-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0490
         2014-04 Out of Cycle Security Bulletin: Multiple products
          affected by OpenSSL "Heartbleed" issue (CVE-2014-0160)
                               11 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
                   Odyssey client
                   SSL VPN (IVEOS)
                   UAC
                   Junos Pulse (Desktop)
                   Network Connect (windows only)
                   Junos Pulse (Mobile)
Publisher:         Juniper Networks
Operating System:  Juniper
                   Windows
                   Android
                   Apple iOS
                   OS X
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin: 
   http://kb.juniper.net/JSA10623

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-04 Out of Cycle Security Bulletin: Multiple products affected by OpenSSL 
"Heartbleed" issue (CVE-2014-0160)

Categories:

Junos
Router Products
SA Series (SSL VPN)
UAC Series
Switch Products
SSL_VPN_(IVE_OS)
Junos Pulse (Desktop)
Junos Platform
MAG Series
SIRT Advisory

Security Advisories ID:		JSA10623
Last Updated:			10 Apr 2014
Version:			22.0

PRODUCT AFFECTED:

Various products: Please see the list in the problem section

PROBLEM:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not 
properly handle Heartbeat Extension packets, which allows remote attackers to 
obtain sensitive information (such as private keys, usernames and passwords, 
or contents of encrypted traffic) from process memory via crafted packets 
that trigger a buffer over-read. This issue is also known as the Heartbleed 
Bug.

Status of different OpenSSL versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable
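The defect described in the problem section is a missing length check: the heartbeat handler trusted the payload length declared by the peer and copied that many bytes out of a record that could be far shorter. The following C example is added to this bulletin and is not code from Juniper or the OpenSSL project; it shows a heartbeat parser that applies the bounds check OpenSSL 1.0.1g introduced, and builds a response only from bytes the peer actually sent. The function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS/DTLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, network order) | payload | padding (>= 16 bytes)
 * In OpenSSL 1.0.1 through 1.0.1f the declared payload_length was trusted and
 * that many bytes were copied from the record buffer into the response, so a
 * short record declaring a large payload disclosed adjacent process memory.
 * OpenSSL 1.0.1g added the bounds check implemented below. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Returns the declared payload length if header + payload + minimum padding
 * actually fit inside the received record, or -1 if the message must be
 * silently discarded (the behaviour RFC 6520 section 4 requires). */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                               /* too short to carry any payload */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;                               /* unknown heartbeat type */
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    /* The check that was missing: never believe a length the peer did not back with bytes. */
    if ((size_t)HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len)
        return -1;
    return (int)payload;
}

/* Builds a heartbeat_response for a validated request. Returns the response
 * length, or -1 if the request is malformed or the output buffer is too small. */
int heartbeat_build_response(const uint8_t *req, size_t req_len,
                             uint8_t *out, size_t out_cap)
{
    int payload = heartbeat_payload_len(req, req_len);
    if (payload < 0 || req[0] != HB_REQUEST)
        return -1;
    size_t resp_len = HB_HEADER_LEN + (size_t)payload + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* Only bytes the peer actually sent are echoed back. */
    memcpy(out + HB_HEADER_LEN, req + HB_HEADER_LEN, (size_t)payload);
    /* Padding is zeroed here for determinism; real stacks use random bytes. */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_request[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Declares a 16384-byte payload, but the record is only 23 bytes long. */
static const uint8_t overclaiming_request[] = {
    HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Large enough for any legal response (payload_length is 16 bits). */
static uint8_t response_buf[HB_HEADER_LEN + 0xffff + HB_MIN_PADDING];

int main(void)
{
    printf("well-formed request:   payload %d, response %d bytes\n",
           heartbeat_payload_len(good_request, sizeof good_request),
           heartbeat_build_response(good_request, sizeof good_request,
                                    response_buf, sizeof response_buf));
    printf("over-claiming request: payload %d, response %d\n",
           heartbeat_payload_len(overclaiming_request, sizeof overclaiming_request),
           heartbeat_build_response(overclaiming_request, sizeof overclaiming_request,
                                    response_buf, sizeof response_buf));
    return 0;
}
```

The well-formed request yields a 23-byte response; the over-claiming request is rejected before any copy happens, which is exactly the difference between 1.0.1f and 1.0.1g.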

Vulnerable Products
- - Junos OS 13.3R1
- - Odyssey client 5.6r5 and later
- - SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later 
(Fixed code is listed in the "Solution" section)
- - UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the 
"Solution" section)
- - Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and 
later
- - Network Connect (Windows only) versions 7.4R5 to 7.4R9.1 and 8.0R1 to 8.0R3.1 
(This client is only impacted when used in FIPS mode.)
- - Junos Pulse (Mobile) on Android version 4.2R1 and higher.
- - Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only 
impacted when used in FIPS mode.)

Products Not Vulnerable
- - Junos OS 13.2 and earlier are not vulnerable
- - Non-FIPS versions of the Network Connect client are not vulnerable
- - SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
- - SRX Series is not vulnerable
- - Junos Space is not vulnerable
- - NSM is not vulnerable
- - Pulse 4.0r4 and earlier is not vulnerable
- - QFabric Director is not vulnerable
- - CTPView is not vulnerable
- - vGW/FireFly Host is not vulnerable
- - Firefly Perimeter is not vulnerable
- - ScreenOS is not vulnerable
- - UAC 4.3, 4.2, and 4.1 are not vulnerable
- - JUNOSe is not vulnerable
- - Odyssey client 5.6r4 and earlier are not vulnerable
- - Junos Pulse (Mobile) on iOS (Non-FIPS Mode) is not vulnerable
- - WX-Series is not vulnerable
- - Junos DDoS Secure is not vulnerable
- - STRM/JSA is not vulnerable
- - WebApp Secure is not vulnerable
- - Media Flow Controller is not vulnerable
- - SBR Carrier is not vulnerable
- - SBR Enterprise is not vulnerable
- - Junos Pulse Mobile Security Suite is not vulnerable
- - SRC Series is not vulnerable

Products currently under investigation

- - Stand Alone IDP
- - ADC
- - WL-Series (SmartPass)

Juniper continues to investigate this issue and as new information becomes 
available this document will be updated.

This issue has been assigned CVE-2014-0160.

SOLUTION:

We are working around the clock to provide fixed versions of code for our 
affected products.

SSL VPN (IVEOS):
Juniper Networks has released IVEOS 8.0R3.1 and 7.4R9.1. For more information 
surrounding this issue for this platform please see KB: 
http://kb.juniper.net/kb29004

UAC:
Juniper Networks will release (ETA April 10th, 2014) UAC 5.0r3.2. For more 
information surrounding this issue for this platform please see KB: 
http://kb.juniper.net/kb29007

Junos: 
Junos OS 13.3R1.6, 13.3R1.7, and 13.3R1-S1 have been recalled and will be 
re-released with fixes to resolve this issue.

IDP Signatures:
Juniper has released signatures to detect this issue:

Sigpack 2362 released:
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/updates.xml
https://signatures.juniper.net/restricted/sigupdates/nsm-updates/2362.html

SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure:
http://signatures.juniper.net/documentation/signatures/SSL%3AOPENSSL-TLS-DTLS-HEARTBEAT.html

Note: This advisory will be updated with fixed software versions as they are 
made available to our customers.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Junos:
- - Since SSL is used for remote network configuration and management 
applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable 
workarounds for this issue in Junos may include:
	- Disabling J-Web
	- Disabling the SSL service for JUNOScript and using only NETCONF, which 
	runs over SSH, to make configuration changes
	- Limiting access to J-Web and XNM-SSL to trusted networks only
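The Junos workaround above, written out as configuration-mode statements. This is an example added to the bulletin, not configuration published by Juniper; it assumes Junos set-style syntax, that XNM-SSL listens on TCP 3220 and J-Web HTTPS on TCP 443 (verify both against your release), and uses 192.0.2.0/24 as a constructed trusted management prefix. Lines beginning with # are explanatory notes, not CLI input.

```text
# Option A: remove the SSL-terminating management services entirely.
delete system services web-management
delete system services xnm-ssl

# Keep configuration management available over SSH-based NETCONF,
# which does not depend on the affected OpenSSL code path.
set system services netconf ssh

# Option B: if J-Web or XNM-SSL must stay enabled, restrict who may reach them
# with a Routing Engine filter on lo0. 192.0.2.0/24 is a constructed value.
set firewall family inet filter protect-re term trusted-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-re term trusted-mgmt from protocol tcp
set firewall family inet filter protect-re term trusted-mgmt from destination-port [ 443 3220 ]
set firewall family inet filter protect-re term trusted-mgmt then accept
set firewall family inet filter protect-re term block-mgmt from protocol tcp
set firewall family inet filter protect-re term block-mgmt from destination-port [ 443 3220 ]
set firewall family inet filter protect-re term block-mgmt then discard
set firewall family inet filter protect-re term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input protect-re

# Review with "show | compare" before committing.
commit
```

Option A removes the exposure outright and is preferable where J-Web is not required; Option B only narrows the set of hosts able to send heartbeat records to the management plane, so it reduces rather than eliminates the risk until fixed Junos OS 13.3R1 builds are installed.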

SSL VPN/UAC:
- - Other than downgrading to an unaffected release, there are no workarounds 
for this issue.

IMPLEMENTATION:
 
RELATED LINKS: 

OpenSSL Security Advisory

CVSS SCORE:

9.4 (AV:N/AC:L/Au:N/C:C/I:C/A:N)

RISK LEVEL:

Critical

RISK ASSESSMENT:

We consider this to be a critical issue. The sensitive information 
potentially exposed by this issue can be leveraged to further compromise the 
system. Exploits are known to exist in the wild. Information for how Juniper 
Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring 
System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----