===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1425
    2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on
   sub-1024 DH groups, and active downgrade attack of TLS to DHE_EXPORT
                               (CVE-2015-4000)
                                 1 June 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS (XNM-SSL)
                   WXOS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-4000

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10681

--------------------------BEGIN INCLUDED TEXT--------------------

2015-05 Out of Cycle Security Bulletin: "Logjam" passive attack on sub-1024
DH groups, and active downgrade attack of TLS to DHE_EXPORT (CVE-2015-4000)

Categories: Junos, Router Products, CTP Series, J-series, M-series,
T-series, MX-series, Security Products, Switch Products, EX Series,
Security Advisories

ID:               JSA10681
Last Updated:     29 May 2015
Version:          1.0
Product Affected: See Problem section below

Problem:

Diffie-Hellman key exchange is a popular cryptographic algorithm that
allows Internet protocols to agree on a shared key and negotiate a secure
connection. It is fundamental to many protocols including HTTPS, SSH,
IPsec, and protocols that rely on TLS. On May 20, 2015, researchers
uncovered several weaknesses in how Diffie-Hellman key exchange has been
deployed, among them the "Logjam attack" against the TLS protocol. The
"Logjam attack" allows a man-in-the-middle attacker to downgrade vulnerable
TLS connections to 512-bit export-grade cryptography. This allows the
attacker to read and modify any data passed over the connection.
The attack is reminiscent of the FREAK attack, but is due to a flaw in the
TLS protocol rather than an implementation vulnerability, and attacks a
Diffie-Hellman key exchange rather than an RSA key exchange. The attack
affects any server that supports DHE_EXPORT ciphers.

Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN
servers all use the same prime numbers for Diffie-Hellman key exchange.
Practitioners believed this was safe as long as new key exchange messages
were generated for every connection. However, the first step in the number
field sieve, the most efficient algorithm for breaking a Diffie-Hellman
connection, is dependent only on this prime. After this first step, an
attacker can quickly break individual connections. See https://weakdh.org
for more info.

Affected Products
  Junos OS (XNM-SSL)*
  WXOS

Products Not Affected
  Junos OS (J-Web, SSH, IPsec/IKE)
  Junos Space
  ScreenOS
  STRM/JSA
  CTP/CTPView

Products Under Investigation
  NSM/NSMXpress
  Firefly Host

* See Product Status in Solution section below for specific versions of
  Junos OS.

Background and SIRT Analysis:

There are two aspects to "Logjam", both related to Diffie-Hellman key
exchange:

  1. Active downgrade attack of TLS sessions: Affects SSL/TLS
     (CVE-2015-4000)
  2. Passive attack on a DH group <= 1024: Can affect SSL/TLS, IPsec/IKE,
     and SSH

The active downgrade attack (1) is very similar to the previously published
FREAK vulnerability, which has been addressed by JSA10679. The active
attack is only against TLS sessions, and its purpose is to downgrade from a
non-DHE_EXPORT ciphersuite to a DHE_EXPORT ciphersuite when the server
supports DHE_EXPORT but the client does not.

The passive attack (2) is not technically considered a product security
vulnerability by the Juniper SIRT, but rather a previously known weakness
in smaller DH groups. As compute power increases, key strength must
increase to maintain the same level of defense against brute force attack.
Solution:

Product Status

Junos:

SSL/TLS: SSL is used for remote network configuration and management
applications such as J-Web and SSL Service for JUNOScript (XNM-SSL).

J-Web is not vulnerable. Export cipher suites (1) negotiated by J-Web are
disabled by default in all supported versions of Junos.

XNM-SSL is vulnerable in earlier releases. Export cipher suites (1) used by
XNM-SSL follow the defaults for OpenSSL found within each version of Junos.
Export cipher suites are disabled by default in OpenSSL 1.0.1m and 0.9.8zf
(Junos PR 1072809), corresponding to Junos OS 12.1X44-D55, 12.1X46-D40,
12.1X47-D25, 12.3R10, 12.3X48-D20, 13.2R8, 13.3R7, 14.1R5, 14.2R3, 15.1R1,
and all subsequent releases.

SSH: SSH is configurable to use 2048-bit (dh-group14-sha1) keys with a
default of 1024:

    [edit system services ssh]
    user@junos# set key-exchange ?
    Possible completions:
      [                    Open a set of values
      dh-group1-sha1       The RFC 4253 mandated group1 with SHA1 hash
      dh-group14-sha1      The RFC 4253 mandated group14 with SHA1 hash
      ecdh-sha2-nistp256   The EC Diffie-Hellman on nistp256 with SHA2-256
      ecdh-sha2-nistp384   The EC Diffie-Hellman on nistp384 with SHA2-384
      ecdh-sha2-nistp521   The EC Diffie-Hellman on nistp521 with SHA2-512
      group-exchange-sha1  The RFC 4419 group exchange with SHA1 hash
      group-exchange-sha2  The RFC 4419 group exchange with SHA2-256 hash

IPsec/IKE: The paper describing this attack describes Diffie-Hellman Group
1 as potentially vulnerable to an academic group, and DH Group 2 as
potentially vulnerable to a nation-state actor. In order to avoid potential
exposure, the use of these two groups should be avoided.
Configuration options that could select these groups are:

    [edit security group-vpn member ike policy policy-name]
    [edit security group-vpn server ike policy policy-name]
    [edit security ike policy policy-name]

in which the policy includes a reference to any of the pre-defined IKE
exchange proposals shown below that contain groups 1 and 2:

basic: Basic set of two IKE proposals:
  Proposal 1: Preshared key, Data Encryption Standard (DES) encryption, and
              Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1
              (SHA-1) authentication.
  Proposal 2: Preshared key, DES encryption, and DH group 1 and Message
              Digest 5 (MD5) authentication.

compatible: Set of four commonly used IKE proposals:
  Proposal 1: Preshared key, triple DES (3DES) encryption, and Gnutella2
              (G2) and SHA-1 authentication.
  Proposal 2: Preshared key, 3DES encryption, and DH group 2 and MD5
              authentication.
  Proposal 3: Preshared key, DES encryption, and DH group 2 and SHA-1
              authentication.
  Proposal 4: Preshared key, DES encryption, and DH group 2 and MD5
              authentication.

standard: Standard set of two IKE proposals:
  Proposal 1: Preshared key, 3DES encryption, and DH group 2 and SHA-1
              authentication.
  Proposal 2: Preshared key, Advanced Encryption Standard (AES) 128-bit
              encryption, and DH group 2 and SHA-1 authentication.

The same would apply to a custom IKE or IPsec proposal that contains
references to groups 1 or 2. These are configured under:

    [edit security ike proposal]
    [edit security ipsec policy keys]

Note that Junos does not ship with pre-computed Diffie-Hellman keys (2).
All DH keys are ephemeral; they are generated for a single SA and are never
re-used.

Junos Space: Junos Space does not support Diffie-Hellman keys for SSL/TLS
and is therefore not vulnerable (1). OpenSSH defaults to 2048-bit
diffie-hellman-group14-sha1 (2), but can be configured to use other key
exchange algorithms by modifying the KexAlgorithms parameter within
/etc/ssh/sshd_config.

NSM: Still under investigation.
ScreenOS: ScreenOS is not vulnerable to the SSL/TLS downgrade attack (1).
ScreenOS supports Diffie-Hellman Groups 1, 2, 5 & 14:
http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf
KB14667 also notes that ScreenOS supports DH Groups 5 and 14 (depending on
version), which are currently considered strong enough to address concerns
over brute-force attack (2).

Firefly Host: Still under investigation.

STRM/JSA: httpd does not use export grade ciphers (1), and the
Diffie-Hellman ciphers that are in use with httpd are 1024 bit (2). httpd
will be updated to use 2048-bit Diffie-Hellman ciphers in a future release.
Server-side Java is not vulnerable as httpd controls the ciphers; however,
client-side Java connecting out to integrations may be vulnerable. Java
will be updated in the near future to mitigate this.

CTP/CTPView: CTP does not have an SSL/TLS listener and SSH is not
configurable. CTPView does not support Diffie-Hellman nor export-grade
ciphers.

Workaround:

Junos: Since SSL is used for remote network configuration and management
applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable
workarounds for this issue in Junos may include:

  - Disabling J-Web
  - Disabling the SSL service for JUNOScript and using only NETCONF, which
    makes use of SSH, to make configuration changes
  - Limiting access to J-Web and XNM-SSL to trusted networks only

Note that J-Web is not vulnerable in any release of Junos OS, and XNM-SSL
is only vulnerable in releases prior to those listed in the Solution
section above.

In addition to the recommendations listed above, it is good security
practice to limit the exploitable attack surface of critical infrastructure
networking equipment. Use access lists or firewall filters to limit access
to the router via SSL and SSH only from trusted, administrative networks or
hosts.
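The Junos checks in the Solution and Workaround sections, as an added example that is not part of the bulletin or Juniper's code: a small Python audit over "display set" style configuration lines that flags the XNM-SSL service (aspect 1) and any SSH or IKE selection of a DH group of 1024 bits or less (aspect 2). It assumes the standard Junos "proposal-set" and "dh-group" keywords, takes the MODP group sizes from RFC 2409 and RFC 3526, and runs on a constructed sample configuration.

```python
"""Audit Junos 'show configuration | display set' output for the two Logjam
aspects in JSA10681: (1) the XNM-SSL service, whose export suites followed
OpenSSL defaults before the fixed releases, and (2) SSH or IKE selections of
a Diffie-Hellman group of 1024 bits or less. Added illustration, not Juniper's
code; the SAMPLE configuration is constructed."""
import re

# MODP group sizes from RFC 2409 (groups 1, 2) and RFC 3526 (groups 5, 14)
MODP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}
# Fixed-size SSH kex methods from the bulletin's 'set key-exchange ?' listing;
# group-exchange-* (negotiated size) and ecdh-* (elliptic) are not classified.
SSH_KEX_BITS = {"dh-group1-sha1": 768, "dh-group14-sha1": 2048}
# Pre-defined IKE proposal sets and the DH groups the bulletin lists for them
PROPOSAL_SETS = {"basic": {"group1"}, "compatible": {"group2"}, "standard": {"group2"}}

SAMPLE = """\
set system services xnm-ssl
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange dh-group14-sha1
set security ike proposal ike-prop-a dh-group group2
set security ike proposal ike-prop-b dh-group group14
set security ike policy vpn-pol proposal-set compatible
set security ike policy vpn-pol-2 proposals ike-prop-b
"""

def audit(config, threshold=1024):
    """Return (aspect, location, detail) for each exposed setting in config."""
    findings = []
    for line in config.splitlines():
        if line.startswith("set system services xnm-ssl"):
            findings.append((1, "xnm-ssl", "disable, or upgrade to a fixed release"))
        m = re.match(r"set system services ssh key-exchange (\S+)$", line)
        if m and SSH_KEX_BITS.get(m.group(1), threshold + 1) <= threshold:
            findings.append((2, "ssh " + m.group(1), SSH_KEX_BITS[m.group(1)]))
        m = re.match(r"set security ike proposal (\S+) dh-group (\S+)$", line)
        if m and MODP_BITS.get(m.group(2), threshold + 1) <= threshold:
            findings.append((2, "ike proposal " + m.group(1), MODP_BITS[m.group(2)]))
        m = re.match(r"set security ike policy (\S+) proposal-set (\S+)$", line)
        if m:
            for group in sorted(PROPOSAL_SETS.get(m.group(2), ())):
                if MODP_BITS[group] <= threshold:
                    findings.append((2, "ike policy " + m.group(1), MODP_BITS[group]))
    return findings

if __name__ == "__main__":
    for aspect, where, detail in audit(SAMPLE):
        print(f"Logjam aspect ({aspect}): {where}: {detail}")
```

Policies that reference a custom proposal by name (the "proposals ike-prop-b" line) are covered by checking the proposal's own dh-group line, which is why ike-prop-b with group14 produces no finding.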
Implementation:

Modification History:
  2015-05-29: Initial publication

Related Links:
  The Logjam Attack
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories
  JSA10679: 2015-04 Security Bulletin: OpenSSL 8th January 2015 advisory

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Risk Level: Low

Risk Assessment: Information for how Juniper Networks uses CVSS can be
found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================