Juniper Junos OpenSSL Heartbeat Information Disclosure (JSA10623) (Heartbleed)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote device is missing a vendor-supplied security patch.

Description :

According to its self-reported version number, the remote Junos device
is affected by an information disclosure vulnerability. An
out-of-bounds read error, known as Heartbleed, exists in the TLS/DTLS
implementation due to improper handling of TLS heartbeat extension
packets. A remote attacker, using crafted packets, can trigger a
buffer over-read, resulting in the disclosure of up to 64KB of process
memory, which contains sensitive information such as primary key
material, secondary key material, and other protected content.

Note that this issue only affects devices with J-Web or the SSL
service for JUNOScript enabled.
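
Added example (not part of the Nessus plugin or of Juniper's advisory): the receiver-side length check from RFC 6520, whose absence allows the over-read described above. The function and macro names are illustrative assumptions, and the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST      1   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE     2   /* heartbeat_response */
#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING 16   /* RFC 6520 requires at least 16 padding bytes */

/* Returns the payload length that is safe to echo, or -1 when the message
 * must be silently discarded. rec_len is the number of bytes received. */
static long hb_checked_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;                      /* too short, or not a request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* sender-controlled */
    /* The bounds check: the claimed length must fit in what was received. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    return (long)claimed;
}

/* Builds the response in out; returns bytes written, 0 if discarded. */
static size_t hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    long n = hb_checked_payload_len(rec, rec_len);
    if (n < 0 || HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)n);
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING); /* zeros stand in for random padding */
    return HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
}

/* Constructed sample: 23 received bytes; b1/b2 are the payload_length field. */
static size_t sample_response_len(uint8_t b1, uint8_t b2)
{
    uint8_t rec[23] = { HB_REQUEST, b1, b2, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("%zu %zu\n", sample_response_len(0x00, 0x04), sample_response_len(0xFF, 0xFF));
    return 0;
}
```

A length field that agrees with the received record yields a 23-byte response; one that exceeds it yields no response at all.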

See also :

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10623
http://www.heartbleed.com
https://eprint.iacr.org/2014/140
https://www.openssl.org/news/vulnerabilities.html#2014-0160
https://www.openssl.org/news/secadv/20140407.txt

Solution :

Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10623.

Risk factor :

High / CVSS Base Score : 9.4
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
CVSS Temporal Score : 8.2
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Junos Local Security Checks

Nessus Plugin ID: 73687

Bugtraq ID: 66690

CVE ID: CVE-2014-0160
