Checking on our 4 yr old Juniper SA700, it is running 7.0R6
From the Juniper CVE-2014-0160 KB article it says
Vulnerable Products:
SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later
Products Not Vulnerable
SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
But it doesn't say anything about older versions such as 7.0 and older.
Does anyone know if this means versions older than 7.3 are NOT vulnerable to this issue?
Also, Qualys / SSL Labs has updated their free SSL test engine to check for the Heartbleed vulnerability. I was able to confirm that 7.4r7 is vulnerable and that 7.4r9.1 is not.
https://www.ssllabs.com/ssltest/
Has Juniper recommended to anyone that customers replace their existing SSL certificates once they are upgraded to 7.4r9.1 and no longer vulnerable?
The JTAC engineers I've dealt with so far have not specifically recommended replacing certs. I plan on doing so once I have safe working code. The last section of kb29004 does mention certificate replacement.
The HC disconnects I observed were all in the range of 10-20 minutes after initial connection. Our config uses ESP and in this scenario, HC establishes a separate SSL connection at login. With 7.4R5, a healthy system has one ESP connection and one SSL connection established for the duration. Testing more to see if this is different in 7.4R9.1.
@alanl wrote:
Checking on our 4 yr old Juniper SA700, it is running 7.0R6
From the Juniper CVE-2014-0160 KB article it says
Vulnerable Products:
SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later
Products Not Vulnerable
SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
But it doesn't say anything about older versions such as 7.0 and older.
Does anyone know if this means versions older than 7.3 are NOT vulnerable to this issue?
I believe that older versions are not vulnerable because they do not support TLS 1.2. A scan shows one of our older devices not being vulnerable.
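The KB excerpt quoted above and the scan results reported in this thread (7.4r7 vulnerable, 7.4r9.1 clean) are enough to triage an inventory of IVEOS builds by version string alone. The script below is an added example, not from Juniper or from anyone in this thread; it parses version strings in the "7.4R9.1" format used here and classifies each one using only the facts stated on this page. The host names in the sample inventory are constructed; the first fixed 8.0 build is not named in the thread, so 8.0 releases are reported as "consult KB" rather than guessed.

```python
import re
from typing import NamedTuple

class IveVersion(NamedTuple):
    """An IVEOS build number, e.g. 7.4R9.1 -> (7, 4, 9, 1). Tuple order gives correct comparison."""
    major: int
    minor: int
    release: int   # the number after "R"/"r"; 0 when absent (e.g. plain "7.3")
    patch: int     # the number after the dot following the release; 0 when absent

# Accepts "7.0R6", "7.4r9.1", "7.3", "8.0r1"; rejects anything else.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:[rR](\d+)(?:\.(\d+))?)?\s*$")

def parse_ive_version(text: str) -> IveVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised IVEOS version string: {text!r}")
    major, minor, release, patch = m.groups()
    return IveVersion(int(major), int(minor), int(release or 0), int(patch or 0))

# Facts taken from this thread only:
#  - KB: SSL VPN (IVEOS) 7.4r1 and later, and 8.0r1 and later, are vulnerable to CVE-2014-0160
#  - KB: 7.1, 7.2 and 7.3 are not vulnerable
#  - scan result posted above: 7.4r7 vulnerable, 7.4r9.1 not vulnerable (first fixed 7.4 build seen)
#  - the thread does not name a fixed 8.0 build, and the KB says nothing about releases before 7.1
VULNERABLE_BRANCHES = {(7, 4), (8, 0)}
NOT_VULNERABLE_BRANCHES = {(7, 1), (7, 2), (7, 3)}
FIRST_FIXED = {(7, 4): IveVersion(7, 4, 9, 1)}

STATUS_NOT_VULNERABLE = "not vulnerable (listed in KB)"
STATUS_PATCHED = "patched (at or above first fixed build)"
STATUS_VULNERABLE = "vulnerable (upgrade required)"
STATUS_CONSULT_KB = "vulnerable branch, fixed build not stated in thread; consult KB"
STATUS_NOT_LISTED = "not listed in KB; status unknown"

def heartbleed_status(version_text: str) -> str:
    """Classify one IVEOS build using only the KB lines and scan results quoted in this thread."""
    v = parse_ive_version(version_text)
    branch = (v.major, v.minor)
    if branch in NOT_VULNERABLE_BRANCHES:
        return STATUS_NOT_VULNERABLE
    if branch in VULNERABLE_BRANCHES:
        fixed = FIRST_FIXED.get(branch)
        if fixed is None:
            return STATUS_CONSULT_KB
        return STATUS_PATCHED if v >= fixed else STATUS_VULNERABLE
    # Anything newer than 8.0 falls under the KB's "8.0r1 and later" wording but has no
    # fixed build on this page; anything older than 7.1 is simply not covered by the KB.
    if branch > (8, 0):
        return STATUS_CONSULT_KB
    return STATUS_NOT_LISTED

def triage(inventory: dict) -> dict:
    """Map host name -> status for a {host: version_string} inventory; bad strings are reported, not fatal."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = heartbleed_status(version_text)
        except ValueError as exc:
            result[host] = f"unparseable version: {exc}"
    return result

if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders, builds are the ones discussed above.
    sample = {
        "sa700-lab.example.test": "7.0R6",
        "mag-prod-1.example.test": "7.4r7",
        "mag-prod-2.example.test": "7.4R9.1",
        "sa-dmz.example.test": "7.3",
        "sa-new.example.test": "8.0r1",
        "sa-odd.example.test": "latest",
    }
    for host, status in triage(sample).items():
        print(f"{host:28} {sample[host]:8} {status}")
```

The classifier deliberately refuses to guess: a 7.0 build gets "not listed in KB" (the open question in this thread) rather than a yes or no, and 8.0 gets "consult KB" because no fixed 8.0 build appears here. If you later confirm a fixed 8.0 build, add it to FIRST_FIXED and the comparison logic does the rest.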
Wavetrain, I'm not seeing any negative issues so far. I have a few different realms configured as follows.
Corp PC - Uses NetConnect, rewriter, and Juniper TS client
Home PC - Uses rewriter, Juniper TS client, and Citrix with the CTX client
Mac - Uses rewriter and Hob Java RDP client
All three realms use HC to various degrees. No time outs or loops so far.
Hi Guys,
I see 7.4R9.2 is now out. Anyone testing this yet? I'm applying 7.4R9.1 to my lab device this morning.
Thanks
Natasha
I just finished applying 7.4r9.1 to several production servers. It looks like the 7.4r9.2 code addresses issues with NC when run in FIPS mode.
http://kb.pulsesecure.net/InfoCenter/index?page=content&id=JSA10623&smlogin=true
Now that we patched the IVEOS and installed new certs on SA/MAG, can any Juniper SSL-VPN expert explain to me how the user authentication information is transmitted to the SA/MAG device? Is it clear text over SSL, or is only a password hash transmitted? In either case, are username/password saved in memory? Because an attacker can dump server memory, anything saved in memory could have been exploited, and it is going to be a huge pain to force everybody to change their Active Directory password.
jdu,
I hope this image could enlighten you.