News

Juniper SA VPN Appliance vs. Heartbleed OpenSSL vulnerability

According to tests on SSL Labs, Juniper SA appliances (and client software) ARE vulnerable to the OpenSSL Heartbleed vulnerability. Juniper confirms this in its support document, which states:

PROBLEM:
The TLS and DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information (such as private keys, usernames and passwords, or contents of encrypted traffic) from process memory via crafted packets that trigger a buffer over-read. This issue is also known as The Heartbleed Bug.

Status of different OpenSSL versions:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Vulnerable Products

  • Junos OS 13.3R1 (Fixed code is listed in the “Solution” section)
  • SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later (Fixed code is listed in the “Solution” section)
  • UAC 4.4r1 and later, and UAC 5.0r1 and later (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Desktop) 5.0r1 and later, and Junos Pulse (Desktop) 4.0r5 and later (Fixed code is listed in the “Solution” section)
  • Network Connect (Windows only) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Mobile) on Android version 4.2R1 and higher. (Fixed code is listed in the “Solution” section)
  • Junos Pulse (Mobile) on iOS version 4.2R1 and higher. (This client is only impacted when used in FIPS mode.) (Fixed code is listed in the “Solution” section)
  • WebApp Secure (Fixed code is listed in the “Solution” section)
  • Odyssey client 5.6r5 and later

Source

Netscaler vs CVE-2014-0160 (Heartbleed) OpenSSL vulnerability

Yesterday the latest OpenSSL vulnerability (CVE-2014-0160) drew a lot of attention. It puts a great many SSL deployments at risk, because OpenSSL is a very popular SSL implementation used in a wide range of Unix/Linux-based applications and appliances.

Being very busy with Citrix Netscaler lately, I immediately recognized the great potential risk of this vulnerability, because the Netscaler firmware also uses this OpenSSL implementation. So I investigated this risk on my own up-to-date Netscaler firmware (124.13) to find out whether this firmware version, and possibly older versions, are vulnerable to this CVE-2014-0160 (Heartbleed) bug.

  • The first test I did was browsing to a site that checks your site for this specific vulnerability, http://filippo.io/Heartbleed. The result of the test was not very conclusive: “write tcp xxx.xxx.xxx.xxx:443: broken pipe”

After this check I wondered which versions of OpenSSL are affected by this vulnerability. According to OpenSSL.org’s own site, the vulnerability exists in versions 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a and 1.0.1.

So I immediately logged in to the Netscaler’s SSH console and entered the following commands:

  • > shell
  • # openssl version

This command resulted in the OpenSSL response: “OpenSSL 0.9.7e-p1 25 Oct 2004”

So I’m very glad to see that the latest version of Netscaler’s firmware, 124.13, does not contain this vulnerability. However, I’m shocked by the ancient version of OpenSSL (release date 25 Oct 2004!!!!) that is used by this latest Netscaler firmware. A whole list of vulnerabilities has been repaired since.
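As an added example (not from the original post, nor Citrix or Juniper code), the following POSIX shell function turns the manual check above into a repeatable one: it takes the banner printed by `openssl version` and classifies it against the affected range quoted from the Juniper advisory (1.0.1 through 1.0.1f vulnerable; 1.0.1g, 1.0.0 and 0.9.8 not). The function names `openssl_version_token` and `heartbleed_status` are my own, and the banner strings in the comments are constructed samples. Branches newer than 1.0.1 (1.0.2, 1.1.x, 3.x) are marked not vulnerable because they were released after the fix; the page's own table does not list them.

```shell
#!/bin/sh
# Classify an "openssl version" banner against the Heartbleed-affected range.
# Constructed sample banners:
#   "OpenSSL 0.9.7e-p1 25 Oct 2004"  -> NOT_VULNERABLE (what the Netscaler reported)
#   "OpenSSL 1.0.1f 6 Jan 2014"      -> VULNERABLE
#   "OpenSSL 1.0.1g 7 Apr 2014"      -> NOT_VULNERABLE
# Live use on a box you administer:
#   heartbleed_status "$(openssl version)"

# Return the bare version token, i.e. the second word of the banner,
# e.g. "0.9.7e-p1" from "OpenSSL 0.9.7e-p1 25 Oct 2004".
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Print VULNERABLE, NOT_VULNERABLE or UNKNOWN for a full "openssl version" banner.
heartbleed_status() {
    tok=$(openssl_version_token "$1")
    # Drop a platform or build suffix such as "-p1" or "-fips"; it does not
    # change which upstream code the binary is based on.
    base=${tok%%-*}
    case "$base" in
        1.0.1|1.0.1[a-f])        echo VULNERABLE ;;      # 1.0.1 .. 1.0.1f (advisory range)
        1.0.1[g-z]*)             echo NOT_VULNERABLE ;;  # 1.0.1g and later letters carry the fix
        1.0.0*|0.9.8*|0.9.7*)    echo NOT_VULNERABLE ;;  # branches that never had the heartbeat bug
        1.0.2*|1.1.*|3.*)        echo NOT_VULNERABLE ;;  # released after the fix (beyond the page's table)
        *)                       echo UNKNOWN ;;         # anything else: inspect by hand
    esac
}
```

The banner only tells you which library the `openssl` command-line binary is linked against. An appliance can ship a separate copy for its SSL daemon, so this check complements, rather than replaces, a network-side test such as the filippo.io page mentioned above.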

Update 1 09-04-2014: Citrix’s security team seems to confirm that Netscaler is not at risk. A public statement has not yet been released.

Update 2 09-04-2014: Citrix now officially announces that the Citrix Netscaler/Access Gateway/StoreFront products are NOT vulnerable to CVE-2014-0160; the Citrix support document can be found here.

2012 A New Year – Many Good Intentions

2012 has already started some days ago, so let me summarize 2011 and give you all a glimpse into 2012. Without being dramatic about it, 2011 was certainly a memorable year.

  • Busy with the preparations for the start-up of my company.
  • Our beautiful daughter was born [March]
  • I totally ruptured my Achilles tendon [April]
  • I quit my Job [April]
  • I Started FRN Consultants [June]
  • My first project as consultant for FRN Consultants [June]
  • Still recovering from the ruptured Achilles tendon [December]

A lot of happy moments and some not so happy moments, that is how 2011 can be summarized. Probably like anyone else I have some good intentions for 2012. I will do my utmost to fulfill these, so here they are in no particular order:

  • Not rupture my Achilles tendon (ever) again.
  • Participate in interesting projects.
  • Publish more posts to this blog.
  • Lose some weight.

I really do not want to rupture my Achilles tendon again, because it takes a lot of time to recover. It happened on the 2nd of April 2011 during a game of futsal (indoor soccer), not even a month after the birth of our daughter, so I unintentionally gave my girlfriend a really hard time, and almost a year later I’m still recovering with the help of the physiotherapist (last week I just started running again). I do need to start running because I’ve gained some weight.

Some say 2012 is going to be a tough year business-wise. I really hope I can participate in challenging and interesting projects as an IT consultant, but I also want to explore other businesses. I’ve invested in some internet-related “projects” which will hopefully make some profit at the end of the year, so now and then take a look at:

Last but not least, I hope to publish more content to this website than I did in 2011. I’m very busy with PowerShell lately, so I plan to put scripts on this or another website.

I wish you all the best in 2012 and hope you’ll return to this website regularly. If you have any questions or inquiries, please don’t hesitate to contact me.

Best regards,

Leon

Fraudulent (Nigerian) Buyers

OK, no technical blog post this time; it’s all about (Nigerian) fraudulent buyers active on second-hand websites like marktplaats.nl. This story starts when I decided to create an ad on the Dutch second-hand website marktplaats.nl to sell my DSLR camera. Only a few hours after placing the ad I got a reaction (in poor Dutch) by mail from Janine (janinejinwood@hotmail.com):

“Hello, May I know why you are selling this item? As I interested.Kindly I back again to Me. “

Initially I noticed the poor Dutch, but I replied (in Dutch):

“Dear Janine, The reason I want to sell it is that I want to get a different one myself.”

Within a few minutes I received this reply:

Hello There Leon,
Thanks for the reply.Having gone through the item,I want you to know that,I am satisfy with condition and the price of the item.I live in Groningen, but I wouldnt be able to meet you for collection due to the nature of My Job and moreover I am buying this item for My god-son who just graduated abroad as a gift .Due to this,I have made inquiry from Postnl  the postage cost of the item abroad and I was told €45.I will appreciate if you can help Me send the item directly to him.I have set up a PayPal account so I can pay you with.Kindly Request the payment to:janinejinwood@hotmail.com

As soon as I receive the request I will get payment done.
Janine.J.

From this moment on I thought there was something wrong, because:

1. I put the camera on marktplaats.nl as a bid item, so there was no selling condition
2. She asked me to send the camera directly abroad (without inspecting a 300+ euro item)

So I replied to “her” on purpose in Dutch:

“Thanks for your interest in the camera, but as you have seen I placed the ad on Marktplaats as an “auction”. I would therefore like to invite you to place a bid. When a bid has been placed at which I am willing to sell the item, I will contact the person who placed that bid. The camera has been on Marktplaats for less than 24 hours and I therefore want to wait and see how many bids it will attract. If you look at similar ads on Marktplaats, the selling price of those ads is around 400 – 500 euro. Once again I invite you to place a bid.”

Almost instantly I got this reply:

“I dont have the time to place bid,I want to pay you €455”

This offer was exactly what I was looking for, but I had already become hesitant, so I replied:

“I agree on the price of 455 euro’s, but I will have to send it to Groningen. (because of legal issues) “

Again I instantly got a reply:

“I want it sent abroad as I have no time to send it Myself.What legal issue?”

Still hesitating, I replied; I wanted some guarantee about the transaction:

“I’m not sure if I receive confirmation that the item has been received if it’s sent abroad? Where should it be sent to?”

Also this time I almost instantly got this reply:

“Sure it will definitely get to its destination as this not the first time sending things to the place.

Festus Adams
3,Anuoluwapo Street,Off Market
Shomolu
Lagos
Nigeria
23401

I await your request.”

At this time all alarm bells were ringing big time, because I had been reading about this fraud not so long ago. So I sent this mail to bail out of the deal:
“Due to recent (Nigerian) scam practices I will not send you the payment request and neither the camera.”
After sending this mail I reported this activity to the support team of marktplaats.nl. After only a few hours they responded that it was indeed a fraudulent buyer and they banned the e-mail address from the website.

RES Launches VDX

Today RES Software launched their RES Virtual Desktop Extender (VDX). The patented product offers companies the unique opportunity to seamlessly extend the virtual desktop with resources that are available locally (DVD burner, resource-intensive applications). With VDX, local and virtual resources are available to the user without having to switch (desktop) session.
Visit their website for more information or download the Virtual Desktop eXtender Brochure.

Citrix accuses VMWare of lying. (updated)

What an interesting start of the week: today Citrix’s desktop CTO Harry Labana wrote a blog post accusing VMware of lying while referring to a Gartner report about the TCO of SBC compared to (un)managed desktops. In this article about VMware View, the company refers to the report and insinuates that VMware View incorporates SBC technology (which it doesn’t).

As you might know, one of the big differences between VMware’s and Citrix’s desktop virtualization solutions is that Citrix XenDesktop incorporates VDI/desktop virtualization capabilities but also includes XenApp, which delivers shared Terminal Server-based desktops and applications, while VMware View only incorporates VDI/desktop virtualization.

Therefore their press release is inaccurate and subject to rectification, in my opinion.

Stay tuned for more….

UPDATE: Brian Madden also picked up the story and has some background information; he also responds to the reaction from VMware:

The recent joint announcement between Wyse and VMware, on February 9, featured a quote by Gartner looking at the TCO benefits associated with server-based computing (SBC). The Wyse portfolio of thin, zero and cloud PC client solutions supports both SBC and VDI. It is appropriate for Wyse to choose to feature this when talking about their products. VMware’s portion of the announcement featured customer momentum and results related to our portfolio of desktop and application virtualization technologies.

Who knows if it was on purpose or an oversight? They’ll claim it was a mistake. The conspiracy theorists will believe otherwise. If you asked me over a beer I’d tell you that I don’t believe they did it on purpose, but that it was not wise to respond with the statement they used. Instead they should have put a new quote with VDI-specific data in it and reissued the press release. Then they’d be done. But now we’re left with a release where TS is doing the heavy lifting to power the “success” of the TCO savings of VDI. And that’s exactly what I accused them of doing three years ago, which I wish was a thing of the past.

Harry Labana also responded on his blog to VMware’s reaction:

Fundamentally VMware is trying to defend an inaccurate press release. After a history of getting away with elastic facts, getting caught twice, the appropriate thing to do would be to retract the statement and claims of SBC having anything to do with VMware.

Goodbye 2010, Hello 2011

Last weekend we said goodbye to 2010 and welcomed 2011. I hope that everyone has a very happy, healthy and successful new year. This year I will start up my own business and hopefully participate in several very interesting projects.

RES Wisdom 2009 Certified Professional (RWCP 2009)

One week after passing the RES Workspace Manager exam, Leon also passed the RES Wisdom exam (RWBX-200) and became a RES Wisdom 2009 Certified Professional.

RES PowerFuse 2010 Certified Professional (RPFCP 2010)

Today Leon displayed his excellent knowledge of Workspace Manager by passing the RES Workspace Manager exam (RPFBX-300). Although he has worked with RES products for a long time, he never actually took the time to sit the exam. Even though he was confident of the level of his knowledge, the outcome of an exam is always uncertain.