
Computer vulnerabilities of NetScreen IVE

Vulnerability announcement: CVE-2012-2131, CVE-2013-0166, CVE-2013-0169

Juniper Junos Pulse SA, IVE, UAC: multiple vulnerabilities of OpenSSL

Synthesis of the vulnerability

An attacker can exploit several OpenSSL vulnerabilities in Junos Pulse Secure Access Service (IVE) and Junos Pulse Access Control Service (UAC).
Impacted products: IVE OS, Junos Pulse, Juniper SA, Juniper UAC.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 2013-09-12.
Identifiers: CERTA-2013-AVI-527, CVE-2012-2131, CVE-2013-0166, CVE-2013-0169, JSA10591, VIGILANCE-VUL-13417.

Description of the vulnerability

Several vulnerabilities were announced in Junos Pulse Secure Access Service (IVE) and Junos Pulse Access Control Service (UAC).

An attacker can supply malformed ASN.1 data to an application linked against OpenSSL 0.9.8, in order to corrupt memory, leading to a denial of service or code execution; this is the incomplete fix of CVE-2012-2110 in the 0.9.8 branch (VIGILANCE-VUL-11564). [severity:3/4; CVE-2012-2131]

An attacker can inject tampered records into a TLS/DTLS session that uses a CBC cipher suite and measure how long the peer takes to return an error, in order to progressively recover plaintext of the session (the "Lucky Thirteen" attack) (VIGILANCE-VUL-12394). [severity:1/4; CVE-2013-0169]

An attacker operating a malicious OCSP responder can return a response whose signature verification dereferences a NULL pointer, crashing the OpenSSL applications that query it (VIGILANCE-VUL-12378). [severity:2/4; CVE-2013-0166]

Vulnerability alert: CVE-2013-5650

Juniper Junos Pulse SA, IVE, UAC: denial of service via SSL Acceleration Card

Synthesis of the vulnerability

When an SSL Acceleration Card is installed in Junos Pulse Secure Access Service (IVE) or Junos Pulse Access Control Service (UAC), an attacker can send a malformed packet to trigger a denial of service.
Impacted products: IVE OS, Junos Pulse, Juniper SA, Juniper UAC.
Severity: 3/4.
Consequences: denial of service on server.
Provenance: internet client.
Creation date: 2013-09-12.
Identifiers: BID-62354, CERTA-2013-AVI-527, CVE-2013-5650, JSA10590, VIGILANCE-VUL-13416.

Description of the vulnerability

An SSL Acceleration Card can be installed in Junos Pulse Secure Access Service (IVE) and Junos Pulse Access Control Service (UAC) appliances.

However, when such a card is present, a specially crafted packet halts the system.

An attacker can therefore send a malformed packet to an appliance fitted with an SSL Acceleration Card, in order to trigger a denial of service.

Vulnerability: CVE-2013-5649

Juniper Junos Pulse SA, IVE: Cross Site Scripting

Synthesis of the vulnerability

An attacker can trigger a Cross Site Scripting in Juniper Junos Pulse Secure Access, in order to execute JavaScript code in the context of the web site.
Impacted products: IVE OS, Junos Pulse, Juniper SA.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Creation date: 2013-09-12.
Identifiers: BID-62353, CERTA-2013-AVI-527, CVE-2013-5649, JSA10589, VIGILANCE-VUL-13415.

Description of the vulnerability

The Juniper Networks SSL VPN product embeds a web server.

However, it does not sanitize received data before inserting it into the HTML documents it generates.

An attacker can therefore trigger a Cross Site Scripting in Juniper Junos Pulse Secure Access, in order to execute JavaScript code in the context of the web site.

Vulnerability note: CVE-2013-3970

Juniper SA, UAC: site spoofing via Trusted Server CA Root

Synthesis of the vulnerability

An attacker who has access to Juniper's development certification authority can set up a fake site whose certificate is accepted without warning by Junos Pulse Secure Access Service (SSL VPN) and Junos Pulse Access Control Service (UAC).
Impacted products: IVE OS, Juniper SA, Juniper UAC.
Severity: 2/4.
Consequences: client access/rights.
Provenance: internet server.
Creation date: 2013-06-14.
Identifiers: BID-60521, CVE-2013-3970, JSA10571, VIGILANCE-VUL-12979.

Description of the vulnerability

The Junos Pulse Secure Access Service (SSL VPN) and Junos Pulse Access Control Service (UAC) products ship a list of trusted certification authorities (Trusted Server CAs). When a site presents a certificate issued by one of these CAs, the user sees no warning.

However, Juniper's internal development root certificate was included in that list in some production versions of these products.

An attacker who has access to Juniper's development certification authority can therefore issue a certificate for a fake site, which is accepted without warning by Junos Pulse Secure Access Service (SSL VPN) and Junos Pulse Access Control Service (UAC).

Vulnerability note: CVE-2012-2110

OpenSSL: memory corruption via asn1_d2i_read_bio

Synthesis of the vulnerability

An attacker can supply malformed ASN.1 data to an application linked against OpenSSL, in order to corrupt memory, leading to a denial of service or code execution.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Junos Space, Juniper SA, Juniper SBR, Mandriva Linux, NetBSD, NetScreen Firewall, ScreenOS, OpenBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 2012-04-19.
Identifiers: 1643316, BID-53158, c03333987, CERTA-2012-AVI-224, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CERTA-2012-AVI-479, CERTFR-2014-AVI-480, CERTFR-2016-AVI-300, CVE-2012-2110, DSA-2454-1, ESX350-201302401-SG, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-6395, FEDORA-2012-6403, FreeBSD-SA-12:01.openssl, HPSBUX02782, JSA10659, KB27376, MDVSA-2012:060, NetBSD-SA2012-001, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, PSN-2013-03-872, PSN-2013-05-941, RHSA-2012:0518-01, RHSA-2012:0522-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL16285, SSRT100844, SUSE-SU-2012:0623-1, SUSE-SU-2012:0637-1, SUSE-SU-2012:1149-1, SUSE-SU-2012:1149-2, VIGILANCE-VUL-11559, VMSA-2012-0003.1, VMSA-2012-0005.2, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013, VMSA-2012-0013.1, VMSA-2013-0001.2, VMSA-2013-0003.

Description of the vulnerability

X.509 certificates and other PKI objects are encoded with ASN.1 (Abstract Syntax Notation One) in DER form, where each object announces its own length.

OpenSSL uses BIOs, abstract I/O streams from which a program can read or to which it can write.

The asn1_d2i_read_bio() function of OpenSSL reads DER-encoded ASN.1 data from a BIO into a memory buffer before decoding it.

However, this function narrows the announced length of an ASN.1 object to a signed int before checking whether its buffer must be grown (buffer sizes are size_t, which is unsigned). If the announced length is 0x80000000 or more, the value becomes negative, the growth check never triggers, and the data read afterwards overruns the buffer, corrupting the heap.

The asn1_d2i_read_bio() function is used by the d2i_*_bio() and d2i_*_fp() family, for example d2i_X509_bio(). Note: the SSL/TLS protocol code of OpenSSL does not use this path, so TLS clients and servers are not vulnerable as such; any application that reads untrusted DER data through these functions is, as are S/MIME and CMS applications using the built-in MIME parser. Applications using only the memory-based d2i_*() routines or PEM input are not affected.

An attacker can therefore supply malformed ASN.1 data to an application linked against OpenSSL, in order to corrupt memory, leading to a denial of service or code execution.
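To make the narrowing concrete, the following is an added example written for this page; it is neither OpenSSL's asn1_d2i_read_bio() nor code from the bulletin. It contains a minimal DER header reader, the pre-fix comparison pattern with the length narrowed to int, and the unsigned, capped comparison that replaces it. The function names, the 16-byte "have" value, the 1 MiB cap and the sample header are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reads a DER identifier octet and length field (short form, or long form with 1..8
 * length octets). Returns the header size, or 0 if the input is truncated, uses the
 * indefinite form (0x80, forbidden in DER) or a multi-byte tag (not handled here). */
size_t der_header(const uint8_t *buf, size_t n, uint8_t *tag, uint64_t *len)
{
    if (n < 2 || (buf[0] & 0x1f) == 0x1f) return 0;
    *tag = buf[0];
    uint8_t first = buf[1];
    if (first < 0x80) { *len = first; return 2; }
    size_t nbytes = first & 0x7f;
    if (nbytes == 0 || nbytes > 8 || n < 2 + nbytes) return 0;
    uint64_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | buf[2 + i];
    *len = v;
    return 2 + nbytes;
}

/* Pre-fix pattern (modelled on the bug, not OpenSSL's code): the announced length is
 * narrowed to int before the "do we need a bigger buffer?" comparison. For 0x80000000
 * and above the int is negative, the comparison is false, the buffer is never grown,
 * and the copy of `announced` bytes that follows overruns it.
 * Returns 1 when growth is requested, 0 when the check is (wrongly) skipped. */
int vulnerable_needs_grow(uint64_t announced, int have)
{
    int want = (int)announced;   /* implementation-defined narrowing; wraps on gcc/clang */
    return want > have;
}

/* Fixed pattern: keep the length unsigned, cap it explicitly, then compare.
 * Returns 1 (grow), 0 (enough room) or -1 (reject an oversized object). */
int hardened_needs_grow(uint64_t announced, size_t have, size_t max_object)
{
    if (announced > max_object) return -1;
    return announced > have ? 1 : 0;
}

/* Constructed sample, not a real certificate: SEQUENCE header announcing 0x80000000
 * (2 GiB) bytes of content, long-form length with four length octets. */
static const uint8_t SAMPLE_HDR[] = { 0x30, 0x84, 0x80, 0x00, 0x00, 0x00 };

uint64_t sample_announced_length(void)
{
    uint8_t tag = 0;
    uint64_t len = 0;
    return der_header(SAMPLE_HDR, sizeof SAMPLE_HDR, &tag, &len) ? len : 0;
}

int main(void)
{
    uint64_t len = sample_announced_length();
    printf("announced length: 0x%llx\n", (unsigned long long)len);
    printf("vulnerable check requests growth: %d (0 = overrun ahead)\n",
           vulnerable_needs_grow(len, 16));
    printf("hardened check result: %d (-1 = rejected)\n",
           hardened_needs_grow(len, 16, 1u << 20));
    return 0;
}
```

The point of the hardened variant is not the cap value but the type discipline: the length stays unsigned all the way to the comparison, and anything beyond what the application is prepared to buffer is rejected before any allocation or copy happens.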

Vulnerability bulletin: CVE-2011-4619

OpenSSL: denial of service via SGC

Synthesis of the vulnerability

An attacker can trigger the SGC handshake restart without sending a Client Hello message, in order to create a denial of service.
Impacted products: BIG-IP Hardware, TMOS, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, OpenSSL, openSUSE, Solaris, JBoss EAP by Red Hat, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 2012-03-13.
Identifiers: 1643316, c03333987, CERTA-2012-AVI-286, CERTA-2012-AVI-479, CVE-2011-4619, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FreeBSD-SA-12:01.openssl, HPSBUX02782, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15389, SOL15461, SSRT100844, VIGILANCE-VUL-11428, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

SGC (Server Gated Cryptography) is a legacy mechanism from the era of export-restricted weak algorithms and keys; it is considered obsolete.

An attacker can trigger the SGC handshake restart without sending a Client Hello message, in order to create a denial of service.

This vulnerability results from an incomplete fix for CVE-2011-4619 in the previous OpenSSL update (VIGILANCE-VUL-11257); the same identifier was kept for the completed fix.

Vulnerability announcement: CVE-2012-0884

OpenSSL: Bleichenbacher attack on CMS and PKCS7

Synthesis of the vulnerability

The Bleichenbacher attack can be used against the OpenSSL implementation of CMS and PKCS#7, in order to recover the plaintext of an encrypted message using on the order of 2^20 oracle queries.
Impacted products: IPSO, Debian, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, Mandriva Linux, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data reading.
Provenance: document.
Creation date: 2012-03-12.
Identifiers: 1643316, BID-52428, c03333987, CERTA-2012-AVI-134, CERTA-2012-AVI-286, CERTA-2012-AVI-419, CVE-2012-0884, DSA-2454-1, FEDORA-2012-4659, FEDORA-2012-4665, FreeBSD-SA-12:01.openssl, HPSBUX02782, MDVSA-2012:038, openSUSE-SU-2012:0547-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0426-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, sk76360, SSRT100844, SUSE-SU-2012:0479-1, VIGILANCE-VUL-11427.

Description of the vulnerability

The PKCS#7 format represents a signed or encrypted document. CMS (Cryptographic Message Syntax) is its successor. S/MIME originally used PKCS#7 and now uses CMS. TLS/SSL uses neither PKCS#7 nor CMS, so it is not concerned here.

In 1998, Daniel Bleichenbacher published an adaptive chosen-ciphertext attack against RSA with PKCS#1 v1.5 padding: an oracle that merely reveals whether a submitted ciphertext decrypts to a correctly padded block lets the attacker recover the plaintext. It is named the "Million Message Attack" because it typically needs on the order of a million oracle queries.

The PKCS#7 and CMS decryption code of OpenSSL behaves as such an oracle, so the Bleichenbacher attack can be used against it, in order to recover the plaintext of an encrypted message using about 2^20 messages.

Vulnerability announcement: CVE-2011-4108, CVE-2011-4109, CVE-2011-4576

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can exploit several OpenSSL vulnerabilities, in order to obtain information, create a denial of service, and possibly execute code.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, Tivoli Workload Scheduler, IVE OS, Junos Pulse, Juniper SA, Mandriva Linux, NetBSD, OpenSSL, openSUSE, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, ESX, ESXi, VMware vSphere, VMware vSphere Hypervisor.
Severity: 3/4.
Consequences: user access/rights, data reading, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 2012-01-05.
Identifiers: 1643316, BID-51281, c03141193, CERTA-2012-AVI-006, CERTA-2012-AVI-171, CERTA-2012-AVI-479, CVE-2011-4108, CVE-2011-4109, CVE-2011-4576, CVE-2011-4577, CVE-2011-4619, CVE-2012-0027, DSA-2390-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, ESXi410-201208101-SG, ESXi500-201212102-SG, FEDORA-2012-0232, FEDORA-2012-0250, FreeBSD-SA-12:01.openssl, HPSBUX02734, MDVSA-2012:006, MDVSA-2012:007, openSUSE-SU-2012:0083-1, openSUSE-SU-2013:0336-1, openSUSE-SU-2013:0337-1, openSUSE-SU-2013:0339-1, PSN-2012-09-712, RHSA-2012:0059-01, RHSA-2012:0060-01, RHSA-2012:0086-01, RHSA-2012:0109-01, RHSA-2012:0168-01, RHSA-2012:1306-01, RHSA-2012:1307-01, RHSA-2012:1308-01, SOL15388, SOL15389, SOL15395, SOL15461, SSRT100729, SUSE-SU-2012:0084-1, SUSE-SU-2014:0320-1, VIGILANCE-VUL-11257, VMSA-2012-0005.2, VMSA-2012-0012.1, VMSA-2012-0012.2, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2013-0003.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

The DTLS (Datagram Transport Layer Security) protocol, based on TLS, provides a cryptographic layer over UDP. With CBC cipher suites, an attacker can measure timing differences in how records with invalid padding are rejected, in order to recover plaintext (VIGILANCE-VUL-11262). [severity:1/4; CERTA-2012-AVI-006, CERTA-2012-AVI-171, CVE-2011-4108]

When the X509_V_FLAG_POLICY_CHECK flag is set on OpenSSL 0.9.8, an attacker can trigger a double free, which may lead to code execution. Apache httpd does not set this flag. [severity:3/4; CVE-2011-4109]

When SSL 3.0 is used, the block-cipher padding of each record can carry up to 15 bytes of memory that were not cleared before being encrypted and sent. This occurs when a record is larger than the previous one; in practice these bytes come from the handshake and are not sensitive. [severity:2/4; CVE-2011-4576]

When OpenSSL is built with "enable-rfc3779", a certificate containing malformed RFC 3779 data (X.509 Extensions for IP Addresses and AS Identifiers) triggers an assertion failure, which stops the application. [severity:2/4; CVE-2011-4577]

SGC (Server Gated Cryptography) is a legacy mechanism from the era of export-restricted weak algorithms and keys, and is considered obsolete. An attacker can abuse the SGC handshake restart, in order to create a denial of service. [severity:2/4; CVE-2011-4619]

When the GOST ENGINE (GOST algorithms defined in draft-chudov-cryptopro-cptls-04) is enabled, an attacker can send invalid parameters, in order to stop the TLS server. [severity:2/4; CVE-2012-0027]
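The timing side channel summarized above for the DTLS case (CVE-2011-4108) and, in the first bulletin of this page, for TLS/DTLS (CVE-2013-0169, Lucky Thirteen) comes from record-checking code whose amount of work depends on whether the CBC padding verified. What follows is an added illustration written for this page, not OpenSSL code and not from either bulletin: a naive TLS-style record check beside a constant-work one. The MAC is a constructed toy stand-in for HMAC-SHA1 (not a real MAC) and the record is constructed, so that the difference in work is observable as a byte count rather than as wall-clock time; the function names and the "hello" sample are likewise assumptions of this example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20 /* HMAC-SHA1 tag size used by the TLS CBC cipher suites */

/* Constant-time predicates: 0xff for true, 0x00 for false, no data-dependent branch.
 * ct_lt_sz is valid for operands below SIZE_MAX/2. */
static uint8_t ct_lt_sz(size_t a, size_t b)
{
    return (uint8_t)(0u - (unsigned)((a - b) >> (sizeof(size_t) * CHAR_BIT - 1)));
}
static uint8_t ct_eq(uint8_t a, uint8_t b)
{
    uint8_t d = a ^ b; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (uint8_t)((d & 1) - 1);
}

/* Stand-in for HMAC-SHA1: a constructed toy, NOT a real MAC. It exists only so the
 * work done is observable; both variants return the number of bytes walked. The _ct
 * variant always walks `total` bytes and selects the first `n` with a mask, like the
 * fixed-block-count MAC computation of the Lucky Thirteen countermeasure. */
static size_t toy_mac(const uint8_t *data, size_t n, uint8_t tag[MAC_LEN])
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc ^= data[i];
    memset(tag, acc, MAC_LEN);
    return n;
}
static size_t toy_mac_ct(const uint8_t *data, size_t n, size_t total, uint8_t tag[MAC_LEN])
{
    uint8_t acc = 0;
    for (size_t i = 0; i < total; i++) acc ^= data[i] & ct_lt_sz(i, n);
    memset(tag, acc, MAC_LEN);
    return total;
}

/* Decrypted record layout: payload || MAC || padding || padlen, every padding byte
 * equal to padlen. Pre-fix style: validate the padding, exit early on error, then MAC
 * only the payload, so the work done (and the error timing) depends on the padding. */
int check_record_naive(const uint8_t *rec, size_t n, size_t *work)
{
    *work = 0;
    if (n < MAC_LEN + 1) return 0;
    uint8_t padlen = rec[n - 1];
    if ((size_t)padlen + 1 + MAC_LEN > n) return 0;       /* early exit, no MAC */
    for (size_t i = 0; i <= (size_t)padlen; i++)
        if (rec[n - 1 - i] != padlen) return 0;           /* early exit, no MAC */
    size_t plen = n - MAC_LEN - 1 - padlen;
    uint8_t tag[MAC_LEN];
    *work = toy_mac(rec, plen, tag);
    return memcmp(tag, rec + plen, MAC_LEN) == 0;
}

/* Hardened style: scan a fixed number of trailing bytes under masks, treat bad padding
 * as zero-length padding (RFC 5246 6.2.3.2) and still run the MAC over a constant
 * number of bytes. (plen still drives memory indexing; a complete fix hides that too.) */
int check_record_ct(const uint8_t *rec, size_t n, size_t *work)
{
    *work = 0;
    if (n < MAC_LEN + 1) return 0;                        /* record length is public */
    size_t maxpad = n - MAC_LEN - 1;
    if (maxpad > 255) maxpad = 255;
    uint8_t padlen = rec[n - 1];
    uint8_t good = ct_lt_sz(padlen, maxpad + 1);          /* padlen <= maxpad */
    for (size_t i = 0; i <= maxpad; i++) {
        uint8_t in_pad = ct_lt_sz(i, (size_t)padlen + 1); /* byte i lies inside the padding */
        good &= (uint8_t)~in_pad | ct_eq(rec[n - 1 - i], padlen);
    }
    size_t plen = n - MAC_LEN - 1 - (padlen & good);
    uint8_t tag[MAC_LEN], diff = 0;
    *work = toy_mac_ct(rec, plen, n - MAC_LEN - 1, tag);
    for (size_t i = 0; i < MAC_LEN; i++) diff |= tag[i] ^ rec[plen + i];
    return (good & ct_eq(diff, 0)) == 0xff;
}

/* Constructed sample (not captured traffic): payload "hello", padlen 2; tamper != 0
 * corrupts one padding byte; use_ct selects the checker. */
static int sample(int tamper, int use_ct, size_t *work)
{
    static const uint8_t payload[] = "hello";
    uint8_t rec[64];
    size_t plen = 5, padlen = 2;
    memcpy(rec, payload, plen);
    toy_mac(payload, plen, rec + plen);
    memset(rec + plen + MAC_LEN, (int)padlen, padlen + 1);
    size_t n = plen + MAC_LEN + padlen + 1;
    if (tamper) rec[n - 2] = 0x03;
    return use_ct ? check_record_ct(rec, n, work) : check_record_naive(rec, n, work);
}
int demo_valid(int tamper, int use_ct) { size_t w; return sample(tamper, use_ct, &w); }
size_t demo_work(int tamper, int use_ct) { size_t w; sample(tamper, use_ct, &w); return w; }

int main(void)
{
    for (int c = 0; c < 2; c++)
        for (int t = 0; t < 2; t++)
            printf("%s checker, %s record: valid=%d, MAC bytes walked=%zu\n",
                   c ? "constant-work" : "naive", t ? "tampered" : "good",
                   demo_valid(t, c), demo_work(t, c));
    return 0;
}
```

Both checkers reach the same verdicts; the difference is that the naive one does zero MAC work on a bad pad and full work on a good one, which is exactly the signal the attacker times, whereas the constant-work one walks the same number of bytes either way. A real fix also has to remove the remaining dependence of memory access on the padding length, which this short example leaves in place.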

Vulnerability alert: VIGILANCE-VUL-10111

Juniper Secure Access: several vulnerabilities

Synthesis of the vulnerability

An attacker can invoke server scripts without authentication or trigger Cross Site Scripting in Juniper Secure Access.
Impacted products: IVE OS, Juniper SA.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 2010-11-08.
Identifiers: VIGILANCE-VUL-10111.

Description of the vulnerability

Several vulnerabilities were announced in Juniper Secure Access.

An attacker can use the "/dana-na/download/?url=" URL, in order to call other server scripts without authentication. [severity:2/4]

An attacker can trigger several Cross Site Scripting vulnerabilities. [severity:2/4]

Vulnerability: CVE-2009-2631

Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability

A design weakness in some clientless SSL VPN products can be used by an attacker to obtain information from other web sites visited by the victim.
Impacted products: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 2009-12-09.
Identifiers: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability

Some SSL VPN products provide a web proxy to which users connect with their browser. URLs of the sites they visit are rewritten as:
  https://proxy-ssl/origin-site/page.html
so that every site appears to be hosted on the https://proxy-ssl/ server.

Web browsers enforce the same-origin policy: JavaScript from one origin (scheme, host, port) cannot read content belonging to another. When the SSL proxy places different web sites under its own single origin, this separation disappears, and a malicious script served through the proxy can read and modify the content and cookies of the other proxied sites, including the VPN session itself.

Some products rewrite page content on the fly to neutralize such JavaScript calls. However, an attacker can obfuscate the code so that the rewriter does not recognize it.

A design weakness in some clientless SSL VPN products can therefore be used by an attacker to obtain information from other web sites visited by the victim.