Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2016-04 Security Bulletin: ScreenOS: Multiple Vulnerabilities in OpenSSL



Article ID: JSA10733 SECURITY_ADVISORIES Last Updated: 14 Apr 2016Version: 3.0
Product Affected:
These issues can affect any product or platform running ScreenOS prior to 6.3.0r22
Following vulnerabilities in OpenSSL software included with ScreenOS have been addressed in ScreenOS 6.3.0 r22:
CVE CVSS v2 base score Summary
CVE-2015-1791 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL that can cause a denial of service.
CVE-2015-1790 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) The PKCS7_dataDecodefunction in crypto/pkcs7/pk7_doit.c in OpenSSL allows remote attackers to cause a denial of service via a crafted PKCS#7 blob.
CVE-2015-1789 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL allows remote attackers to cause a denial of service via a crafted length field in ASN1_TIME data.
CVE-2015-31955.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)The ASN1_TFLG_COMBINE implementation in OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

The following software releases have been updated to resolve this specific issue: ScreenOS 6.3.0 r22 (released April 6, 2016) and all subsequent releases.

These issues are being tracked as PR 1100194 and 1144749 and are visible on the Customer Support website.

Methods to reduce the risk associated with this issue include:
  • Limit access to SSL ports to only trusted hosts.
  • Disabling web administrative services will mitigate the risk of this issue:
    • unset int eth0/0 manage web
  • Refer to KB6713 for enabling SSH on the firewall.
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via the network only from trusted, administrative networks or hosts.

How to obtain fixed software:
Software release Service Packages are available at from the "Download Software" links. Select your appropriate Selected Products, or browse by Series or Technology, once you find the appropriate fixed version(s) for your needed platform download and apply the updated version(s) of choice.

Modification History:
Modification History:

2016-04-13: Initial publication
2016-04-14: Updated workaround section

CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Severity Level:
Severity Assessment:
The CVSS risk score has been determined for the worst case impact of these issues on ScreenOS.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search