Juniper Products Affected by Heartbleed OpenSSL Vulnerability

Updated 29th April 2014. Some Juniper Networks products are susceptible to the Heartbleed OpenSSL vulnerability. Juniper have released updates to patch all of these, and you should update your product as soon as possible. If you use any Cisco products (or services), check out the Cisco Heartbleed Vulnerability list here.

While not much good to network administrators, I’ve been sending users to this $1 guide about cyber security. I just wish there was a paper copy so I could have a few kicking around the office: CyberSecurity, Safety and Privacy: 60 Vital Tips to Help Protect Your Personal Security, Identity and Privacy.

Juniper Products that ARE Vulnerable to Heartbleed

  • Junos OS 13.3R1
  • SSL VPN (IVEOS) 7.4r1 and later, and SSL VPN (IVEOS) 8.0r1 and later
  • UAC 4.4r1 and later, and UAC 5.0r1 and later
  • Junos Pulse (Desktop) 5.0r1 and later
  • Junos Pulse (Desktop) 4.0r5 and later
  • Network Connect (Windows only, when used in FIPS mode) version 7.4R5 to 7.4R9.1 & 8.0R1 to 8.0R3.1
  • Junos Pulse (Mobile) on Android version 4.2R1 and higher
  • Junos Pulse (Mobile when used in FIPS mode) on iOS version 4.2R1 and higher
  • WebApp Secure
  • Odyssey client 5.6r5 and later

Juniper Products NOT Vulnerable to Heartbleed

  • Junos OS 13.2 and earlier
  • Non-FIPS version of Network Connect clients are not vulnerable
  • SSL VPN (IVEOS) 7.3, 7.2, and 7.1 are not vulnerable
  • SRX Series
  • Junos Space
  • NSM
  • Pulse 4.0r4 and earlier
  • QFabric Director
  • CTPView
  • vGW/FireFly Host
  • Firefly Perimeter
  • ScreenOS
  • UAC 4.3, 4.2, and 4.1 are not vulnerable
  • JUNOSe
  • Odyssey client 5.6r4 and earlier are not vulnerable
  • Junos Pulse (Mobile) on iOS (Non-FIPS Mode)
  • WX-Series
  • Junos DDoS Secure
  • STRM/JSA
  • Media Flow Controller
  • SBR Carrier
  • SBR Enterprise
  • Junos Pulse Mobile Security Suite
  • SRC Series
  • Junos Pulse Endpoint Profiler
  • Smart Pass
  • Ring Master
  • ADC
  • Stand Alone IDP
  • CX-Series
  • WL-Series
  • J-Series

Solutions from Juniper

SSL VPN (IVEOS):
Juniper Networks has released IVEOS 8.0R3.2 and 7.4R9.3. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29004

UAC:
Juniper Networks has released UAC 5.0r3.2. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007
Juniper Networks has released UAC 4.4r10. For more information surrounding this issue for this platform please see KB: http://kb.juniper.net/KB29007

Odyssey client:
See the UAC section, as the client update with the fix is pushed from the UAC server.

Junos:
Juniper Networks has released Junos OS 13.3R1.8 to resolve this issue.
Customers are encouraged to upgrade to 13.3R1.8 from earlier versions of 13.3R1 to resolve this issue.

Junos Pulse (Desktop):
Juniper Networks has released Pulse Desktop 5.0R3.1 and Pulse Desktop 4.0R9.2. For more information surrounding this issue for this client please see KB: http://kb.juniper.net/KB29004

Junos Pulse (Mobile):
Juniper Networks has released Junos Pulse for Android version 5.0R3 (44997) which is now available for download on the Google Play Store.
Juniper Networks has released Junos Pulse for Apple iOS version 5.0.3.44999 which is available for download from Apple App Store.

WebApp Secure:
Juniper has pushed a software update (5.1.3-30) to systems that will resolve this issue. Please initiate the upgrade to resolve this issue. Release Notes

IDP Signatures:
Juniper has released signatures to detect this issue. The signature released to address Heartbleed vulnerability has been added to a separate category. The signature has NOT been added to the “Recommended” predefined attack group. Please see the following link for more information about our signatures for this issue: http://forums.juniper.net/t5/Security-Mobility-Now/FAQ-Protecting-your-OpenSSL-Server-from-HeartBleed-using-IDP/ba-p/238256

Sigpack 2362 released:
http://signatures.juniper.net/restricted/sigupdates/nsm-updates/updates.xml
http://signatures.juniper.net/restricted/sigupdates/nsm-updates/2362.html

SSL: OpenSSL TLS DTLS Heartbeat Information Disclosure:
http://signatures.juniper.net/documentation/signatures/SSL%3AOPENSSL-TLS-DTLS-HEARTBEAT.html

Note: This advisory will be updated as new information is made available.

KB16765 – “In which releases are vulnerabilities fixed?” describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
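To check an inventory against the vulnerable, not-vulnerable and fixed releases listed above, the following added example (not Juniper's or the author's code) classifies each release string. The product keys, hostnames and inventory are constructed for illustration, and it assumes that any release at or above the fixed one on the same branch carries the fix.

```python
import re
# product key -> {branch: (first vulnerable, first fixed)}, transcribed from this page
AFFECTED = {
    "iveos": {(7, 4): ("7.4R1", "7.4R9.3"), (8, 0): ("8.0R1", "8.0R3.2")},
    "uac": {(4, 4): ("4.4R1", "4.4R10"), (5, 0): ("5.0R1", "5.0R3.2")},
    "pulse-desktop": {(4, 0): ("4.0R5", "4.0R9.2"), (5, 0): ("5.0R1", "5.0R3.1")},
    "junos": {(13, 3): ("13.3R1", "13.3R1.8")},
}
# Branches the page lists as not vulnerable; for Junos it is "13.2 and earlier"
CLEAN = {"iveos": {(7, 1), (7, 2), (7, 3)}, "uac": {(4, 1), (4, 2), (4, 3)}}
JUNOS_CLEAN_MAX = (13, 2)
_VER = re.compile(r"(\d+)\.(\d+)[Rr](\d+)(?:\.(\d+))?")

def parse(release):
    """'7.4R9.1' -> (7, 4, 9, 1); a missing build number counts as 0."""
    m = _VER.fullmatch(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, release):
    v = parse(release)
    branch = v[:2]
    if branch in CLEAN.get(product, ()) or (product == "junos" and branch <= JUNOS_CLEAN_MAX):
        return "not-vulnerable"
    bounds = AFFECTED.get(product, {}).get(branch)
    if bounds is None:
        return "not-listed"  # the page says nothing about this branch
    first_vuln, first_fixed = map(parse, bounds)
    if v < first_vuln:
        return "not-vulnerable"
    # Assumption: releases at or above the fixed one on the same branch are fixed
    return "vulnerable" if v < first_fixed else "fixed"

def report(inventory):
    out = {}
    for host, product, release in inventory:
        try:
            out[host] = triage(product, release)
        except ValueError:
            out[host] = "unparsed"  # format the parser cannot read; check by hand
    return out

# Constructed inventory for illustration: (hostname, product key, release)
INVENTORY = [("vpn-gw-1", "iveos", "7.4R9.1"), ("vpn-gw-2", "iveos", "8.0R3.2"),
             ("nac-1", "uac", "4.3R2"), ("edge-rtr-1", "junos", "13.3R1.4"),
             ("edge-rtr-2", "junos", "12.1X46-D10")]
if __name__ == "__main__":
    print(report(INVENTORY))
```
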

 

WORKAROUND:

Junos:

  • Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
    • Disabling J-Web
    • Disabling the SSL service for JUNOScript and using only Netconf, which makes use of SSH, to make configuration changes
    • Limiting access to J-Web and XNM-SSL to trusted networks only

 

SSL VPN/UAC:

  • Other than downgrading to an unaffected release, there are no workarounds for this issue.
Bob McKay

About Bob McKay

Bob McKay works at Perfect Image, is a father, programmer and a self confessed techie-geek type.
