Legacy Advisory Id:
PSN-2012-07-638
Product Affected:
This issue concerns Branch SRX products running affected versions of Junos software as documented in an earlier Juniper SIRT Security Advisory.
Problem:
An academic research team has published a paper documenting an analysis of the security of cryptographic keys and digital certificates in network devices produced by more than fifty different vendors. To gather data for their study, the research team retrieved the server credentials from nearly thirteen million different network devices via a series of network scans between 2011-10-06 and 2012-04-01. One particular large set of weak keys was attributed to a vulnerability in a Juniper product. That vulnerability was the result of poor entropy and was resolved in software. The Juniper SIRT alerted entitled customers to this issue via PSN-2012-04-549, "2012-04 Security Bulletin: Junos: Weakness in generation of self-signed certificates for use in device administration".
The issue was discovered internally (using similar methodology but independent of the external research project mentioned above), analyzed, and repaired in a time period roughly parallel with the latter part of the scanning period documented in the research paper.
The Juniper SIRT is not aware of any malicious exploitation of this vulnerability. However, customers are warned that an important point in the research paper is that the credentials of any public-facing device are subject to such an analysis. Release of the paper is likely to encourage such testing, and thus it would be prudent to refer to the earlier Security Advisory to ensure that the issue has been resolved in any affected customer devices.
No other Juniper Networks products or platforms are affected by this issue.
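The weakness the notice describes shows up in the keys themselves: RSA moduli generated with too little entropy can repeat a prime factor (or the whole key) across devices, and any two moduli that share a prime are both factored by a single GCD. The audit below is an added example, not Juniper's code or the researchers' tool; it uses constructed toy-sized primes and hypothetical device names to show the check an operator can run over a fleet's own certificates.

```python
from math import gcd
from itertools import combinations

# Constructed toy primes standing in for the p and q of RSA moduli.
# Real keys use 1024-bit or larger primes; the arithmetic is identical.
P1, P2, P3, Q1, Q2 = 104729, 1299709, 15485863, 32452843, 49979687

# Constructed fleet (hypothetical names): device-a and device-b share P1,
# as a low-entropy generator would produce; device-d is an exact duplicate
# of device-a; device-c is an unrelated, healthy key.
FLEET = {
    "device-a": P1 * Q1,
    "device-b": P1 * Q2,
    "device-c": P2 * P3,
    "device-d": P1 * Q1,
}


def shared_factor_audit(moduli):
    """Audit a {name: modulus} map for keys weakened by shared randomness.

    Returns (factored, duplicates): factored maps each modulus that shares a
    prime with another to its recovered (p, q); duplicates is the set of
    names whose modulus is identical to another device's.
    Pairwise gcd is O(n^2) and fine for one fleet; the published study used
    a batch-GCD tree to cover millions of keys, but the principle is the same.
    """
    factored, duplicates = {}, set()
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        if n_a == n_b:
            duplicates.update({name_a, name_b})
            continue
        g = gcd(n_a, n_b)
        if g > 1:  # a non-trivial common prime factors both moduli
            factored[name_a] = (g, n_a // g)
            factored[name_b] = (g, n_b // g)
    return factored, duplicates


if __name__ == "__main__":
    weak, dups = shared_factor_audit(FLEET)
    for name, (p, q) in sorted(weak.items()):
        print(f"{name}: modulus factored as {p} * {q}")
    print("duplicate keys:", sorted(dups))
```

Any device that appears in either result needs its certificate regenerated on a fixed release, since a recovered factorization or a duplicated key defeats the certificate's purpose regardless of key length.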
Solution and Workaround:
Please see PSN-2012-04-549, "2012-04 Security Bulletin: Junos: Weakness in generation of self-signed certificates for use in device administration" for solutions and workarounds.
KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Acknowledgement
The Juniper SIRT thanks Nadia Heninger of the University of California, San Diego, and Zakir Durumeric, Eric Wustrow, and Alex Halderman of the University of Michigan for their wide-ranging, comprehensive research and analysis contributing to the security and correctness of cryptographic key and certificate generation by network devices.
Severity Level:
None
Severity Assessment:
This Security Notice is intended to raise awareness regarding an issue previously documented in a Security Advisory. It does not address a current vulnerability in any Juniper Networks product or service.