[ Juniper ] Information Disclosure Vulnerability in OpenSSL (Heartbleed)

Details:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, usernames and passwords, or the contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as “The Heartbleed Bug”.
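The over-read comes down to one missing bounds check: the heartbeat handler echoed back as many bytes as the peer declared, without confirming that many bytes had actually arrived. The C sketch below is added here as an illustration (it is not OpenSSL's or Juniper's code) and models the check that the fixed release performs; the message layout, the 16-byte minimum padding and the demo records are assumptions simplified from the TLS heartbeat format.

```c
#include <stddef.h>
#include <string.h>

/* Heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
 * Added illustration of the length check missing in OpenSSL 1.0.1 before 1.0.1g;
 * this is not OpenSSL's or Juniper's own code. */
#define HB_HDR_LEN     3
#define HB_MIN_PADDING 16

/* Returns the declared payload length if it fits in the record actually received,
 * otherwise -1. Vulnerable versions skipped the last check and trusted the peer. */
int heartbeat_payload_len(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN + HB_MIN_PADDING) return -1;   /* too short to be a heartbeat */
    if (rec[0] != 1 && rec[0] != 2) return -1;              /* 1 = request, 2 = response */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + payload + HB_MIN_PADDING > rec_len) return -1;  /* the Heartbleed case */
    return (int)payload;
}

/* Echoes the payload back as a heartbeat response; -1 if the request is rejected
 * or the output buffer is too small. */
int build_heartbeat_response(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0) return -1;
    size_t total = HB_HDR_LEN + (size_t)n + HB_MIN_PADDING;
    if (total > out_cap) return -1;
    out[0] = 2;                 /* response type */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)n);
    memset(out + HB_HDR_LEN + n, 0, HB_MIN_PADDING);   /* OpenSSL uses random padding here */
    return (int)total;
}

/* Constructed samples: a well-formed 5-byte request, and one that declares 65535
 * payload bytes but carries none (the shape of the advisory's "crafted packets"). */
int demo_valid(void)
{
    unsigned char rec[HB_HDR_LEN + 5 + HB_MIN_PADDING] = {1, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    unsigned char out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);   /* 24 */
}
int demo_oversized(void)
{
    unsigned char rec[HB_HDR_LEN + HB_MIN_PADDING] = {1, 0xFF, 0xFF};
    unsigned char out[64];
    return build_heartbeat_response(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```

Without the third check in heartbeat_payload_len, the second sample would make memcpy read 65535 bytes starting at a 19-byte record, which is exactly the process-memory leak the advisory describes.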
This bug's impact is rated HIGH.
Status of different OpenSSL versions:
For further information on this vulnerability, please visit the URLs below:
Vulnerable Juniper Products
Impacted Product Line | Resolution | Related Knowledgebase Item
Junos | Juniper Networks has released Junos OS 13.3R1.8 to resolve this issue. Customers are encouraged to upgrade to 13.3R1.8 from earlier versions of 13.3R1. | N/A
SSL VPN (IVEOS) | Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.3. | http://kb.juniper.net/KB29004
UAC | Juniper Networks has released UAC 5.0r3.2. | http://kb.juniper.net/KB29007
Junos Pulse (Desktop) | Juniper Networks has released Pulse Desktop 5.0R3.1 and Pulse Desktop 4.0R9.2. | http://kb.juniper.net/KB29004
Junos Pulse (Mobile) | Juniper Networks has released Junos Pulse for Android version 5.0R3 (44997), now available for download on the Google Play Store, and Junos Pulse for Apple iOS version 5.0.3.44999, available for download from the Apple App Store. |
WebApp Secure | Juniper has pushed a software update (5.1.3-30) to systems that will resolve this issue. Please initiate the upgrade to resolve this issue. | Release notes: https://www.juniper.net/techpubs/en_US/webapp5.1.3/information-products/topic-collections/webapp-secure-5.1.3-30-release-notes.pdf
Firmware upgrades for the above-mentioned products should be performed immediately to avoid impact.
An IPS signature pack has been released to detect this vulnerability; the IPS signature database should also be updated.
Temporary Workaround (before OS UPGRADE)
Junos:
  • Disable J-Web
  • Disable the SSL service for JUNOScript and use only NETCONF, which runs over SSH, to make configuration changes
  • Limit access to J-Web and XNM-SSL to trusted networks only
SSL VPN/UAC: Other than upgrading or downgrading to an unaffected release, there are no workarounds for this issue.
Immediate action is required: verify that all internet-facing servers are patched, and ensure that all perimeter security services are using updated Heartbleed signatures to detect and prevent abuse of the vulnerability by internal and external threats.
Online OpenSSL vulnerability checker: https://lastpass.com/heartbleed/

NEW BUG UNCOVERED: a vulnerability in OpenSSL has recently been uncovered. It is an information disclosure bug caused by an error in the handling of TLS/DTLS heartbeat packets. An attacker can leverage this vulnerability to disclose the memory contents of a connected client or server.