Juniper SA VPN Appliance vs. Heartbleed OpenSSL vulnerability

According to some tests on SSL Labs┬áJuniper SA appliances (and client software) ARE vulnerable to the OpenSSL Heartbleed┬ávulnerability. This is confirmed by Juniper in this support document. According to Juniper’s support document:

PROBLEM:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, username and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as The Heartbleed Bug.

Status of different OpenSSL versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Vulnerable Products

  • Junos OS 13.3R1 (Fixed code is listed in the “Solution” section)
  • SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the “Solution” section)
  • UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later (Fixed code is listed in the “Solution” section)
  • Network Connect (windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Mobile) on Android version 4.2R1 and higher. (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the “Solution” section)
  • WebApp Secure (Fixed code is listed in the “Solution” section)
  • Odyssey client 5.6r5 and later

Source

Leave a Reply