Juniper ScreenOS Vulnerability

21st July 2014

Juniper ScreenOS is vulnerable to a Denial of Service (DoS) from malformed SSL packets.

Date of First Release: 19-05-2014
Date of Last Release: 19-05-2014

Source: Juniper
System Affected: Juniper ScreenOS 6.3

Overview: Juniper ScreenOS 6.3 and earlier allows remote attackers to cause a denial of service (crash and restart or failover) via a malformed SSL/TLS packet.

Description: A denial of service (DoS) issue has been discovered in ScreenOS firewalls that can be exploited by remote unauthenticated attackers. When a malformed SSL/TLS protocol packet is sent to a vulnerable ScreenOS firewall, the firewall crashes and restarts or, if in an HA configuration, triggers a failover. The issue can be repeatedly exploited to create an extended denial of service condition. Older versions of ScreenOS have reached the end of support milestone and have not been evaluated for the issue, but are likely affected. Customers are advised to upgrade to a fixed supported release once it is made available.

While Juniper has not seen any malicious exploitation of this vulnerability, the packet has been found in normal network activity.

Impact: A remote unauthenticated attacker may be able to produce an extended denial of service against a ScreenOS firewall by repeatedly sending malformed SSL/TLS packets to the device.

Solution: Juniper Networks has released patches to resolve this issue (see the links below):

Note: The fix will also be a part of ScreenOS 6.3.0r17 that is currently under development.

NS-5200/5400 M3, NS-5200/5400 M2, ISG-2000 with IDP, ISG-2000, ISG-1000 with IDP

ISG-1000, SSG-520/SSG-550, SSG-320/SSG-350, SSG-140, SSG-5/20

KB16765 – “In which releases are vulnerabilities fixed?” describes the releases in which vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.

Juniper security advisory JSA10624 recommends the following workaround.

1. Due to the likelihood of the specific packet occurring during normal activity, Juniper recommends disabling WebUI (SSL) and WebAuth (SSL) until a software fix is available. This includes disabling WebUI (SSL) and WebAuth (SSL) even on internal and protected networks.

2. This issue is completely mitigated when WebUI (SSL) and WebAuth (SSL) are disabled. Disabling SSL WebUI (HTTPS) is part of our best practices, as mentioned in KB29016.

Juniper: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10624
