2013-09 Security Bulletin: Junos Pulse Secure Access Service (IVE) and Junos Pulse Access Control Service (UAC): Crafted packet can cause denial of service

Categories:
Security Advisories ID: JSA10590
Last Updated: 24 Sep 2013
Version: 2.0

Product Affected:
SA 4000, SA 6000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG6610 with SM360 blade, MAG6611 with SM360 blade, and IC6500. The following IC platforms do not come with the card by default, but it can be added to them: IC4000, IC4500, IC6000, and FIPS IC6500.

Problem:
A denial of service (DoS) issue has been found on the Junos Pulse Secure Access Service (IVE) and Junos Pulse Access Control Service (UAC) devices. This issue can cause the system to hang, ultimately requiring a restart to bring the system back into service. This issue only applies to devices that contain the hardware SSL acceleration card and have it enabled.

This issue was found during security testing and reported to Juniper by a third party security researcher who utilized responsible disclosure when reporting this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

Solution:
Software updates to IVE OS and UAC OS have been released to resolve this issue. Releases containing the fix include IVE OS 7.1r15, 7.2r10, 7.3r6, and 7.4r3 and UAC 4.1r8.1, 4.2r5, 4.3r6 and 4.4r3.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.

Workaround:
Disabling the hardware SSL acceleration card will prevent this issue from occurring.

Console directions: To disable the hardware SSL acceleration card via console, first connect to the console port, then choose option "10" from the menu, which is "10. Toggle SSL HW Acceleration (system will reboot when this setting is modified)"

Admin page directions: To disable the hardware SSL acceleration card via admin page (https), log into the SSL VPN admin page, then go to: Maintenance --> System --> Options, uncheck the following option:

Use SSL acceleration to offload SSL operations from the main CPU. This can significantly improve performance.
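
The check below is an added example, not part of the original bulletin or any Juniper tooling: it triages a device inventory against the fixed releases listed under Solution and the acceleration-card condition from Problem and Workaround. It assumes release strings are written in the form the bulletin uses (e.g. "7.1r15", "4.1r8.1"); the host names, the inventory, and the verdict labels are constructed for illustration. Branches the bulletin does not list are reported as unknown rather than guessed.

```python
import re

# Fixed releases, copied from the Solution section of this bulletin.
FIXED = {
    "IVE": {"7.1": "7.1r15", "7.2": "7.2r10", "7.3": "7.3r6", "7.4": "7.4r3"},
    "UAC": {"4.1": "4.1r8.1", "4.2": "4.2r5", "4.3": "4.3r6", "4.4": "4.4r3"},
}
_RELEASE = re.compile(r"^(\d+\.\d+)r(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def parse_release(text):
    """Split '7.1r15' into ('7.1', (15, 0)) and '4.1r8.1' into ('4.1', (8, 1))."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3) or 0))


def assess(product, release, ssl_accel_enabled):
    """Return 'not-exposed', 'fixed', 'vulnerable' or 'unknown-branch'."""
    # The bulletin limits the issue to devices with the card present and enabled.
    if not ssl_accel_enabled:
        return "not-exposed"
    branch, build = parse_release(release)
    fixed = FIXED[product.upper()].get(branch)
    if fixed is None:
        return "unknown-branch"  # branch not listed in the bulletin: check KB16765
    return "fixed" if build >= parse_release(fixed)[1] else "vulnerable"


# Constructed inventory: (host, product, running release, SSL acceleration enabled)
INVENTORY = [
    ("vpn-a.example", "IVE", "7.1r14", True),
    ("vpn-b.example", "IVE", "7.4r3", True),
    ("nac-a.example", "UAC", "4.1r8", True),
    ("nac-b.example", "UAC", "4.2r1", False),
]


def triage(inventory):
    """Map each host to its verdict."""
    return {host: assess(prod, rel, accel) for host, prod, rel, accel in inventory}


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY).items():
        print(f"{host}: {verdict}")
```

A "not-exposed" verdict reflects only the workaround state; a device with the card disabled on an unfixed release becomes exposed again if acceleration is re-enabled.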

CVSS Score:
7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Risk Level:
High

Acknowledgements:
 Juniper SIRT would like to acknowledge and thank Kenny Herold for responsibly reporting this vulnerability.

 

 

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.