2014-06 Out of Cycle Security Bulletin: Vulnerabilities in OpenSSL related to ChangeCipherSpec, DTLS, SSL_MODE_RELEASE_BUFFERS and ECDH ciphersuites

[JSA10629]


Product Affected:
Various products: Please see the list in the problem section
Problem:
OpenSSL published an advisory on June 5th regarding the following seven vulnerabilities, which have been fixed in OpenSSL versions 0.9.8za, 1.0.0m and 1.0.1h.

Following is a summary of vulnerabilities and their status with respect to Juniper products:

CVE-2014-0224 SSL/TLS MITM vulnerability

An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.

  • Junos OS: Any product or platform running a Junos OS version prior to 14.1 is vulnerable to this issue (PR 999736).
  • The following Secure Access software versions are vulnerable (PR 1000219):
    • IVEOS 8.0 prior to 8.0R4.1
    • IVEOS 7.4 prior to 7.4R11.1
    • UACOS C4.4 prior to C4.4r11.1
    • UACOS C5.0 prior to C5.0r4.1
  • The following Pulse Desktop versions are vulnerable (PR 1000143):
    • 5.0 prior to 5.0R4.1
    • 4.0 prior to 4.0R11.1
  • Secure Access software versions 7.1rX, 7.2rX and 7.3rX are not vulnerable on the server side when clients are used to access Secure Access server with those versions.
  • All Network Connect FIPS versions are vulnerable.
  • All versions of Linux Network Connect are vulnerable.
  • Network Connect for Mac OS X is vulnerable only if the OpenSSL version provided by the Mac OS X system is vulnerable.
  • All versions of Host Checker are vulnerable.
  • All JSAM (Java Secure Application Manager) versions are NOT vulnerable.
  • All WSAM (Windows Secure Application Manager) versions are NOT vulnerable.
  • All Junos Pulse (Mobile) for iOS FIPS versions are vulnerable (PR 1000204).
  • All Junos Pulse (Mobile) for Android versions are vulnerable.
  • All versions of Junos Space prior to 14.1R1 are vulnerable (PR 999804).
  • Junos WebApp Secure (JWAS) is vulnerable (PR 1000088).
  • SBR Enterprise 6.10-6.17 are vulnerable.
  • STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 2013.2R8 and JSA 2014.2R2 are vulnerable.
  • SBR Carrier is vulnerable in 7.5.0 versions prior to 7.5.0-R11, 7.6.0 versions prior to 7.6.0-R10 and 8.0.0 versions prior to 8.0.0-R2.
  • ScreenOS is not vulnerable (PR 999772): the ScreenOS Web UI is not vulnerable, and all Juniper servers that ScreenOS can connect to have been verified as not vulnerable, so ScreenOS is not vulnerable.
  • Windows Network Connect (Non-FIPS) versions are not vulnerable.
  • Junos Pulse (iOS) Non-FIPS versions are not vulnerable.
  • Windows In-Box Junos Pulse Client on Windows 8.1 is not vulnerable.
  • Junos Pulse (Mobile) for Windows Phone 8.1 versions are not vulnerable.
  • Juniper DDoS Secure is vulnerable prior to 5.14.1-1.
  • IDP Series is vulnerable prior to 5.1r4.
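The handshake manipulation behind CVE-2014-0224 is an early ChangeCipherSpec: the peer is made to switch ciphers before any key material has been exchanged. The following detector, an added example and not Juniper's or OpenSSL's code, parses the client-to-server TLS record stream and flags a ChangeCipherSpec record that precedes ClientKeyExchange. The record and handshake framing is from RFC 5246; the sample streams are constructed, not captured.

```python
import struct
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22          # TLS record content types (RFC 5246)
HS_CLIENT_HELLO, HS_CLIENT_KEY_EXCHANGE = 1, 16  # handshake message types

def tls_record(ctype, body, version=0x0303):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def handshake_msg(hs_type, payload):
    """Build one handshake message: 1-byte type, 3-byte length, payload."""
    return bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload

def parse_records(stream):
    """Split a byte stream into (content_type, body) tuples, one per TLS record."""
    off, out = 0, []
    while off + 5 <= len(stream):
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record at offset %d" % off)
        out.append((ctype, body))
        off += 5 + length
    return out

def handshake_types(body):
    """List the handshake message types inside one plaintext handshake record."""
    types, off = [], 0
    while off + 4 <= len(body):
        types.append(body[off])
        off += 4 + int.from_bytes(body[off + 1:off + 4], "big")
    return types

def early_ccs_detected(client_to_server):
    """Flag the CVE-2014-0224 pattern: the client's first ChangeCipherSpec arrives
    before it has sent ClientKeyExchange, i.e. before any key material exists."""
    seen_cke = False
    for ctype, body in parse_records(client_to_server):
        if ctype == HANDSHAKE and HS_CLIENT_KEY_EXCHANGE in handshake_types(body):
            seen_cke = True
        elif ctype == CHANGE_CIPHER_SPEC:
            return not seen_cke  # everything after the first CCS is encrypted; stop here
    return False

# Constructed sample streams (not real captures): a well-formed client flight vs. CCS injected after ClientHello.
HELLO = tls_record(HANDSHAKE, handshake_msg(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32))
CKE = tls_record(HANDSHAKE, handshake_msg(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb"))
CCS = tls_record(CHANGE_CIPHER_SPEC, b"\x01")
NORMAL_FLIGHT = HELLO + CKE + CCS
EARLY_CCS_FLIGHT = HELLO + CCS + CKE
```

The same check applies to the server-to-client direction with ServerHelloDone in place of ClientKeyExchange; a patched OpenSSL rejects the early CCS with an alert, so on a patched peer the detector only ever fires on the attempt, not on a successful downgrade.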


CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

  • All versions of Junos OS, on any product or platform, are vulnerable (PR 988917).
  • The following Secure Access versions are vulnerable (PR 988916):
    • IVEOS 8.0 prior to 8.0R4.1
    • IVEOS 7.4 prior to 7.4R11.1
    • UACOS C4.4 prior to C4.4r11.1
    • UACOS C5.0 prior to C5.0r4.1
  • Secure Access software versions 7.1, 7.2 and 7.3 are not vulnerable.
  • Junos WebApp Secure (JWAS) is vulnerable (PR 1000088).
  • STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 2013.2R8 and JSA 2014.2R2 are vulnerable.
  • Junos Space is not vulnerable.
  • ScreenOS is not vulnerable.
  • SBR Carrier is not vulnerable.
  • Juniper DDoS Secure is not vulnerable.
  • IDP Series is not vulnerable.


CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service

A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.

  • Junos OS: Any product or platform running a Junos OS version prior to 14.1 is vulnerable to this issue (PR 984416).
  • The following Secure Access versions are vulnerable (PR 986446):
    • IVEOS 8.0 prior to 8.0r4
    • IVEOS 7.4 prior to 7.4r11
    • UACOS C4.4 prior to C4.4r11.1
    • UACOS C5.0 prior to C5.0r4.1
  • Secure Access software versions 7.1, 7.2 and 7.3 are not vulnerable.
  • Junos WebApp Secure (JWAS) is vulnerable (PR 1000088).
  • STRM 2012.1 releases prior to 2012.1R8, STRM/JSA 2013.2 releases prior to 2013.2R8 and JSA 2014.2R2 are vulnerable.
  • Junos Space is not vulnerable.
  • ScreenOS is not vulnerable.
  • SBR Carrier is not vulnerable.
  • Juniper DDoS Secure is not vulnerable.
  • IDP Series is not vulnerable.


CVE-2014-3470 Anonymous ECDH denial of service

OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.

  • Junos WebApp Secure (JWAS) is vulnerable (PR 1000088).
  • SBR Carrier is vulnerable (PR 1030183).
  • Junos Pulse is not vulnerable.
  • Junos Space is not vulnerable.
  • ScreenOS is not vulnerable.
  • SSL VPN Secure Access software is not vulnerable, however software has been updated to include OpenSSL changes for this issue.
  • Junos OS is not vulnerable.
  • JSA and STRM are not vulnerable.
  • Juniper DDoS Secure is not vulnerable.
  • IDP Series is vulnerable prior to 5.1r4.

CVE-2014-0076 ECDSA nonce disclosure using side-channel attack

The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.

  • Junos OS: Any product or platform running a Junos OS version prior to 13.3 is vulnerable to this issue (PR 982853).
  • Junos WebApp Secure (JWAS) is vulnerable (PR 1000088).
  • ScreenOS is vulnerable (PR 999772).
  • Junos Space is not vulnerable.
  • SSL VPN Secure Access software is not vulnerable.
  • Unified Access Control software is not vulnerable.
  • SA Series SSL VPN Virtual Appliance is vulnerable.
  • Junos Pulse for Windows is vulnerable.
  • SBR Carrier is not vulnerable.
  • JSA and STRM are not vulnerable.
  • Juniper DDoS Secure is vulnerable prior to 5.14.1-1.
  • IDP Series is vulnerable prior to 5.1r4.


CVE-2014-0221 DTLS recursion flaw

By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.

  • Juniper SIRT is not aware of any Juniper products that use DTLS for communication. Juniper products are not vulnerable to this issue. Junos OS, SSL VPN products, ScreenOS, Junos Space, Junos WebApp Secure (JWAS) are not vulnerable to this issue.


CVE-2014-0195 DTLS invalid fragment vulnerability

A buffer overrun can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.

  • Juniper SIRT is not aware of any Juniper products that use DTLS for communication. Juniper products are not vulnerable to this issue. Junos OS, SSL VPN products, ScreenOS, Junos Space, Junos WebApp Secure (JWAS) are not vulnerable to this issue.



Products not vulnerable to any of the above issues:

  • ADC Software is not vulnerable.
  • SmartPass is not vulnerable.
  • JunosE is not vulnerable.
  • WX/WXC series is not vulnerable.

Juniper is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.

Modification History:
June 5, 2014: Initial release
June 6, 2014: Included status of ScreenOS, Junos Space
June 10, 2014: Included UAC/SA/Pulse information in solution section, updated status of ScreenOS.
June 12, 2014: Included status of Junos WebApp Secure (JWAS).
July 1, 2014: Included status of WX/WXC series.
July 29, 2014: Updated available Junos OS resolution releases.
September 4th, 2014: Fixed grammatical error in ScreenOS problem section.
September 11th, 2014: Updated available Junos OS and Junos Space resolution releases.
October 5th, 2014: Updated available Junos OS solution releases.
Dec 4, 2014: Included status of SBR Carrier, updated available Junos OS for SRX solution releases.
Dec 23, 2014: Patches now available for SBR Enterprise.
Mar 10, 2015: Included references to STRM, JSA as noted in JSA10643, updated SBR Carrier solution for CVE-2014-3470.
Mar 17, 2015: Included DDoS Secure and IDP.

Solution:
  • SA (SSL VPN)
    • CVE-2014-0224 SSL/TLS MITM vulnerability
      • Fixes for this issue are found in IVEOS 8.0r4.1 and 7.4r11.1.
      • For more information on solution available for this platform please see KB: http://kb.juniper.net/KB29195
    • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
      • Fixes for this issue are found in IVEOS 7.4R11.1 and 8.0R4.1.
    • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
      • Fixes for this issue are found in IVEOS 7.4R11 and 8.0R4.
    • CVE-2014-3470 Anonymous ECDH denial of service
      • Fixes for this issue are found in IVEOS 7.1r19.1, 7.4R11.1 and 8.0R4.1.
  • SA Series SSL VPN Virtual Appliance
    • Fixes for this platform are in progress. We plan to add a fix in a future SA major release. 
  • UAC/IC
    • CVE-2014-0224 SSL/TLS MITM vulnerability
      • Fixes for this issue are found in UACOS C4.4r11.1 and C5.0r41.1.
    • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
      • Fixes for this issue are found in UACOS C4.4r11.1 and C5.0r41.1.
    • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
      • Fixes for this issue are found in UACOS C4.4r11.1 and C5.0r41.1.
    • CVE-2014-3470 Anonymous ECDH denial of service
      • Fixes for this issue are found in UACOS C4.4r11.1 and C5.0r41.1.
  • Junos Pulse
    • CVE-2014-0224 SSL/TLS MITM vulnerability
      • Fixes for this issue are found in 5.0r4.1 and 4.0r11.1.
      • For more information on solution available for this platform please see KB: http://kb.juniper.net/KB29195
    • CVE-2014-0076 ECDSA nonce disclosure using side-channel attack
      • Fixes for this issue are planned for a future release (5.1r1). No ETA is set at this time.
  • IDP Signatures
  • Junos OS
    • CVE-2014-0224 SSL/TLS MITM vulnerability
      • This issue is fixed in 11.4R12-S1, 12.1X44-D40, 12.1X46-D20, 12.1X46-D25, 12.1X47-D15, 12.2R9, 12.3R8, 13.1R4-S2, 13.2R5, 13.3R2-S3, 13.3R3, 14.1R1 and all subsequent releases. Even though CVE-2014-0221, CVE-2014-0195 and CVE-2014-3470 do not affect Junos, changes to resolve these issues are included along with the fix for CVE-2014-0224.
    • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
      • This is fixed in 11.4R12-S4, 12.1X44-D40, 12.1X46-D20, 12.1X46-D25, 12.1X47-D15, 12.2R9, 12.3R8, 13.1R4-S3, 13.2R5-S1, 13.3R3, 14.1R2 and all subsequent releases.
    • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
      • This is fixed in 12.1X44-D40, 12.1X46-D20, 12.1X46-D25, 12.1X47-D10, 12.2R9, 12.3R7, 13.1R4-S3, 13.2R5, 13.3R2-S3, 13.3R3, 14.1R1 and all subsequent releases.
      • A fix release is pending for Junos 11.4.
    • CVE-2014-0076 ECDSA nonce disclosure using side-channel attack
      • This is fixed in 11.4R12-S1, 12.1X44-D40, 12.1X46-D20, 12.1X46-D25, 12.1X47-D10, 12.2R9, 12.3R7, 13.1R4-S3, 13.2R5-S1, 13.3R1 and all subsequent releases.
  • ScreenOS
    • CVE-2014-0076 ECDSA nonce disclosure using side-channel attack
      • This is fixed in 6.3.0r18 and all subsequent releases.
  • Junos Space
    • CVE-2014-0224 SSL/TLS MITM vulnerability is fixed in Junos Space 14.1R1 and all later releases
  • SBR Carrier
    • CVE-2014-0224 is fixed in 7.5.0-R11, 7.6.0-R10, 8.0.0-R2 and all later releases.
    • CVE-2014-3470 is fixed in 7.5.0_R17, 7.6.0_R16, 8.0.0_R8 and all later releases.
  • SBR Enterprise
    • CVE-2014-0224 is fixed via a patch to 6.17. Refer to KB29217 for patch information.
  • STRM, JSA Series
    • CVE-2014-0224, CVE-2014-0198 and CVE-2010-5298 are fixed in JSA 2013.2R8 and 2014.2R3 or later releases, STRM 2012.1R8 and 2013.2R8 or later releases. Please refer to JSA10643 for details.
  • Juniper DDoS Secure
    • All these issues are resolved by upgraded OpenSSL package in DDoS Secure 5.14.1-1 or later releases.
  • IDP Series
    • All these issues are resolved by upgraded OpenSSL package in IDP 5.1r4 or later releases.

We are currently investigating our product portfolio for affected software and will work to provide fixes for any software that is found to be vulnerable. Any available solution to particular CVEs is listed in the Problem section above.

Workaround:
Junos OS:
Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
  • Disabling J-Web
  • Disabling the SSL service for JUNOScript and using only Netconf, which runs over SSH, to make configuration changes
  • Limiting access to J-Web and XNM-SSL to trusted networks only

Workaround for CVE-2014-0076:
Since this vulnerability requires an attacker to have a local account on the device and be able to execute arbitrary code, limiting access to only trusted users should completely mitigate the issue on affected devices.

Implementation:

Related Links:
CVSS Score:
5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Risk Level:
High
Risk Assessment:
A network-based attacker who can conduct man-in-the-middle attacks can decrypt or modify encrypted traffic. This traffic may contain sensitive information that can be leveraged to conduct additional attacks.
Acknowledgements: