnerable products will be added as they become 
available.

Workaround:

Follow security best current practices by limiting the exploitable attack 
surface of critical infrastructure networking equipment. Use access lists or 
firewall filters to limit access to networking devices via SSL only from 
trusted, administrative networks or hosts.

Alternatively, use a firewall filter to block all incoming SSLv2 traffic.
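As an added illustration for the Problem and Workaround sections above (this is not code from Juniper's advisory or from AusCERT), the Python below parses an SSLv2 CLIENT-HELLO record so a defender inspecting captured traffic can tell whether a client is offering SSLv2 at all, and whether it offers the EXPORT cipher kinds that DROWN relies on. The cipher-kind codes are the ones defined by the SSLv2 specification; the sample record is constructed here, not captured.

```python
import struct

# SSLv2 cipher-kind codes as they appear on the wire (3 bytes each).
SSL2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# The 40-bit EXPORT kinds a DROWN-capable server must accept.
EXPORT_KINDS = {b"\x02\x00\x80", b"\x04\x00\x80"}


def parse_sslv2_client_hello(data: bytes):
    """Return a summary dict if `data` is a complete SSLv2 CLIENT-HELLO record, else None."""
    if len(data) < 3:
        return None
    b0 = data[0]
    if b0 & 0x80:                       # 2-byte record header, no padding
        rec_len, hdr = ((b0 & 0x7F) << 8) | data[1], 2
    else:                               # 3-byte record header with a padding byte
        rec_len, hdr = ((b0 & 0x3F) << 8) | data[1], 3
    if len(data) < hdr + rec_len:       # truncated, or not an SSLv2 record at all
        return None
    body = data[hdr:hdr + rec_len]
    if len(body) < 9 or body[0] != 0x01:   # message type 0x01 = CLIENT-HELLO
        return None
    version, cs_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if cs_len % 3 or len(body) < 9 + cs_len + sid_len + chal_len:
        return None
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {
        "version": version,  # 0x0002 for SSLv2; TLS clients may put 0x03xx here
        "cipher_kinds": [SSL2_CIPHER_KINDS.get(s, "unknown:" + s.hex()) for s in specs],
        "offers_export": any(s in EXPORT_KINDS for s in specs),
    }


# Constructed sample: a 34-byte CLIENT-HELLO offering one strong and two EXPORT kinds.
SAMPLE_SSLV2_HELLO = bytes.fromhex(
    "8022"            # 2-byte header, record length 0x22 = 34
    "01" "0002"       # CLIENT-HELLO, version SSLv2
    "0009" "0000" "0010"  # cipher-spec length, session-id length, challenge length
    "010080" "020080" "040080"
    + "00" * 16       # constructed 16-byte challenge
)
# Constructed sample: the start of a TLS record, which must not be classified as SSLv2.
SAMPLE_TLS_RECORD = bytes.fromhex("160301002a0100002603030000")
```

Feeding the classifier with the first bytes of each inbound connection to an SSL-enabled management port gives a direct count of how much SSLv2 a block-all-SSLv2 filter would actually affect.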

Implementation:

Modification History:

2016-03-14: Initial publication

Related Links:

    OpenSSL Security Advisory [1st March 2016]

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-yyyy-xxxx: Cross-protocol attack on TLS using SSLv2 (DROWN)

CVSS Score:

4.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)

Risk Level:

Low

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================