[j-nsp] SA SSL VPN vulnerable to Heartbleed?

Vincent Clement vclement.mail at gmail.com
Fri Apr 11 03:48:46 EDT 2014


Confirmed too, and I'll answer my own question:
I ran some tests with Heartbleed Python scripts.
It seems that when your realm/port requires a client certificate, the SSL
process stops if you have no certificate BEFORE the Heartbleed issue can be
exploited.

Still need to upgrade, but depending on your configuration you may be less
critically exposed.

Vincent


2014-04-10 19:56 GMT+02:00 Dave Funk <dbfunk at engineering.uiowa.edu>:

>> Date: Thu, 10 Apr 2014 00:21:13 +0200
>> From: Vincent Clement <vclement.mail at gmail.com>
>> To: Morgan McLean <wrx230 at gmail.com>
>> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
>> Message-ID: <CAH1VrDYM8moOteD26Aq8wd9+sLM1u6KXb14p6SGZYNqO8VFPmA@mail.gmail.com>
>>
>>
>> Hello,
>> Can anyone here confirm for me how it works?
>> I mean, I've looked at some Heartbleed descriptions, and I'm not sure
>> when the issue can occur:
>> If I have certificate authentication on the MAG, is it still vulnerable, or
>> can the attacker not even start the SSL connection and get to the step where
>> the heartbeat occurs to have access to the issue?
>> In the SSL/TLS process, I think the SSL session starts with the MAG server
>> certificate sent to the client, then asks for the customer one. Is this
>> sufficient for an attacker to "launch" Heartbleed?
>>
>> Thanks,
>> Vincent
>>
>>
>> 2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx230 at gmail.com>:
>>
>>> Just refer to their doc, our MAGs are vulnerable. All depends on the
>>> software.
>>>
>>> Thanks,
>>> Morgan
>>>
>>
> I don't know the answer to your question but you can find out empirically
> by using one of the online SSL testers on your MAG. The testers actually
> try to exercise the flaw (send a heartbeat request asking for more than
> they should be allowed to get) and if they succeed then you're at risk.
> A good one is: https://www.ssllabs.com/ssltest/
>
> I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers
> who worked thru the night to create that release).
>
>
>
> --
> Dave Funk                                  University of Iowa
> <dbfunk (at) engineering.uiowa.edu>        College of Engineering
> 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
> Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
> #include <std_disclaimer.h>
> Better is not better, 'standard' is better. B{



-- 
Vincent Clément
+33 6 74 49 66 30
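
The server's first handshake flight that the quoted question asks about, as an added example that is not part of the original thread: a passive Python parser that lists the message order and reports whether a client certificate is requested and whether the RFC 6520 heartbeat extension is advertised. The sample bytes are constructed (TLS 1.1, placeholder bodies) and all function names are hypothetical.

```python
import struct

HANDSHAKE = 22  # TLS record content type carrying handshake messages
HS_NAMES = {2: "server_hello", 11: "certificate",
            13: "certificate_request", 14: "server_hello_done"}
EXT_HEARTBEAT = 15  # RFC 6520 extension type
HB_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}

def handshake_messages(stream):
    """Join the handshake records in `stream`, yield (type, body) per message."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == HANDSHAKE:
            buf += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    while len(buf) >= 4:
        mlen = int.from_bytes(buf[1:4], "big")
        yield buf[0], buf[4:4 + mlen]
        buf = buf[4 + mlen:]

def heartbeat_mode(server_hello):
    """Heartbeat mode advertised in a ServerHello body, or None if absent."""
    pos = 2 + 32                            # protocol version + random
    pos += 1 + server_hello[pos] + 2 + 1    # session_id, cipher suite, compression
    # Extensions block; an absent block reads as length 0 and the loop is skipped.
    end = pos + 2 + int.from_bytes(server_hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", server_hello, pos)
        if etype == EXT_HEARTBEAT and elen == 1:
            return HB_MODES.get(server_hello[pos + 4], "unknown")
        pos += 4 + elen
    return None

def summarize(stream):
    """Message order of the server's first flight plus the two facts of interest."""
    msgs = list(handshake_messages(stream))
    order = [HS_NAMES.get(t, f"type_{t}") for t, _ in msgs]
    hello = next((body for t, body in msgs if t == 2), None)
    return {"order": order, "client_cert_requested": "certificate_request" in order,
            "heartbeat": heartbeat_mode(hello) if hello else None}

# Constructed sample (not a capture): one TLS 1.1 record, placeholder bodies.
def _hs(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
_HELLO = b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x2f\x00" + b"\x00\x05\x00\x0f\x00\x01\x01"
_FLIGHT = _hs(2, _HELLO) + _hs(11, bytes(3)) + _hs(13, b"\x01\x01\x00\x00") + _hs(14, b"")
SAMPLE = struct.pack("!BHH", HANDSHAKE, 0x0302, len(_FLIGHT)) + _FLIGHT
```

Calling `summarize(SAMPLE)` returns the message order, the client-certificate flag and the advertised heartbeat mode for the constructed flight.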

