Juniper SIRT Out-of-Cycle Security Notice: Weak Keys on Juniper Products Fixed Previously

Article ID: JSA10516 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 1.0
Legacy Advisory Id:
PSN-2012-07-638
Product Affected:
This issue concerns Branch SRX products running affected versions of Junos software as documented in an earlier Juniper SIRT Security Advisory.
Problem:

An academic research team has published a paper documenting an analysis of the security of cryptographic keys and digital certificates in network devices produced by more than fifty different vendors. To gather data for their study, the research team retrieved the server credentials from nearly thirteen million different network devices via a series of network scans between 2011-10-06 and 2012-04-01. One particular large set of weak keys was attributed to a vulnerability in a Juniper product. That vulnerability was the result of poor entropy and was resolved in software. The Juniper SIRT alerted entitled customers to this issue via PSN-2012-04-549, "2012-04 Security Bulletin: Junos: Weakness in generation of self-signed certificates for use in device administration".

The issue was discovered internally (using similar methodology but independent of the external research project mentioned above), analyzed, and repaired in a time period roughly parallel with the latter part of the scanning period documented in the research paper.

The Juniper SIRT is not aware of any malicious exploitation of this vulnerability. However, customers are warned that an important point in the research paper is that the credentials of any public-facing device are subject to such an analysis. Release of the paper is likely to encourage such testing, and thus it would be prudent to refer to the earlier Security Advisory to ensure that the issue has been resolved in any affected customer devices.
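The research paper referenced above found weak keys by checking whether RSA moduli collected from many devices share a prime factor, which happens when devices generate keys from poor entropy. The following is an added example, not code from this notice or from Juniper, that applies the same batch-GCD check (product tree and remainder tree) so an operator can audit the moduli of their own fleet's self-signed certificates for shared factors; the moduli below are small constructed values for illustration, not keys from any real device.

```python
from math import gcd

def product_tree(xs):
    """Build a product tree: level 0 is the input, each higher level
    holds products of adjacent pairs, the top level is the single root."""
    tree = [list(xs)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree

def batch_gcd(moduli):
    """For every modulus n_i return gcd(n_i, product of all other moduli).
    A result > 1 means n_i shares a prime with at least one other modulus,
    so both keys can be factored trivially."""
    tree = product_tree(moduli)
    rems = tree[-1]  # the root: product of all moduli
    # Remainder tree: push the root down, reducing mod x^2 at each node.
    for level in reversed(tree[:-1]):
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # rem = P mod n^2 = n * ((P/n) mod n), so rem // n = (P/n) mod n.
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]

def shared_factor_keys(moduli):
    """Return (index, modulus, shared_prime) for every modulus that shares
    a factor with another one; an empty list means no shared factors."""
    return [(i, n, g) for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli)))
            if g > 1]

# Constructed sample moduli: the first two share the prime 101 (simulating
# two devices that drew the same prime from a weak entropy pool), the third
# is independent. 10403 = 101*103, 10807 = 101*107, 12317 = 109*113.
SAMPLE_MODULI = [10403, 10807, 12317]

if __name__ == "__main__":
    print(batch_gcd(SAMPLE_MODULI))          # -> [101, 101, 1]
    for i, n, g in shared_factor_keys(SAMPLE_MODULI):
        print(f"modulus #{i} ({n}) shares prime {g}; cofactor {n // g}")
```

In practice the moduli come from the certificates presented by each device's management interface (the RSA public key's n), and any hit means the device's certificate must be regenerated on fixed software.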

No other Juniper Networks products or platforms are affected by this issue.
Solution and Workaround:
Please see PSN-2012-04-549, "2012-04 Security Bulletin: Junos: Weakness in generation of self-signed certificates for use in device administration" for solutions and workarounds.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Acknowledgement
The Juniper SIRT thanks Nadia Heninger of the University of California, San Diego, and Zakir Durumeric, Eric Wustrow, and Alex Halderman of the University of Michigan for their wide-ranging, comprehensive research and analysis contributing to the security and correctness of cryptographic key and certificate generation by network devices.
Severity Level:
None
Severity Assessment:
This Security Notice is intended to raise awareness regarding an issue previously documented in a Security Advisory. It does not address a current vulnerability in any Juniper Networks product or service.
