2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory.

Product Affected: Multiple products.

Problem: The OpenSSL project has published a security advisory for vulnerabilities resolved in the OpenSSL library on January 8th 2015:

CVE            CVSS v2 base score                  Summary
CVE-2014-3569  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)    OpenSSL denial of service (NULL pointer dereference and daemon crash) vulnerability.
CVE-2014-3570  5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)    OpenSSL cryptographic error related to BN_sqr implementation.
CVE-2014-3572  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)    OpenSSL ECDHE-to-ECDH downgrade attack vulnerability.
CVE-2014-8275  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)    OpenSSL weak fingerprint-based certificate-blacklist protection mechanism.
CVE-2015-0204  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)    OpenSSL client RSA-to-EXPORT_RSA downgrade attack, related to the “FREAK” issue.
CVE-2015-0205  5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)    OpenSSL insufficient Diffie-Hellman (DH) certificate verification.

In addition to the above, this OpenSSL advisory also lists CVE-2014-3571 and CVE-2015-0206, which only affect the DTLS protocol. DTLS is not used in any Juniper product, so these two CVEs do not affect any Juniper product.

Vulnerable Products:
Junos OS is potentially affected by one or more of the vulnerabilities. The Junos J-Web interface is not vulnerable to the “FREAK” issue; however, Junos client-side components that use OpenSSL to connect to vulnerable servers may be at risk from the FREAK vulnerability. Servers hosted by Juniper that Junos devices connect to over SSL/TLS for updates are not vulnerable to the “FREAK” issue.
CTP software is potentially vulnerable to one or more vulnerabilities.
ScreenOS is potentially vulnerable only to CVE-2014-8275 and CVE-2015-0205. The rest of the CVEs in this advisory do not affect ScreenOS.
Junos Space is potentially vulnerable to one or more vulnerabilities.
NSM is potentially vulnerable to one or more vulnerabilities.
DDoS Secure is potentially affected by one or more vulnerabilities.
IDP is potentially affected by one or more of the vulnerabilities.
Pulse Secure: please refer to KB29833.
SBR Carrier is potentially affected by one or more of the vulnerabilities.
SRC Series is potentially affected by one or more of the vulnerabilities.
vGW is potentially affected by one or more of the vulnerabilities.
RingMaster Appliance is potentially affected by one or more of the vulnerabilities.

Products not vulnerable:
Smartpass does not use OpenSSL and is not vulnerable.
RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above, this document will be updated.

Solution:

Junos OS: These issues are resolved in the following releases, and all subsequent releases:
  12.1X44-D50 (pending release)
  12.1X46-D35 (pending release)
  12.1X47-D25 (pending release)
  12.3R10
  12.3X48-D10
  13.2R8
  13.3R6
  14.1R5 (pending release)
  14.2R3 (pending release)

CTP: These issues are resolved in CTPOS 7.1R1, 7.0R4, 6.6R5, CTPView 7.1R1 and all subsequent releases (PR 1068919, 1068918).
NSM: The OpenSSL library is to be upgraded in 2012.2R11 (pending release) (PR 1069107).
DDoS Secure: The OpenSSL library is upgraded in the next DDoS Secure software update, which is pending release (PR 1072982).
IDP: The OpenSSL library is to be upgraded in the next software update, which is pending release (PR 1072987).
Junos Space: A resolution is pending (PR 1069102).
SBR Carrier: A resolution is pending (PR 1072991).
SRC Series: A resolution is pending (PR 1073259).
ScreenOS: A resolution is pending (PR 1057485).
vGW: A resolution is pending (PR 1073007).
RingMaster Appliance: A resolution is pending (PR 1073266).

Workaround: Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against remote malicious attacks.

Junos OS: Since SSL is used for remote network configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
  Disabling J-Web.
  Disabling the SSL service for JUNOScript and using only NETCONF, which makes use of SSH, to make configuration changes.
  Limiting access to J-Web and XNM-SSL to trusted networks only.

ScreenOS: As a temporary workaround for the server side of ScreenOS, you can disable the HTTPS web user interface and the WebAuth feature. If you disable the HTTPS user interface, configuration management must be done over the command line (SSH). The command to disable SSL is the following:
  unset ssl enable
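One way to apply the Junos workarounds above, as an added configuration example that is not taken from the bulletin: it keeps NETCONF over SSH, omits the xnm-ssl service, and uses a loopback (control-plane) filter so that J-Web and XNM-SSL are reachable only from a trusted prefix. It assumes 192.0.2.0/24 as a placeholder management network and 3220 as the default XNM-SSL port.

```junos
/* Added example, not from the bulletin. 192.0.2.0/24 is a placeholder for
   your management prefix; 3220 is the default XNM-SSL port. */
system {
    services {
        ssh;
        netconf {
            ssh;
        }
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* J-Web (https) and XNM-SSL only from the trusted prefix. */
            term ALLOW-TRUSTED-MGMT {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ https 3220 ];
                }
                then accept;
            }
            term DENY-OTHER-MGMT {
                from {
                    protocol tcp;
                    destination-port [ https 3220 ];
                }
                then discard;
            }
            /* Last term: leave SSH, routing protocols, etc. untouched. */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Load it with `load merge` after removing any existing xnm-ssl statement (`delete system services xnm-ssl`), and confirm the trusted prefix covers the host you are committing from before using `commit confirmed`.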

Implementation: Software releases or updates are available at https://www.juniper.net/support/downloads/.

Modification History: 2015-04-08: Initial release.

Related Links:

CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Risk Level: Medium

Risk Assessment: Information on how Juniper Networks uses CVSS can be found at KB 16446 “Common Vulnerability Scoring System (CVSS) and Juniper’s Security Advisories.”

Acknowledgements:
