cancel
Showing results for 
Search instead for 
Did you mean: 

Please confirm whether your firmware is affected by the new OpenSSL defect

Highlighted
Not applicable

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Checking on our 4 yr old Juniper SA700, it is running 7.0R6    

From the Juniper CVE-2014-0160 KB article it says

 

Vulnerable Products:
SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later


Products Not Vulnerable

SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable

 

But is doesn't say anything about older versions such as 7.0 and older.

Does anyone know if this means version older than 7.3 are NOT vulnerable to this issue?

 

 

 

Highlighted
Frequent Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Wavetrain2013, I did not see any HC issues in my testing, but I will re-test to be sure.

 

 

Also, Qualys / SSL Labs has updated their free SSL test engine to check for the Heartbleed vulnerability. I was able to confirm that 7.4r7 is vulnerable and that 7.4r9.1 is not.

 

https://www.ssllabs.com/ssltest/

 

Highlighted
Frequent Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Has Juniper recommended to anyone that customers replace their existing SSL certificates once they are upgraded to 7.4r9.1 and no longer vulnerable?

Highlighted
Occasional Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

The JTAC engineers I've dealt with so far have not specifically recommended replacing certs. I plan on doing so once I have safe working code. The last section of kb29004 does mention certificate replacement.

 

The HC disconnects I observed were all in the range of 10-20 minutes after initial connection. Our config uses ESP and in this scenario, HC establishes a separate SSL connection at login. With 7.4R5, a healthy system has one ESP connection and one SSL connection established for the duration. Testing more to see if this is different in 7.4R9.1.

Highlighted
Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect


@alanl wrote:

Checking on our 4 yr old Juniper SA700, it is running 7.0R6    

From the Juniper CVE-2014-0160 KB article it says

 

Vulnerable Products:
SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later


Products Not Vulnerable

SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable

 

But is doesn't say anything about older versions such as 7.0 and older.

Does anyone know if this means version older than 7.3 are NOT vulnerable to this issue?

 

 

 

 


 I believe that older versions are not vulnerable because they do not support TLS 1.2.  A scan shows one of our older devices not being vulnerable.

Highlighted
Frequent Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Wavetrain, I'm not seeing any negative issues so far. I have a few different realms configured as follows.

 

Corp PC - Uses NetConnect, rewriter, and Juniper TS client

Home PC - Uses rewriter, Juniper TS client, and Citrix with the CTX client

Mac - Uses rewriter and Hob Java RDP client

 

All three realms use HC to various degrees. No time outs or loops so far.

Highlighted
Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Hi Guys,

 

I see 7.4R9.2 is now out. Anyone testing this yet? I'm applying 7.4R9.1 to my lab device this morning.

 

Thanks

 

Natasha

 

Highlighted
Frequent Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

I just finished applying 7.4r9.1 to several production servers. It looks like the 7.4r9.2 code addresses issues with NC when run in FIPS mode.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=JSA10623&smlogin=true

Highlighted
Occasional Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

Now that we patched the IVEOS and installed new cert on SA/MAG, can any Juniper SSL-VPN expert explain to me how the user authentication information is transmitted to the SA/MAG device? is it clear text over SSL or only a password hash is transmitted? in either case, are username/password saved in memory? because attacker can dump server memory, anything saved in memory could have been exploited, it is going to be a huge pain to force everybody to change their active directory password.

Highlighted
Frequent Contributor

Re: Please confirm whether your firmware is affected by the new OpenSSL defect

jdu,

 

I hope this image could enlighten you.

 

Selection_997.png