
Out of Cycle Security Bulletin: ScreenOS: Malformed SSL packet can cause denial of service (DoS) (CVE-2014-2842)

Article ID: JSA10624 | Security Advisories | Last Updated: 10 Feb 2015 | Version: 11.0
Product Affected:
This issue can affect ScreenOS 6.3.
Problem:
A denial of service (DoS) issue has been discovered in ScreenOS firewalls that can be exploited by remote, unauthenticated attackers. When a malformed SSL/TLS protocol packet is sent to a vulnerable ScreenOS firewall, the firewall crashes and restarts or, if in an HA configuration, triggers a failover. The issue can be repeatedly exploited to create an extended denial of service condition.

Older versions of ScreenOS have reached the end of support milestone and have not been evaluated for the issue, but are likely affected. Customers are advised to upgrade to a fixed supported release once it is made available.

While Juniper has not seen any malicious exploitation of this vulnerability, the packet has been found in normal network activity.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2842.
Solution:
Workaround:
Due to the likelihood of the specific packet occurring during normal activity, Juniper recommends disabling WebUI (SSL) and WebAuth (SSL) until a software fix is available. This includes disabling WebUI (SSL) and WebAuth (SSL) even on internal and protected networks.

This issue is completely mitigated when WebUI (SSL) and WebAuth (SSL) are disabled.

Disabling SSL WebUI (HTTPS) is part of our best practices, as mentioned in KB29016.
Implementation:
 
CVSS Score:
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
 
