Out of Cycle Security Bulletin: ScreenOS: Malformed SSL packet can cause denial of service (DoS) (CVE-2014-2842)

[JSA10624]

Product Affected:
This issue can affect ScreenOS 6.3.

A denial of service (DoS) issue has been discovered in ScreenOS firewalls that can be exploited by remote, unauthenticated attackers. When a malformed SSL/TLS protocol packet is sent to a vulnerable ScreenOS firewall, the firewall crashes and restarts or, in an HA configuration, triggers a failover. The issue can be repeatedly exploited to create an extended denial of service condition.

Older versions of ScreenOS have reached the end of support milestone and have not been evaluated for the issue, but are likely affected. Customers are advised to upgrade to a fixed supported release once it is made available.

While Juniper has not seen any malicious exploitation of this vulnerability, the packet has been found in normal network activity.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2842.

Due to the likelihood of the specific packet occurring during normal activity, Juniper recommends disabling WebUI (SSL) and WebAuth (SSL) until a software fix is available. This includes disabling WebUI (SSL) and WebAuth (SSL) even on internal and protected networks.

This issue is completely mitigated when WebUI (SSL) and WebAuth (SSL) are disabled.

Disabling SSL WebUI (HTTPS) is part of our best practices, as mentioned in KB29016.
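To verify that the workaround above is actually in effect across a fleet, an added audit script (not Juniper's own tooling) can scan a saved `get config` dump and report every statement that still exposes WebUI over SSL or WebAuth. The ScreenOS command forms it matches (`set ssl enable`, `set interface <if> manage ssl`, `set interface <if> webauth`, `set webauth ssl-only`) are assumed from ScreenOS CLI conventions and should be checked against the output of the firmware in use; the configuration excerpt is constructed.

```python
"""Audit a ScreenOS config dump for the JSA10624 workaround (added example)."""
import re

# Constructed sample of a 'get config' excerpt; not taken from a real device.
SAMPLE_CONFIG = """\
set interface ethernet0/0 ip 203.0.113.1/24
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage ssh
set interface ethernet0/1 manage ping
set interface ethernet0/1 webauth
set webauth ssl-only
set ssl enable
set ssl port 443
"""

# Assumed ScreenOS syntax for per-interface WebUI (SSL) and WebAuth settings.
_IF_MANAGE_SSL = re.compile(r"^set interface (\S+) manage ssl$")
_IF_WEBAUTH = re.compile(r"^set interface (\S+) webauth$")


def find_ssl_exposure(config_text):
    """Collect statements that keep the affected services reachable."""
    findings = {"ssl_enabled": False, "ssl_manage_ifs": [],
                "webauth_ifs": [], "webauth_ssl": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "set ssl enable":           # global SSL service switch
            findings["ssl_enabled"] = True
        elif line == "set webauth ssl-only":   # WebAuth served over SSL
            findings["webauth_ssl"] = True
        elif m := _IF_MANAGE_SSL.match(line):  # WebUI (SSL) on an interface
            findings["ssl_manage_ifs"].append(m.group(1))
        elif m := _IF_WEBAUTH.match(line):     # WebAuth on an interface
            findings["webauth_ifs"].append(m.group(1))
    return findings


def workaround_applied(config_text):
    """True only when no interface exposes WebUI (SSL) or WebAuth over SSL."""
    f = find_ssl_exposure(config_text)
    webui_exposed = f["ssl_enabled"] and bool(f["ssl_manage_ifs"])
    webauth_exposed = f["webauth_ssl"] and bool(f["webauth_ifs"])
    return not (webui_exposed or webauth_exposed)


if __name__ == "__main__":
    print(find_ssl_exposure(SAMPLE_CONFIG))
    print("workaround applied:", workaround_applied(SAMPLE_CONFIG))
```

Interfaces listed under `ssl_manage_ifs` and `webauth_ifs` are the ones whose management or WebAuth settings still need to be removed before the device is considered mitigated.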
CVSS Score:
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."