2016-04 Security Bulletin: ScreenOS: Multiple Vulnerabilities in OpenSSL

  [JSA10733]


Product Affected:
These issues can affect any product or platform running ScreenOS prior to 6.3.0r22.
Problem:
The following vulnerabilities in the OpenSSL software included with ScreenOS have been addressed in ScreenOS 6.3.0r22:

CVE             CVSS v2 base score                  Summary
CVE-2015-1791   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)    Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL that can cause a denial of service.
CVE-2015-1790   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)    The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL allows remote attackers to cause a denial of service via a crafted PKCS#7 blob.
CVE-2015-1789   4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)    The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL allows remote attackers to cause a denial of service via a crafted length field in ASN1_TIME data.
CVE-2015-3195   5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)    The ASN1_TFLG_COMBINE implementation in OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution:
The following software releases have been updated to resolve these specific issues: ScreenOS 6.3.0r22 (released April 6, 2016) and all subsequent releases.

These issues are being tracked as PRs 1100194 and 1144749 and are visible on the Customer Support website.


Workaround:
Methods to reduce the risk associated with these issues include:
  • Limit access to SSL ports to only trusted hosts.
  • Disabling web administrative services on an interface will mitigate the risk of these issues, for example:
    • unset int eth0/0 manage web
  • Refer to KB6713 for enabling SSH on the firewall.
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via the network only from trusted, administrative networks or hosts.
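As an added example (not part of the Juniper bulletin), the following Python script applies the checks above offline to saved device output: it compares a ScreenOS version string against the fixed release 6.3.0r22, and it walks a configuration for interfaces that still have `manage web` or `manage ssl` enabled and for `set admin manager-ip` restrictions. The version line and configuration are constructed samples in ScreenOS CLI syntax; the command forms it assumes are `set|unset interface <name> manage web|ssl` and `set admin manager-ip <ip> [mask]`, and the function names are this example's own.

```python
"""Offline audit of a ScreenOS device for JSA10733 exposure.

Two checks the bulletin implies:
  1. Is the firmware older than the fixed release, ScreenOS 6.3.0r22?
  2. Which interfaces still offer web (HTTP) or ssl (HTTPS) management, and
     is management restricted to specific manager IPs?
The config and version lines below are constructed samples in ScreenOS
syntax, not output captured from a real device.
"""
import re

# Fixed release named by the bulletin: ScreenOS 6.3.0r22.
FIXED_VERSION = (6, 3, 0, 22)

# Matches "6.3.0r21" inside e.g. "Software Version: 6.3.0r21.0, Type: Firewall+VPN".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)r(\d+)")

# "set interface ethernet0/0 manage web" / "unset int ethernet0/0 manage ssl".
MANAGE_RE = re.compile(
    r"^(set|unset)\s+(?:interface|int)\s+(\S+)\s+manage\s+(web|ssl)\b"
)
# "set admin manager-ip 192.168.1.10 255.255.255.255" (mask is optional).
MANAGER_IP_RE = re.compile(r"^set\s+admin\s+manager-ip\s+(\S+)(?:\s+(\S+))?")


def parse_version(text):
    """Return (major, minor, patch, release) from a ScreenOS version string."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no ScreenOS version found in: %r" % text)
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(text):
    """True when the firmware is prior to 6.3.0r22 (field-by-field compare)."""
    return parse_version(text) < FIXED_VERSION


def audit_config(lines):
    """Walk config lines in order; a later unset overrides an earlier set.

    Returns (exposed, manager_ips): exposed maps interface name -> set of
    enabled web/ssl management services, manager_ips lists permitted admin
    sources (empty list means management is reachable from any host).
    """
    exposed = {}
    manager_ips = []
    for raw in lines:
        line = raw.strip()
        m = MANAGE_RE.match(line)
        if m:
            verb, iface, service = m.groups()
            services = exposed.setdefault(iface, set())
            if verb == "set":
                services.add(service)
            else:
                services.discard(service)
            continue
        m = MANAGER_IP_RE.match(line)
        if m:
            ip, mask = m.groups()
            manager_ips.append(ip if mask is None else "%s %s" % (ip, mask))
    # Drop interfaces whose web/ssl services were all unset again.
    exposed = {k: v for k, v in exposed.items() if v}
    return exposed, manager_ips


def report(version_line, config_lines):
    """Findings as a list of strings, so callers can assert on them."""
    findings = []
    if is_vulnerable_version(version_line):
        findings.append("firmware prior to 6.3.0r22: upgrade required")
    exposed, manager_ips = audit_config(config_lines)
    for iface in sorted(exposed):
        findings.append("%s: management via %s enabled"
                        % (iface, ", ".join(sorted(exposed[iface]))))
    if exposed and not manager_ips:
        findings.append("no manager-ip restriction: any host can reach the admin TLS port")
    return findings


# Constructed sample input (not from a real device). The final line is the
# bulletin's workaround command in long form, so web is unset but ssl stays.
SAMPLE_VERSION = "Software Version: 6.3.0r21.0, Type: Firewall+VPN"
SAMPLE_CONFIG = """
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ssl
set interface ethernet0/1 zone Trust
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage ssl
unset interface ethernet0/0 manage web
""".strip().splitlines()

if __name__ == "__main__":
    for finding in report(SAMPLE_VERSION, SAMPLE_CONFIG):
        print(finding)
```

The audit flags `manage ssl` alongside `manage web` because the bulletin's first workaround is limiting access to SSL ports: in ScreenOS the HTTPS WebUI is controlled by the separate `manage ssl` interface option, so the sample still reports HTTPS management on ethernet0/0 after the `unset ... manage web` line. A `set admin manager-ip` entry in the input makes the last finding disappear, which is the access-list style restriction the bulletin recommends.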
Implementation:

How to obtain fixed software:
Software release Service Packages are available at http://support.juniper.net from the "Download Software" links. Select the appropriate product (or browse by Series or Technology), locate the fixed version for your platform, then download and apply it.

Modification History:

2016-04-13: Initial publication
2016-04-14: Updated workaround section

Related Links:
CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Risk Level:
Medium
Risk Assessment:
The CVSS risk score has been determined for the worst case impact of these issues on ScreenOS.
Acknowledgements: