
IKE version 1 vulnerability issues resulting from OUSPG ISAKMP Test Suite (NISCC/ISAKMP/273756)


Article ID: JSA10356 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 7.0
Legacy Advisory Id:
PSN-2005-11-007
Product Affected:
All Juniper Networks M/T/J/E-series routers; NetScreen firewalls running ScreenOS software.
Problem:

The University of Oulu Security Programming Group (OUSPG) has developed an ISAKMP Test Suite for IKE version 1 Phase 1, a key component of the IPSec encryption and security protocol. The IKE protocol implementation in JUNOS, JUNOSe, ScreenOS and NetScreen-Remote software is vulnerable to certain test cases in the test suite provided by OUSPG.

For more details about this vulnerability, see the NISCC website link in the Related Links section of this bulletin.

This issue is tracked internally as CQ 68020 for JUNOSe software, bug 07844 for ScreenOS software, and PR/61076 and PR/61779 for JUNOS software.

Solution:

Changes have been made in the JUNOSe, JUNOS and ScreenOS software that resolve the potential vulnerability exposed by the OUSPG ISAKMP/IKE test suite.

In addition, Juniper Networks agrees with the mitigation recommendations in the NISCC advisory.

Implementation:

The following currently available ScreenOS software releases (used on NetScreen firewall and VPN products) contain modified code that provides fixes for the IKE security protocol:

4.0.0r13a for the 100

4.0.3r9a.0 for 5xp, 5xt, 25, 50, 200, 500, 5200-8G

5.0.0r10a for the ISG-1000 and ISG-2000

5.0.0r11.0 for 5xp, 5xt, 25, 50, 204, 208, 500, 5200/5400-M1 using 8g or 24FE

5.0.0r11.1 for 5gt, 5gt-WLAN, 5gt-ADSL

5.0.0-M2.r9a for the 5200-M2/5400-M2 using 8G or 24FE line cards

5.1.0r4b.0 for 5xt, 5gt, 50, 200, 500, 5000 (doesn't cover ns5xp)

5.2.0r3 for 5xt, 5gt, 5gt-ADSL, 25, 50, 204, 208, 500, ISG-2000, 5200/5400-M1, 5200/5400-M2

ScreenOS versions not specifically listed are under investigation.

NetScreen-Remote 8.7 VPN client contains modified code that provides fixes for the IKE security protocol.

The following JUNOSe software releases (used on E-series routers) contain modified code that provides fixes for the IKE security protocol: 5-2-4p0-8, 5-2-5, 5-3-4p0-5, 6-0-2p0-5, 6-0-3, 6-1-1p0-7, 6-1-2, 7-0-0p0-1, 7-0-1, 7-1-0.

All JUNOS software (for M/T/J-series routers) for Release 6.4 and later releases built on or after July 28, 2005 contains modified code that provides fixes for the IKE security protocol.

Severity Level:
High
Severity Assessment:
Juniper Networks JUNOS, JUNOSe and ScreenOS software is susceptible to certain IPSec ISAKMP/IKE vulnerabilities as exposed by the OUSPG ISAKMP/IKE test suite. Risk assessment is high for Juniper Networks E/M/T/J-series routers and for NetScreen firewalls running ScreenOS.

Related Links
