1

Click here to load reader

Juniper heartbleed bug

Embed Size (px)

Citation preview

Page 1: Juniper heartbleed bug

2014-04 OUT OF CYCLE SECURITY BULLETIN: MULTIPLE PRODUCTS AFFECTED BY OPENSSL “HEARTBLEED” ISSUE (CVE-2014-0160)

PROBLEM:The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, username and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as The Heartbleed Bug.

STATUS OF DIFFERENT OPENSSL VERSIONS:• OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable• OpenSSL 1.0.1g is NOT vulnerable• OpenSSL 1.0.0 branch is NOT vulnerable• OpenSSL 0.9.8 branch is NOT vulnerable

VULNERABLE PRODUCTS:• Junos OS 13.3R1 (Fixed code is listed in the “Solution” section)• SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the “Solution” section)• UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the “Solution” section)• Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later (Fixed code is listed in the “Solution” section)• Network Connect (windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS

mode.) (Fixed code is listed in the “Solution” section)• Junos Pulse (Mobile) on Android version 4.2R1 and higher. (Fixed code is listed in the “Solution” section)• Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.)(Fixed code is listed

in the “Solution” section)• WebApp Secure (Fixed code is listed in the “Solution” section)• Odyssey client 5.6r5 and later

PRODUCTS NOT VULNERABLE:• Junos OS 13.2 and earlier is not vulnerable• Non-FIPS version of Network Connect clients are not vulnerable• SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable• SRX Series is not vulnerable• Junos Space is not vulnerable• NSM is not vulnerable• Pulse 4.0r4 and earlier is not vulnerable• QFabric Director is not vulnerable• CTPView is not vulnerable• vGW/FireFly Host is not vulnerable• Firefly Perimeter is not vulnerable• ScreenOS is not vulnerable• UAC 4.3, 4.2, and 4.1 are not vulnerable• JUNOSe is not vulnerable

PRODUCTS CURRENTLY UNDER INVESTIGATION:• Stand Alone IDP

Juniper continues to investigate this issue and as new information becomes available this document will be updated.This issue has been assigned CVE-2014-0160.

• Odyssey client 5.6r4 and earlier are not vulnerable• Junos Pulse (Mobile) on iOS (Non-FIPS Mode)• WX-Series is not vulnerable• Junos DDoS Secure is not vulnerable• STRM/JSA is not vulnerable• Media Flow Controller is not vulnerable• SBR Carrier is not vulnerable• SBR Enterprise is not vulnerable• Junos Pulse Mobile Security Suite is not vulnerable• SRC Series is not vulnerable• Junos Pulse Endpoint Profiler is not vulnerable• Smart Pass is not vulnerable• Ring Master is not vulnerable• ADC is not vulnerable

Heartbleed Bug Vulnerability: Discovery, Impact and Solution

Heartbleed Bug Vulnerability: Discovery, Impact and Solution

Technology
CDO - Cyber Risk Reporting - BT Broadband · Heartbleed hacks hit Mumsnet and Canada's tax agency ... 50 million Android phones may be affected Heartbleed Bug: Public urged to change

CDO - Cyber Risk Reporting - BT Broadband · Heartbleed hacks hit Mumsnet and Canada's tax agency ... 50 million Android phones may be affected Heartbleed Bug: Public urged to change

Documents
Cenni su SSL/TLS Heartbleed

Cenni su SSL/TLS Heartbleed

Science
Heartbleed Overview

Heartbleed Overview

Technology
Heartbleed && Wireless

Heartbleed && Wireless

Technology
The Heartbleed Bug A vulnerability in the OpenSSL Cryptographic Library

The Heartbleed Bug A vulnerability in the OpenSSL Cryptographic Library

Documents
Gestion des vulnérabilités logicielles - OSSIR · Heartbleed Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's

Gestion des vulnérabilités logicielles - OSSIR · Heartbleed Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's

Documents
Heartbleed breach - Is your website vulnerable?

Heartbleed breach - Is your website vulnerable?

Internet
DevOps Boston - Heartbleed at Acquia

DevOps Boston - Heartbleed at Acquia

Technology
Heartbleed Bug: Prevent Attacks Before They Begin

Heartbleed Bug: Prevent Attacks Before They Begin

Technology
image: Marsmettnn Tallahassee Heartbleed & staying …findhorn.cc/wp-content/uploads/2014/11/WPFH-security-heartbleed... · Heartbleed & staying secure online ... April 2014, by Mark

image: Marsmettnn Tallahassee Heartbleed & staying …findhorn.cc/wp-content/uploads/2014/11/WPFH-security-heartbleed... · Heartbleed & staying secure online ... April 2014, by Mark

Documents
DrupalGov2014 Heartbleed

DrupalGov2014 Heartbleed

Presentations & Public Speaking
[QA Night Recife] Heartbleed SecInf

[QA Night Recife] Heartbleed SecInf

Software
HEARTBLEED ATTACK

HEARTBLEED ATTACK

Documents
Embedded application designed by ATS languageRemember Heartbleed bug? Should we use safer language than C? == In English == "Preventing heartbleed bugs with safe programming languages"

Embedded application designed by ATS languageRemember Heartbleed bug? Should we use safer language than C? == In English == "Preventing heartbleed bugs with safe programming languages"

Documents
Cybercalypse , HeartBleed : Is our Government Listening

Cybercalypse , HeartBleed : Is our Government Listening

Documents
Risk Assessment of Buffer “Heartbleed” Over-read ... · specific Heartbleed bug. As an emerging type of vulnerability, we need more research on the mitigation of the buffer over-read

Risk Assessment of Buffer “Heartbleed” Over-read ... · specific Heartbleed bug. As an emerging type of vulnerability, we need more research on the mitigation of the buffer over-read

Documents
Sunrise pc support heartbleed scam alert

Sunrise pc support heartbleed scam alert

Documents
d Neel Mehta, Google Security - IT Today · discovers the Heartbleed vulnerability Friday, March 21 ... about a bug existing in ... heartbleed_infographic

d Neel Mehta, Google Security - IT Today · discovers the Heartbleed vulnerability Friday, March 21 ... about a bug existing in ... heartbleed_infographic

Documents
Heartbleed Bug Infographic

Heartbleed Bug Infographic

Documents
Sullivan heartbleed-defcon22 2014

Sullivan heartbleed-defcon22 2014

Internet
CHERI - University of Cambridge · PDF fileMotivation The Eternal War in Memory* Example bug: Heartbleed allows attackers to eavesdrop on communications, steal data directly from the

CHERI - University of Cambridge · PDF fileMotivation The Eternal War in Memory* Example bug: Heartbleed allows attackers to eavesdrop on communications, steal data directly from the

Documents
Heartbleed Bug: What It Is And How To Protect Yourself

Heartbleed Bug: What It Is And How To Protect Yourself

Technology
Report on Heartbleed

Report on Heartbleed

Education
The Heartbleed Bug

The Heartbleed Bug

Education
Security Vulnerabilities: Heartbleed & Buffer Overflow

Security Vulnerabilities: Heartbleed & Buffer Overflow

Engineering
Understanding heartbleed by Dustin Noe

Understanding heartbleed by Dustin Noe

Technology
The Heartbleed Hit List

The Heartbleed Hit List

Documents
Heartbleed Bug Advisory (CVE-2014-0160)accuvantstorage.blob.core.windows.net/web/file/... · Heartbleed Bug Advisory (CVE-2014-0160) 3 Revision: 1.1 Technical Summary The Heartbleed

Heartbleed Bug Advisory (CVE-2014-0160)accuvantstorage.blob.core.windows.net/web/file/... · Heartbleed Bug Advisory (CVE-2014-0160) 3 Revision: 1.1 Technical Summary The Heartbleed

Documents
Cyber-security tips: the heartbleed bug

Cyber-security tips: the heartbleed bug

Technology