===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0971
     2014-06 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN)
      and Junos Pulse Access Control Service (UAC): Weak SSL cipher allowed
   unexpectedly when higher level cipher group is configured (CVE-2014-3812)
                               13 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Pulse Secure Access Service (SSL VPN)
                   Junos Pulse Access Control Service (UAC)
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3812

Original Bulletin:
  http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10628

--------------------------BEGIN INCLUDED TEXT--------------------

2014-06 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN) and
Junos Pulse Access Control Service (UAC): Weak SSL cipher allowed
unexpectedly when higher level cipher group is configured (CVE-2014-3812)

Security Advisories ID: JSA10628
Last Updated:           11 Jun 2014
Version:                3.0

Product Affected:
SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500,
FIPS SA6500, MAG2600, MAG4610, MAG6610, MAG6611, IC4000, IC4500, IC6000,
IC6500, and FIPS IC6500. The affected software releases include IVE OS 7.4
and 8.0, and UAC 4.4 and 5.0.

Problem:
A weak cipher issue has been discovered on the Junos Pulse Secure Access
Service (SSL VPN) and Junos Pulse Access Control Service OS devices. When
the device is configured to use a higher level cipher setting, a lower
level cipher was unexpectedly enabled in error. While clients should
always negotiate the highest available cipher, older clients may have
negotiated a lower, and therefore less secure, cipher.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this
issue.

This issue has been assigned CVE-2014-3812.

Solution:
Software updates to IVE OS and UAC have been released to resolve this
issue. Releases containing the fix include IVE OS 8.0r1 and 7.4r5, UAC
5.0r1 and 4.4r5, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes the
releases in which vulnerabilities are fixed as per our End of Engineering
and End of Life support policies.

Workaround:
There is no workaround for this issue. An upgrade to a fixed version of
software is required for the fix.

Implementation:
Software release Service Packages are available at
http://support.juniper.net from the "Download Software" links. Select
"Secure Access (SA) / SSL VPN" or UAC and choose the version applicable to
your environment and installation.

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
           Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVE-2014-3812: Weak SSL cipher allowed unexpectedly when higher level
cipher group is configured

CVSS Score:
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Level:      Medium

Acknowledgements:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
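The bulletin's core finding is that the cipher set a device actually offered did not match the cipher group an operator had selected. As an added example, not code from Juniper or AusCERT, the following Python audit expands an OpenSSL cipher-group string into the suites the local OpenSSL build really enables and flags any suite below a policy minimum; the WEAK_TOKENS pattern and the SAMPLE suite list are constructed for illustration and are not taken from the affected products.

```python
import re
import ssl

# Constructed policy: algorithm tokens that are weak regardless of the
# nominal key size OpenSSL reports (RC4 claims 128 bits yet is broken).
WEAK_TOKENS = re.compile(
    r"(^|-)(RC4|DES|3DES|EXP\w*|NULL|ADH|AECDH|MD5|IDEA|SEED)(-|$)")


def classify(name, strength_bits, min_bits=128):
    """Return why a suite violates the policy, or None if it complies."""
    if strength_bits < min_bits:
        return f"{strength_bits}-bit < {min_bits}-bit minimum"
    if WEAK_TOKENS.search(name):
        return "weak algorithm"
    return None


def audit_suites(suites, min_bits=128):
    """suites: (name, strength_bits) pairs. Returns [(name, reason)]."""
    findings = []
    for name, bits in suites:
        reason = classify(name, bits, min_bits)
        if reason:
            findings.append((name, reason))
    return findings


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher-group string such as "HIGH" into the
    suites the local OpenSSL build really enables, with strength bits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def audit_cipher_string(cipher_string, min_bits=128):
    """Audit a configured group by what it enables, not by its label."""
    return audit_suites(enabled_suites(cipher_string), min_bits)


# Constructed sample of a "high" group that silently carries weak suites.
SAMPLE = [("ECDHE-RSA-AES256-GCM-SHA384", 256), ("AES128-SHA", 128),
          ("DES-CBC3-SHA", 112), ("RC4-SHA", 128)]

if __name__ == "__main__":
    for name, reason in audit_suites(SAMPLE):
        print(f"FLAG {name}: {reason}")
    print("HIGH findings:", audit_cipher_string("HIGH:!aNULL:!eNULL"))
```

Feeding the audit the suite list a scanner observed from the appliance, rather than the group name shown in its configuration, is what would have exposed the mismatch this bulletin describes.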