
2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL "Heartbleed" issue (CVE-2014-0160)


Categories: Security Advisories
ID: JSA10623
Last Updated: 30 Apr 2014
Version: 43.0

Product Affected:
Various products: Please see the list in the problem section

Problem:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets. A remote, unauthenticated attacker can send a crafted heartbeat request whose claimed payload length exceeds the data actually sent; the vulnerable code copies the claimed length from process memory into the response (a buffer over-read), disclosing sensitive information such as private keys, usernames and passwords, or the contents of encrypted traffic. This issue is also known as the Heartbleed Bug.

Status of different OpenSSL versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
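The over-read described above, as an added example (this is not Juniper code and not the IDP signature referenced later in this advisory): a small Python checker that applies the same bounds check the OpenSSL 1.0.1g fix introduced (type byte + 2-byte length + claimed payload + 16 bytes minimum padding must fit inside the record actually received) to raw TLS heartbeat records. The sample records are constructed inline; the 0x4000 claimed length mirrors the shape of the widely published probe, and record layout follows RFC 6520.

```python
"""Flag heartbeat requests that would trigger the Heartbleed over-read.

Added example, not code from Juniper or OpenSSL. Sample records below are
constructed for illustration, not captured from a real host.
"""
import struct

TLS_HEARTBEAT = 0x18      # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 0x01         # HeartbeatMessageType heartbeat_request
HB_MIN_PADDING = 16       # RFC 6520: padding MUST be at least 16 bytes


def parse_record(record: bytes):
    """Split one TLS record into (content_type, (major, minor), fragment).

    Returns None when the 5-byte header is truncated or the fragment is
    shorter than the length field claims (a truncated capture).
    """
    if len(record) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    fragment = record[5:5 + length]
    if len(fragment) != length:
        return None
    return ctype, (major, minor), fragment


def heartbeat_overread(record: bytes) -> int:
    """Bytes a heartbeat_request would read past the data it actually carried.

    0 means the record is not a heartbeat request or is well-formed. A positive
    value is how much process memory OpenSSL 1.0.1 through 1.0.1f would copy
    into the heartbeat response.
    """
    parsed = parse_record(record)
    if parsed is None:
        return 0
    ctype, _version, fragment = parsed
    if ctype != TLS_HEARTBEAT or len(fragment) < 3:
        return 0
    hb_type = fragment[0]
    (payload_len,) = struct.unpack("!H", fragment[1:3])
    if hb_type != HB_REQUEST:
        return 0
    # The check the fix added: 1 (type) + 2 (length) + payload + 16 (padding)
    # must fit within the record fragment that was actually received.
    needed = 1 + 2 + payload_len + HB_MIN_PADDING
    return max(0, needed - len(fragment))


def build_heartbeat(payload: bytes, claimed_len: int, version=(3, 2)) -> bytes:
    """Construct a heartbeat_request record; claimed_len may lie about payload."""
    msg = (bytes([HB_REQUEST]) + struct.pack("!H", claimed_len)
           + payload + b"\x00" * HB_MIN_PADDING)
    header = bytes([TLS_HEARTBEAT, version[0], version[1]]) + struct.pack("!H", len(msg))
    return header + msg


# Constructed samples: an honest 4-byte request, a probe claiming 16 KiB with no
# payload, and the bare 8-byte record shape of the public probe (no padding at all).
BENIGN = build_heartbeat(b"ping", claimed_len=4)
PROBE = build_heartbeat(b"", claimed_len=0x4000)
CLASSIC = bytes.fromhex("1803020003014000")


def scan(records):
    """Yield (index, overread_bytes) for every record that over-reads."""
    for i, rec in enumerate(records):
        n = heartbeat_overread(rec)
        if n:
            yield i, n


if __name__ == "__main__":
    for idx, n in scan([BENIGN, PROBE, CLASSIC]):
        print(f"record {idx}: heartbeat request over-reads {n} bytes")
```

A benign request yields 0; the two probes yield 16384 and 16400 bytes respectively, which is the amount of memory a vulnerable server would leak per request. The same arithmetic is what a network signature for this issue has to evaluate, which is why a signature keyed only on the heartbeat content type would also match legitimate heartbeats.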

Vulnerable Products

  • Junos OS 13.3R1 (Fixed code is listed in the "Solution" section)
  • SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the "Solution" section)
  • UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the "Solution" section)
  • Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later (Fixed code is listed in the "Solution" section)
  • Network Connect (Windows only) versions 7.4R5 to 7.4R9.1 and 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the "Solution" section)
  • Junos Pulse (Mobile) on Android version 4.2R1 and higher. (Fixed code is listed in the "Solution" section)
  • Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the "Solution" section)
  • WebApp Secure (Fixed code is listed in the "Solution" section)
  • Odyssey client 5.6r5 and later (Fixed code is listed in the "Solution" section)



Products Not Vulnerable
  • Junos OS 13.2 and earlier releases are not vulnerable
  • Non-FIPS versions of the Network Connect client are not vulnerable
  • SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
  • SRX Series is not vulnerable
  • Junos Space is not vulnerable
  • NSM is not vulnerable
  • Pulse 4.0r4 and earlier is not vulnerable
  • QFabric Director is not vulnerable
  • CTPView is not vulnerable
  • vGW/FireFly Host is not vulnerable
  • Firefly Perimeter is not vulnerable
  • ScreenOS is not vulnerable
  • UAC 4.3, 4.2, and 4.1 are not vulnerable
  • JUNOSe is not vulnerable
  • Odyssey client 5.6r4 and earlier are not vulnerable
  • Junos Pulse (Mobile) on iOS (non-FIPS mode) is not vulnerable
  • WX-Series is not vulnerable
  • Junos DDoS Secure is not vulnerable
  • STRM/JSA is not vulnerable
  • Media Flow Controller is not vulnerable
  • SBR Carrier is not vulnerable
  • SBR Enterprise is not vulnerable
  • Junos Pulse Mobile Security Suite is not vulnerable
  • SRC Series is not vulnerable
  • Junos Pulse Endpoint Profiler is not vulnerable
  • Smart Pass is not vulnerable
  • Ring Master is not vulnerable
  • ADC is not vulnerable
  • Stand Alone IDP is not vulnerable
  • CX-Series is not vulnerable
  • WL-Series is not vulnerable
  • J-Series is not vulnerable


Products currently under investigation

  • No products

Juniper continues to investigate this issue and as new information becomes available this document will be updated.

This issue has been assigned CVE-2014-0160.

Solution:

SSL VPN (IVEOS):
Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.3. For more information about this issue on this platform, please see KB: http://kb.juniper.net/KB29004

UAC:
Juniper Networks has released UAC 5.0r3.2. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007
Juniper Networks has released UAC 4.4r10. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007

Odyssey client:
See UAC section as the client update with the fix is pushed from the UAC server. 

Junos:
Juniper Networks has released Junos OS 13.3R1.8 to resolve this issue.
Customers are encouraged to upgrade to 13.3R1.8 from earlier versions of 13.3R1 to resolve this issue.

Junos Pulse (Desktop):
Juniper Networks has released Pulse Desktop 5.0R3.1 and Pulse Desktop 4.0R9.2. For more information surrounding this issue for this client please see KB: http://kb.juniper.net/KB29004

Junos Pulse (Mobile):
Juniper Networks has released Junos Pulse for Android version 5.0R3 (44997) which is now available for download on the Google Play Store.
Juniper Networks has released Junos Pulse for Apple iOS version 5.0.3.44999 which is available for download from Apple App Store.

WebApp Secure:
Juniper has pushed a software update (5.1.3-30) to systems that will resolve this issue. Please initiate the upgrade to resolve this issue. Release Notes

IDP Signatures:
Juniper has released signatures to detect this issue. The signature released to address Heartbleed vulnerability has been added to a separate category. The signature has NOT been added to the "Recommended" predefined attack group. Please see the following link for more information about our signatures for this issue: http://forums.juniper.net/t5/Security-Mobility-Now/FAQ-Protecting-your-OpenSSL-Server-from-HeartBleed-using-IDP/ba-p/238256

Sigpack 2362 released:
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/updates.xml
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/2362.html

SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure:
http://signatures.juniper.net/documentation/signatures/SSL%3AOPENSSL-TLS-DTLS-HEARTBEAT.html

DI Signatures:
At this point in time there is no plan to offer DI signatures for this issue. 

Note: This advisory will be updated as new information is made available.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Junos:
  • Since SSL is used for remote network configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
    • Disable J-Web
    • Disable the SSL service for JUNOScript (XNM-SSL) and use only NETCONF, which runs over SSH, to make configuration changes
    • Restrict access to J-Web and XNM-SSL to trusted networks only
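The three Junos workarounds above expressed as configuration, added here as an example and not taken from the advisory. The first three lines are the disable option (remove J-Web and XNM-SSL, keep NETCONF over SSH). The remaining lines are the restrict-access option for operators who must keep those services reachable: a loopback input filter that accepts HTTPS and XNM-SSL (TCP 3220, the Junos default for xnm-ssl) only from an assumed trusted management prefix, 192.0.2.0/24, and discards them from everywhere else. The filter name, term names and prefix are assumptions; adjust them to the local management network.

```junos
delete system services web-management
delete system services xnm-ssl
set system services netconf ssh

set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSL from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSL from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSL from destination-port [ https 3220 ]
set firewall family inet filter PROTECT-RE term ALLOW-MGMT-SSL then accept
set firewall family inet filter PROTECT-RE term DENY-MGMT-SSL from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-MGMT-SSL from destination-port [ https 3220 ]
set firewall family inet filter PROTECT-RE term DENY-MGMT-SSL then discard
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Terms are evaluated in order, so the deny term must precede the final accept. The trailing ALLOW-REST term keeps routing protocols, SSH and other routing-engine traffic working; a production routing-engine filter would normally enumerate those explicitly rather than accept everything else. Because the over-read leaks the server's process memory, restricting sources reduces exposure but does not remove it for any host on the trusted prefix; only the fixed release (13.3R1.8) closes the issue.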

SSL VPN/UAC:
  • Other than downgrading to an unaffected release, there are no workarounds for this issue.

Implementation:
 

Related Links:

CVSS Score:
9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)

Risk Level:
Critical

Risk Assessment:
We consider this to be a critical issue. The sensitive information potentially exposed by this issue can be leveraged to further compromise the system. Exploits are known to exist in the wild. Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
 

 

 

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.