SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Encryption/VPN)  >   Pulse Connect Secure (formerly Juniper Pulse Secure) Vendors:   Juniper
(Juniper Issues Fix for IVE) OpenSSL SSL_OP_MSIE_SSLV2_RSA_PADDING Option May Let Remote Users Rollback the Protocol Version
SecurityTracker Alert ID:  1015400
SecurityTracker URL:  http://securitytracker.com/id/1015400
CVE Reference:   CVE-2005-2969   (Links to External Site)
Date:  Dec 22 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): IVE versions up to and including 4.2R6, 5.0R5 and 5.1R3
Description:   A vulnerability was reported in OpenSSL. A remote user may be able to cause a target client and server to rollback to a weaker cryptographic protocol in certain cases. Juniper (Netscreen) IVE is affected.

The SSL_OP_MSIE_SSLV2_RSA_PADDING option (or SSL_OP_ALL option) disables a verification step in the SSL 2.0 server that would otherwise prevent active protocol-version rollback attacks.

A remote user can conduct a "man in the middle" attack to force a client and a server to negotiate the SSL 2.0 protocol instead of SSL 3.0 or TLS 1.0. The SSL 2.0 protocol is a cryptographically weak protocol.

Applications that use the OpenSSL SSL/TLS server implementation may be affected.

Applications that do not use SSL_OP_MSIE_SSLV2_RSA_PADDING and SSL_OP_ALL are not affected. Applications that disable the use of SSL 2.0 are also not affected.

The vendor credits Yutaka Oiwa of the Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST), Japan, with reporting this vulnerability.

Impact:   A remote user with the ability to conduct a man-in-the-middle attack can cause a client and server to use the weaker SSL 2.0 protocol.
Solution:   Juniper has issued a fix for Netscreen IVE, which is affected by this OpenSSL vulnerability. The following fixed versions are available:

* 4.2R7
* 5.0R6
* 5.1R4

The fix disables SSL 2.0 compatibility and may break compatibility with IE 3.02 and prior versions.

The Juniper advisory is available at:

http://www.juniper.net/support/security/alerts/PSN-2005-12-025.txt

Vendor URL:  www.juniper.net/support/security/alerts/PSN-2005-12-025.txt (Links to External Site)
Cause:   Authentication error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Oct 11 2005 OpenSSL SSL_OP_MSIE_SSLV2_RSA_PADDING Option May Let Remote Users Rollback the Protocol Version



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC