[j-nsp] SA SSL VPN vulnerable to Heartbleed?

Vincent Clement vclement.mail at gmail.com
Fri Apr 11 14:19:12 EDT 2014


Thanks Chris, fixed almost all the customers already, was just curious :)


2014-04-11 20:04 GMT+02:00 Chris Jones <ipv6freely at gmail.com>:

> Configuration is irrelevant.
>
>
> On Fri, Apr 11, 2014 at 12:48 AM, Vincent Clement <vclement.mail at gmail.com> wrote:
>
>> Confirm too, and I answer to myself:
>> Made some tests with Heartbleed python scripts:
>> It seems that when your realm/port require a client certificate, the SSL
>> process stops if you have no certificate BEFORE the heartbleed issue can be
>> exploited.
>>
>> Still need to upgrade, but depending on your configuration you may be less
>> critically exposed.
>>
>> Vincent
>>
>>
>> 2014-04-10 19:56 GMT+02:00 Dave Funk <dbfunk at engineering.uiowa.edu>:
>>
>> >
>> >  Date: Thu, 10 Apr 2014 00:21:13 +0200
>> >> From: Vincent Clement <vclement.mail at gmail.com>
>> >> To: Morgan McLean <wrx230 at gmail.com>
>> >> Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
>> >> Subject: Re: [j-nsp] SA SSL VPN vulnerable to Heartbleed?
>> >> Message-ID:
>> >>         <CAH1VrDYM8moOteD26Aq8wd9+sLM1u6KXb14p6SGZYNqO8VFPmA@
>> >> mail.gmail.com>
>> >>
>> >>
>> >> Hello,
>> >> Anyone here to confirm me how it works?
>> >> I mean, I've looked after some heartbleed description, and I'm not sure
>> >> when the issue can occur:
>> >> If I have certificate authentication on MAG, is this still vulnerable, or
>> >> the attacker can't even start the SSL connection and go to the step where
>> >> heartbeat occurs to have access to the issue?
>> >> In the SSL/TLS process, I think the SSL session starts with the MAG server
>> >> certificate sent to client, then ask for customer one. Is this sufficient
>> >> to "launch" heartbleed for an attacker?
>> >>
>> >> Thanks,
>> >> Vincent
>> >>
>> >>
>> >> 2014-04-09 21:25 GMT+02:00 Morgan McLean <wrx230 at gmail.com>:
>> >>
>> >>  Just refer to their doc, our MAGs are vulnerable. All depends on the
>> >>> software.
>> >>>
>> >>> Thanks,
>> >>> Morgan
>> >>>
>> >>
>> > I don't know the answer to your question but you can find out empirically
>> > by using one of the online SSL testers on your MAG. The testers actually
>> > try to exercise the flaw (send a heartbeat request asking for more than
>> > they should be allowed to get) and if they succeed then you're at risk.
>> > A good one is: https://www.ssllabs.com/ssltest/
>> >
>> > I can confirm that 7.4R9.1 fixed our SA4500s (thank you Juniper engineers
>> > who worked thru the night to create that release).
>> >
>> >
>> >
>> > --
>> > Dave Funk                                  University of Iowa
>> > <dbfunk (at) engineering.uiowa.edu>        College of Engineering
>> > 319/335-5751   FAX: 319/384-0549           1256 Seamans Center
>> > Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
>> > #include <std_disclaimer.h>
>> > Better is not better, 'standard' is better. B{
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>> >
>>
>>
>>
>> --
>> Vincent Clément
>> +33 6 74 49 66 30
>>
>
>
>
> --
> Chris Jones
> JNCIE-ENT #272
> CCIE# 25655 (R&S)
>



-- 
Vincent Clément
+33 6 74 49 66 30
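
Added example (not part of the thread, and not code from any poster or from Juniper): the length check that the testers described in Dave Funk's message probe for, written as a passive detector. Per RFC 6520 a heartbeat message is a 1-byte type, a 2-byte payload_length, the payload and at least 16 bytes of padding, so the function flags a record whose claimed payload_length cannot fit inside the record. The function names and sample records are constructed for illustration, and the record bytes are assumed to be visible unencrypted to the inspector.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat (RFC 6520)
MIN_PADDING = 16    # RFC 6520: padding is at least 16 bytes


def classify_record(record: bytes) -> str:
    """Return 'truncated', 'not-heartbeat', 'ok' or 'length-mismatch'."""
    if len(record) < 5:
        return "truncated"
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HEARTBEAT:
        return "not-heartbeat"
    body = record[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 3:
        return "truncated"
    _hb_type, claimed = struct.unpack("!BH", body[:3])
    # type (1) + payload_length (2) + payload + padding must fit in the record.
    # A receiver that skips this comparison copies `claimed` bytes from a
    # buffer that only holds `rec_len` bytes.
    if 1 + 2 + claimed + MIN_PADDING > rec_len:
        return "length-mismatch"
    return "ok"


def make_record(claimed: int, payload: bytes, padding: int) -> bytes:
    """Build a constructed sample record (hypothetical helper for the demo)."""
    body = struct.pack("!BH", 1, claimed) + payload + b"\x00" * padding
    return struct.pack("!BHH", HEARTBEAT, 0x0302, len(body)) + body


# Constructed sample input, not captured traffic.
SAMPLES = {
    "well-formed": make_record(4, b"ping", 16),
    "claims 16384, carries 0": make_record(0x4000, b"", 0),
    "handshake record": struct.pack("!BHH", 22, 0x0302, 1) + b"\x00",
    "cut short": make_record(4, b"ping", 16)[:10],
}


def scan(samples: dict) -> dict:
    """Classify every sample record by name."""
    return {name: classify_record(rec) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:26} {verdict}")
```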

