Product Affected: These issues can affect any product or platform running ScreenOS prior to 6.3.0r22.

Problem: The following vulnerabilities in the OpenSSL software included with ScreenOS have been addressed in ScreenOS 6.3.0r22:
Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL that can cause a denial of service.
The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL allows remote attackers to cause a denial of service via a crafted PKCS#7 blob.
The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL allows remote attackers to cause a denial of service via a crafted length field in ASN1_TIME data.
The ASN1_TFLG_COMBINE implementation in OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.
Solution: The following software release has been updated to resolve these issues: ScreenOS 6.3.0r22 (released April 6, 2016) and all subsequent releases. These issues are being tracked as PR 1100194 and PR 1144749 and are visible on the Customer Support website.
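The fix boundary above is a single version string, so the practical check is whether a device's reported build sorts below 6.3.0r22. The following is an added example, not Juniper code; it assumes the version layout ScreenOS prints on the "Software Version:" line of `get system` (major.minor.patch, the letter r, a release number and an optional sub-release, e.g. 6.3.0r12.0), and the sample `get system` text in it is constructed rather than captured from a device.

```python
"""Check whether a ScreenOS build is below the 6.3.0r22 fix level named in this advisory.

Added example, not Juniper code. It assumes the version format ScreenOS prints in
`get system` ("Software Version: 6.3.0r12.0, Type: Firewall+VPN"): major.minor.patch,
the letter 'r', a release number and an optional sub-release.
"""
import re
from typing import Optional, Tuple

# First release that contains the OpenSSL fixes, per the Solution section.
FIXED_VERSION = "6.3.0r22"

# Assumed layout: 6.3.0r12.0 -> (6, 3, 0, 12, 0); a missing sub-release counts as 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)(?:\.(\d+))?$")


def parse_screenos_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '6.3.0r22' or '6.3.0r12.0' into a comparable tuple; raise on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ScreenOS version string: {version!r}")
    major, minor, patch, rel, sub = m.groups()
    return (int(major), int(minor), int(patch), int(rel), int(sub or 0))


def is_affected(version: str) -> bool:
    """True when the build predates 6.3.0r22 and so still carries the vulnerable OpenSSL."""
    return parse_screenos_version(version) < parse_screenos_version(FIXED_VERSION)


def version_from_get_system(output: str) -> Optional[str]:
    """Pull the version out of `get system` output; None if the line is absent."""
    m = re.search(r"Software Version:\s*([0-9.]+r[0-9.]+)", output)
    return m.group(1) if m else None


def triage(output: str) -> str:
    """One-line verdict for a captured `get system`; 'unknown' if no version line was found."""
    version = version_from_get_system(output)
    if version is None:
        return "unknown: no 'Software Version:' line in output"
    if is_affected(version):
        return f"affected: {version} is below {FIXED_VERSION}"
    return f"not affected: {version} is {FIXED_VERSION} or later"


if __name__ == "__main__":
    # Constructed sample of the relevant `get system` line; not captured from a real device.
    sample = "Product Name: SSG140\nSoftware Version: 6.3.0r12.0, Type: Firewall+VPN\n"
    print(triage(sample))
```

Comparing as an integer tuple rather than as a string matters here: a plain string comparison would rank "6.3.0r9" above "6.3.0r22". Any version string the regex does not recognise raises rather than silently reporting "not affected".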
Workaround: There are no known workarounds for these issues.
How to obtain fixed software: Software release Service Packages are available at http://support.juniper.net from the “Download Software” links. Select the appropriate product (or browse by Series or Technology), locate the fixed version for your platform, then download and apply it.
Modification History: 2016-04-13: Initial publication
CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Assessment: The CVSS score has been determined for the worst-case impact of these issues on ScreenOS.