[j-nsp] SA SSL VPN vulnerable to Heartbleed?

Dave Funk dbfunk at engineering.uiowa.edu
Thu Apr 10 13:56:14 EDT 2014


> Date: Thu, 10 Apr 2014 00:21:13 +0200
> From: Vincent Clement <vclement.mail at gmail.com>
> To: Morgan McLean <wrx230 at gmail.com>
> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
> Message-ID:
> 	<CAH1VrDYM8moOteD26Aq8wd9+sLM1u6KXb14p6SGZYNqO8VFPmA at mail.gmail.com>
>
> Hello,
> Can anyone here confirm for me how it works?
> I mean, I've looked at some Heartbleed descriptions, and I'm not sure
> when the issue can occur:
> If I have certificate authentication on the MAG, is this still vulnerable, or
> can the attacker not even start the SSL connection and get to the step where
> the heartbeat occurs in order to reach the issue?
> In the SSL/TLS process, I think the SSL session starts with the MAG server
> certificate sent to the client, then asks for the customer one. Is this sufficient
> to "launch" Heartbleed for an attacker?
>
> Thanks,
> Vincent
>
>
> 2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx230 at gmail.com>:
>
>> Just refer to their doc; our MAGs are vulnerable. It all depends on the
>> software.
>>
>> Thanks,
>> Morgan

I don't know the answer to your question, but you can find out empirically
by using one of the online SSL testers on your MAG. The testers actually try to
exercise the flaw (send a heartbeat request asking for more than they should
be allowed to get), and if they succeed then you're at risk.
A good one is: https://www.ssllabs.com/ssltest/

I can confirm that 7.4R9.1 fixed our SA4500s (thank you, Juniper engineers who
worked through the night to create that release).


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

