Juniper Junos OpenSSL Heartbeat Information Disclosure (JSA10623) (Heartbleed)

2014-04-18T00:00:00
ID JUNIPER_JSA10623.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
Modified 2014-04-18T00:00:00

Description

According to its self-reported version number, the remote Junos device is affected by an information disclosure vulnerability. An out-of-bounds read error, known as Heartbleed, exists in the TLS/DTLS implementation due to improper handling of TLS heartbeat extension packets. A remote attacker, using crafted packets, can trigger a buffer over-read, resulting in the disclosure of up to 64KB of process memory, which contains sensitive information such as primary key material, secondary key material, and other protected content.

Note that this issue only affects devices with J-Web or the SSL service for JUNOScript enabled.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration block: when the plugin is loaded with `description` set, only
# the metadata below is recorded and the script exits (exit(0) at the end of
# the block) before any of the detection logic further down runs.
if (description)
{
  script_id(73687);
  script_version("1.15");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/12");

  # Cross-references: the CVE, the Bugtraq ID, the CERT note, four Exploit-DB
  # entries and the Juniper advisory this check is built around.
  script_cve_id("CVE-2014-0160");
  script_bugtraq_id(66690);
  script_xref(name:"CERT", value:"720951");
  script_xref(name:"EDB-ID", value:"32745");
  script_xref(name:"EDB-ID", value:"32764");
  script_xref(name:"EDB-ID", value:"32791");
  script_xref(name:"EDB-ID", value:"32998");
  script_xref(name:"JSA", value:"JSA10623");

  script_name(english:"Juniper Junos OpenSSL Heartbeat Information Disclosure (JSA10623) (Heartbleed)");
  script_summary(english:"Checks the Junos version, model, and configuration.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  # The description states the finding rests on the self-reported version:
  # nothing in this script sends a heartbeat request to the device.
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Junos device
is affected by an information disclosure vulnerability. An
out-of-bounds read error, known as Heartbleed, exists in the TLS/DTLS
implementation due to improper handling of TLS heartbeat extension
packets. A remote attacker, using crafted packets, can trigger a
buffer over-read, resulting in the disclosure of up to 64KB of process
memory, which contains sensitive information such as primary key
material, secondary key material, and other protected content.

Note that this issue only affects devices with J-Web or the SSL
service for JUNOScript enabled.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623");
  script_set_attribute(attribute:"see_also", value:"http://www.heartbleed.com");
  # NOTE(review): confirm this reference pertains to CVE-2014-0160; it may
  # have been carried over from a check covering a different OpenSSL issue.
  script_set_attribute(attribute:"see_also", value:"https://eprint.iacr.org/2014/140");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/vulnerabilities.html#2014-0160");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20140407.txt");
  # Patching alone does not revoke anything that may already have been read
  # from memory; the advisory is the place to check for follow-up steps such
  # as certificate and credential rotation.
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10623.");
  # NOTE(review): the base vector rates both confidentiality and integrity
  # impact as Complete (C:C/I:C) with no availability impact. Other scoring
  # sources may rate this CVE as a confidentiality-only issue - confirm which
  # rating policy applies before using this score for prioritisation.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
  # Temporal vector: functional exploit exists (E:F), official fix available
  # (RL:OF), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  # NOTE(review): this publication date precedes the OpenSSL advisory
  # referenced above (secadv/20140407.txt) - confirm it refers to Heartbleed.
  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/18");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  # Information-gathering category, filed under the Junos local checks family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");

  # Runs after junos_version.nasl and only when both KB keys below are set
  # (presumably populated by that dependency - verify in junos_version.nasl).
  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/model", "Host/Juniper/JUNOS/Version");

  exit(0);
}

include("audit.inc");
include("junos_kb_cmd_func.inc");
include("misc_func.inc");

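# Detection logic. The host is reported only when all of the following hold:
#   1. the model is a J Series or SRX Series device,
#   2. check_junos() returns a fix for the self-reported version, and
#   3. the saved configuration, if it could be read, enables an SSL-backed
#      management service (J-Web over HTTPS or XNM-SSL).
# No heartbeat request is sent to the device, so the result is only as
# reliable as the version and configuration data collected earlier in the scan.
ver   = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');

# With exit_on_fail:TRUE the call itself ends the script for other models, so
# it is written as a plain statement. The original wrapped it in an `if` with
# no body, which silently made the following assignment conditional.
check_model(model:model, flags:J_SERIES | SRX_SERIES, exit_on_fail:TRUE);

# Release branch -> first fixed release. Only the 13.3 branch is listed here.
fixes = make_array();
fixes['13.3'] = '13.3R1.8';
fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# HTTPS or XNM-SSL must be enabled.
# `override` stays TRUE when the configuration could not be retrieved (empty
# buf); it is handed to junos_report() below - presumably so the report can
# state that the finding rests on the version alone (verify in the library).
override = TRUE;
buf = junos_command_kb_item(cmd:"show configuration | display set");
if (buf)
{
  # NOTE(review): the HTTPS pattern requires an explicit `interface`
  # statement. Confirm whether a configuration that enables web-management
  # https without one would be missed and audited out as not affected.
  patterns = make_list(
    "^set system services web-management https interface", # HTTPS
    "^set system services xnm-ssl" # SSL Service for JUNOScript (XNM-SSL)
  );
  foreach pattern (patterns)
  {
    if (junos_check_config(buf:buf, pattern:pattern))
    {
      # One enabled service is enough to keep the finding.
      override = FALSE;
      break;
    }
  }
  # Message fix: the original read "neither ... are not enabled", a double
  # negative that stated the opposite of the reason for the audit exit.
  if (override) audit(AUDIT_HOST_NOT,
    'affected because neither J-Web nor SSL Service for JUNOScript (XNM-SSL) is enabled');
}

junos_report(ver:ver, fix:fix, model:model, override:override, severity:SECURITY_HOLE);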