Knowledge Search


×
 

IKE version 1 vulnerability issues resulting from OUSPG ISAKMP Test Suite (NISCC/ISAKMP/273756)

  [JSA10356] Show Article Properties


Legacy Advisory Id:
PSN-2005-11-007
Product Affected:
All Juniper Networks M/T/J/E-series routers; NetScreen firewalls running ScreenOS software.
Problem:

The University of Oulu Security Programming Group (OUSPG) has developed an ISAKMP Test Suite for IKE version 1 Phase 1, a key component of the IPSec encryption and security protocol. The IKE protocol implementation in JUNOS, JUNOSe, ScreenOS and Netscreen Remote software is vulnerable to certain test cases in the test suite provided by OUSPG.

For more details about this vulnerability, see the NISCC website link in the Related Links section of this bulletin.

This issue is tracked internally as CQ 68020 for JUNOSe software, bug 07844 for ScreenOS software, and PR/61076 and PR/61779 for JUNOS software.

Solution:

Changes have been made in the JUNOSe, JUNOS and ScreenOS software that resolve the potential vulnerability exposed by the OUSPG ISAKMP/IKE test suite.

In addition, Juniper Networks agrees with the mitigation recommendations in the NISCC advisory.

Implementation:

The following currently available ScreenOS software (used on Netscreen firewall and VPN products) releases contain modified code that provides fixes for the IKE security protocol:

4.0.0r13a for the 100

4.0.3r9a.0 for 5xp, 5xt, 25, 50, 200, 500, 5200-8G

5.0.0r10a for the ISG-1000 and ISG-2000

5.0.0r11.0 for 5xp, 5xt, 25, 50, 204, 208, 500, 5200/5400-M1 using 8g or 24FE

5.0.0r11.1 for 5gt, 5gt-WLAN, 5gt-ADSL

5.0.0-M2.r9a for the 5200-M2/5400-M2 using 8G or 24FE line cards

5.1.0r4b.0 for 5xt, 5gt, 50, 200, 500, 5000 (doesn't cover ns5xp)

5.2.0r3 for 5xt, 5gt, 5gt-ADSL, 25, 50, 204, 208, 500, ISG-2000, 5200/5400-M1, 5200/5400-M2

ScreenOS versions not specifically listed are under investigation.

NetScreen-Remote 8.7 VPN client contains modified code that provides fixes for the IKE security protocol.

The following JUNOSe software (used on E-series routers) releases contain modified code that provides fixes for the IKE security protocol: 5-2-4p0-8, 5-2-5, 5-3-4p0-5, 6-0-2p0-5, 6-0-3, 6-1-1p0-7, 6-1-2, 7-0-0p0-1, 7-0-1, 7-1-0.

All JUNOS software (for M/T/J-series routers) for Releases 6.4 and later releases built on or after July 28, 2005 contains modified code that provides fixes for the IKE security protocol.

Related Links:
Risk Level:
High
Risk Assessment:
Juniper Networks JUNOS, JUNOSe and ScreenOS software is susceptible to certain IPSec ISAKMP/IKE vulnerabilities as exposed by the OUSPG ISAKMP/IKE test suite. Risk assessment is high for Juniper Networks E/M/T/J-series routers and for NetScreen firewalls running ScreenOS.