Thursday, 19 June 2014

Junos software release 14.1R1


Product Affected:
All Juniper Networks platforms running Junos Operating System software
Alert Description:
This bulletin is to notify Juniper Networks customers that Junos software release 14.1R1 has been released. The software and documentation are available for download from the Juniper Networks software download page.

Thursday, 12 June 2014

NetScreen Firewall: DNS lookup issue may cause denial of service

Product Affected:

NetScreen Firewalls
Problem:
A Denial of Service (DoS) issue has been found in Juniper Networks NetScreen Firewall products. When encountered, this issue can cause the device to crash and reboot. If an attacker were to repeatedly exploit the issue a sustained denial of service could take place on the device. The issue is not encountered unless a feature is enabled that requires the device to use its built-in DNS lookup client.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

Solution:
A software update for ScreenOS has been released to resolve this issue. The fix is included in ScreenOS 6.3r17 and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
There is no workaround for this issue. Upgrade to a fixed version of the software to resolve it.

Monday, 9 June 2014

Configuring IS-IS

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IS-IS:
  1. Enable IS-IS if your router is in a secure context.
    [edit security forwarding-options family iso]
    user@R1# set mode packet-based
  2. Create the interface that connects to Device R2, and configure the ISO family on the interface.
    [edit interfaces ge-1/2/0 unit 0]
    user@R1# set description to-R2
    user@R1# set family inet address 10.0.0.1/30
    user@R1# set family iso
  3. Create the loopback interface, set the IP address, and set the NET address.
    [edit interfaces lo0 unit 0]
    user@R1# set family inet address 192.168.0.1/32
    user@R1# set family iso address 49.0002.0192.0168.0001.00
  4. Enable IS-IS on the interfaces.
    [edit protocols isis]
    user@R1# set interface ge-1/2/0.0
    user@R1# set interface lo0.0

Results

From configuration mode, confirm your configuration by entering the show interfaces, show protocols, and show security commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
user@R1# show security
forwarding-options {
    family iso {
        mode packet-based;
    }
}
user@R1# show interfaces
ge-1/2/0 {
    unit 0 {
        description to-R2;
        family inet {
            address 10.0.0.1/30;
        }
        family iso;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 192.168.0.1/32;
        }
        family iso {
            address 49.0002.0192.0168.0001.00;
        }
    }
}
user@R1# show protocols
isis {
    interface ge-1/2/0.0;
    interface lo0.0;
}
If you are done configuring the device, enter commit from configuration mode.
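The NET set in step 3 is the one value in this procedure that is easy to get wrong and hard to see go wrong: a typo in the area or a copied system ID breaks adjacencies quietly. The following is an added example, not part of the Juniper documentation above: a small Python checker that splits a dotted NET into AFI, area, system ID and NSEL (insisting on NSEL 00, as a router NET requires) and audits a set of routers for duplicate system IDs. R1's NET is the page's; the R2 and R3 values are constructed for the example.

```python
import re

# Dotted NET layout as written in the Junos example above:
#   49 . 0002 . 0192.0168.0001 . 00
#   AFI  area  system ID (6 bytes) NSEL
# AFI is one byte; the area ID is 0..6 two-byte groups; NSEL is one byte.
_NET_RE = re.compile(
    r"^(?P<afi>[0-9a-f]{2})"
    r"(?P<area>(?:\.[0-9a-f]{4}){0,6})"
    r"\.(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\.(?P<nsel>[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_net(net: str) -> dict:
    """Split a NET into AFI, area, system ID and NSEL.

    Raises ValueError for a malformed string or a selector other than 00:
    a NET is the NSAP of the router itself, so its NSEL must be 00.
    """
    m = _NET_RE.match(net.strip())
    if not m:
        raise ValueError(f"not a valid NET: {net!r}")
    if m["nsel"] != "00":
        raise ValueError(f"NSEL must be 00 for a NET, got {m['nsel']!r}")
    return {
        "afi": m["afi"].lower(),
        "area": (m["afi"] + m["area"]).lower(),   # "49.0002" for the page's R1
        "system_id": m["sysid"].lower(),          # "0192.0168.0001"
        "nsel": m["nsel"],
    }


def audit_nets(nets: dict) -> list:
    """Check a set of router NETs (hostname -> NET) for common misconfigurations.

    Returns a list of findings: malformed NETs, and duplicate system IDs
    (two routers claiming the same IS-IS identity, which corrupts the
    link-state database and adjacency formation). Routers in more than one
    area are reported as a note, since that is only expected for an L1/L2 design.
    """
    findings = []
    parsed = {}
    for name, net in nets.items():
        try:
            parsed[name] = parse_net(net)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")

    owner = {}   # system ID -> first router seen with it
    for name, fields in parsed.items():
        sysid = fields["system_id"]
        if sysid in owner:
            findings.append(f"{name}: system ID {sysid} duplicates {owner[sysid]}")
        else:
            owner[sysid] = name

    areas = sorted({fields["area"] for fields in parsed.values()})
    if len(areas) > 1:
        findings.append(f"note: routers span areas {areas}")
    return findings


if __name__ == "__main__":
    # R1's NET is from the page; R2 and the faulty R3 are constructed for this example.
    topology = {
        "R1": "49.0002.0192.0168.0001.00",
        "R2": "49.0002.0192.0168.0002.00",
        "R3": "49.0002.0192.0168.0001.00",   # constructed: copies R1's system ID
    }
    for finding in audit_nets(topology):
        print(finding)
```

Run it against the NETs collected from `show interfaces lo0` on each router before committing; a clean run returns an empty list.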


Figure: Simple IS-IS Topology

Friday, 6 June 2014

Vulnerabilities in OpenSSL related to ChangeCipherSpec, DTLS, SSL_MODE_RELEASE_BUFFERS and ECDH ciphersuites


Problem:
OpenSSL published an advisory on June 5th regarding the following seven vulnerabilities, which have been fixed in OpenSSL versions 0.9.8za, 1.0.0m and 1.0.1h.

Following is a summary of vulnerabilities and their status with respect to Juniper products:

CVE-2014-0224 SSL/TLS MITM vulnerability
An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
  • Junos OS is vulnerable to this issue (PR 999736).
  • SSL VPN, UAC, Junos Pulse (except non-FIPS version on iOS), Network Connect (except non-FIPS version on Windows) are vulnerable (PR 999726).


CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • Junos OS is vulnerable to this issue (PR 988917).
  • SSL VPN is vulnerable to this issue (PR 988916).


CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • Junos OS: This issue has been resolved in all supported versions of Junos. All releases built on or after 2014-05-08 will contain the fix for this issue (PR 984416).
  • SSL VPN: This issue is fixed in IVE OS 8.0r4, and 7.4r11 and all subsequent releases (PR 986446).


CVE-2014-3470 Anonymous ECDH denial of service
OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
  • Junos Pulse is not vulnerable to this issue.
  • This issue is being investigated to see if any other Juniper software uses anonymous ECDH ciphersuites as a client.


CVE-2014-0076 ECDSA nonce disclosure using side-channel attack
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
  • Junos OS: releases prior to 13.3 are vulnerable to this issue (PR 982853).


CVE-2014-0221 DTLS recursion flaw
By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
  • Juniper SIRT is not aware of any Juniper products that use DTLS for communication. Juniper products are not vulnerable to this issue.


CVE-2014-0195 DTLS invalid fragment vulnerability
A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
  • Juniper SIRT is not aware of any Juniper products that use DTLS for communication. Juniper products are not vulnerable to this issue.


Juniper is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.
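Each of the seven entries above combines a version range with a usage precondition (client or server role, DTLS, SSL_MODE_RELEASE_BUFFERS, anonymous ECDH), and the OpenSSL letter-suffix scheme makes "is this build past the fix?" a non-obvious comparison (0.9.8za is newer than 0.9.8y). The following is an added example, not part of the Juniper bulletin: a Python triage helper that encodes only what the text above states (the FIXED_IN releases and the per-CVE conditions) and reports which CVEs apply to a given OpenSSL build in a given use. The inventory rows at the bottom are constructed; the flags describing how an application uses OpenSSL must come from your own build or configuration review, since they cannot be read from the version string.

```python
import re

# Releases the advisory names as containing the fixes, keyed by maintenance branch.
FIXED_IN = {(0, 9, 8): "0.9.8za", (1, 0, 0): "1.0.0m", (1, 0, 1): "1.0.1h"}

# Pre-3.0 OpenSSL version: MAJOR.MINOR.FIX, optional letter suffix, optional -betaN/-preN.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(?:beta|pre)(\d+))?$")


def version_key(version: str) -> tuple:
    """Sort key for pre-3.0 OpenSSL version strings.

    Letter suffixes are patch levels and sort by length first, so 0.9.8za is
    newer than 0.9.8y. A -betaN/-preN build sorts before the final release
    of the same number.
    """
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters, pre = m.groups()
    final = 0 if pre else 1
    return (int(major), int(minor), int(fix), final, int(pre or 0), len(letters), letters)


def is_patched(version: str) -> bool:
    """True if the build is at or past the fixed release for its branch."""
    key = version_key(version)
    fixed = FIXED_IN.get(key[:3])
    return fixed is not None and key >= version_key(fixed)


def applicable_cves(version, *, role="server", dtls=False,
                    release_buffers=False, multithreaded=False,
                    anon_ecdh=False) -> list:
    """Which of the advisory's seven CVEs apply to an OpenSSL build in a given use.

    role is "client" or "server"; the flags describe how the application
    uses OpenSSL and cannot be inferred from the version alone.
    """
    if role not in ("client", "server"):
        raise ValueError("role must be 'client' or 'server'")
    key = version_key(version)
    if is_patched(version):
        return []
    branch = key[:3]
    cves = []
    # CVE-2014-0224: every unpatched client; servers only on 1.0.1 / 1.0.2-beta.
    if role == "client" or branch in ((1, 0, 1), (1, 0, 2)):
        cves.append("CVE-2014-0224")
    # Both SSL_MODE_RELEASE_BUFFERS flaws need that non-default mode on 1.0.0/1.0.1;
    # the race in ssl3_read_bytes additionally needs a multithreaded application.
    if release_buffers and branch in ((1, 0, 0), (1, 0, 1)):
        cves.append("CVE-2014-0198")
        if multithreaded:
            cves.append("CVE-2010-5298")
    # Anonymous ECDH DoS affects TLS clients that enable those ciphersuites.
    if role == "client" and anon_ecdh:
        cves.append("CVE-2014-3470")
    # ECDSA nonce side channel: "through 1.0.0l" per the advisory text.
    if key <= version_key("1.0.0l"):
        cves.append("CVE-2014-0076")
    # DTLS recursion (client only) and DTLS invalid fragment (client or server).
    if dtls:
        if role == "client":
            cves.append("CVE-2014-0221")
        cves.append("CVE-2014-0195")
    return cves


if __name__ == "__main__":
    # Constructed inventory rows: (component, version, role, usage flags).
    inventory = [
        ("mgmt-web", "1.0.1g", "server", {}),
        ("cli-tool", "0.9.8y", "client", {}),
        ("agent", "1.0.0l", "server", {"release_buffers": True, "multithreaded": True}),
        ("patched", "1.0.1h", "server", {}),
    ]
    for name, ver, role, flags in inventory:
        print(f"{name:10} {ver:10} {applicable_cves(ver, role=role, **flags) or 'none'}")
```

Note that an empty result for an unpatched build only means none of these seven CVEs apply under the stated conditions; the advisory's fixed releases remain the upgrade target.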

Modification History:
June 5, 2014: Initial release

Solution:
Junos Pulse/SA (SSL VPN)
For more information on the solution available for this platform, please see KB: http://kb.juniper.net/KB29195

We are currently investigating our product portfolio for affected software and will work to provide fixes for any software that is found to be vulnerable. Any available solution to particular CVEs is listed in the Problem section above.


Workaround:
Junos OS:
Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
  • Disable J-Web
  • Disable the SSL service for JUNOScript (XNM-SSL) and use only NETCONF, which runs over SSH, to make configuration changes
  • Limit access to J-Web and XNM-SSL to trusted networks only