-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bulletin PSN-2005-11-007

Title: IKE version 1 vulnerability issues resulting from OUSPG ISAKMP Test Suite (NISCC/ISAKMP/273756)
Date: 2005-11-14
Revision: 7
Products Affected: All Juniper Networks M/T/J/E-series routers; NetScreen firewalls running ScreenOS software.
Platforms Affected: Various JUNOS, JUNOSe and ScreenOS based products

- ----------------------------------------------------------------------
PSN Issue:

The University of Oulu Security Programming Group (OUSPG) has developed an ISAKMP Test Suite for IKE version 1 Phase 1, a key component of the IPSec encryption and security protocol. The IKE protocol implementation in JUNOS, JUNOSe, ScreenOS and NetScreen Remote software is vulnerable to certain test cases in the test suite provided by OUSPG.

For more details about this vulnerability, see the NISCC website link in the Related Links section of this bulletin.

- ----------------------------------------------------------------------
Solution:

Changes have been made in the JUNOSe, JUNOS, ScreenOS and NetScreen Remote software that resolve the potential vulnerability exposed by the OUSPG ISAKMP/IKE test suite. In addition, Juniper Networks agrees with the mitigation recommendations in the NISCC advisory.

Solution Implementation:

Please refer to the full text of PSN-2005-11-007 via the Security Alert Notifications link at the top of the Security Center web page.

- ----------------------------------------------------------------------
The following currently available ScreenOS software releases (used on NetScreen firewall and VPN products) contain modified code that provides fixes for the IKE security protocol:

  4.0.0r13a    for the 100
  4.0.3r9a.0   for 5xp, 5xt, 25, 50, 200, 500, 5200-8G
  5.0.0r10a    for the ISG-1000 and ISG-2000
  5.0.0r11.0   for 5xp, 5xt, 25, 50, 204, 208, 500, 5200/5400-M1 using 8g or 24FE
  5.0.0r11.1   for 5gt, 5gt-WLAN, 5gt-ADSL
  5.0.0-M2.r9a for the 5200-M2/5400-M2 using 8G or 24FE line cards
  5.1.0r4b.0   for 5xt, 5gt, 50, 200, 500, 5000 (doesn't cover ns5xp)
  5.2.0r3      for 5xt, 5gt, 5gt-ADSL, 25, 50, 204, 208, 500, ISG-2000, 5200/5400-M1, 5200/5400-M2

ScreenOS versions not specifically listed are under investigation.

NetScreen-Remote 8.7 VPN client contains modified code that provides fixes for the IKE security protocol.

The following JUNOSe software releases (used on E-series routers) contain modified code that provides fixes for the IKE security protocol:

  5-2-4p0-8, 5-2-5, 5-3-4p0-5, 6-0-2p0-5, 6-0-3, 6-1-1p0-7, 6-1-2, 7-0-0p0-1, 7-0-1, 7-1-0.

All JUNOS software (for M/T/J-series routers) for Releases 6.4 and later releases built on or after July 28, 2005 contains modified code that provides fixes for the IKE security protocol.

- ----------------------------------------------------------------------
Disclaimer:

Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of noninfringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.

- ----------------------------------------------------------------------
Related Links:

NISCC Vulnerability Advisory:
http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en

Juniper Networks PSN:
http://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2005-11-007

- ----------------------------------------------------------------------
Copyright (c) 1998-2006, Juniper Networks, Inc. All Rights Reserved

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQA/AwUBRHZLtQJw4nLp1sbREQKPvQCeN61SYHKmGnj3cggkmyXm8iIOre0An1F6
9W6esvnB/BKKib/gae/AdkDI
=thNE
-----END PGP SIGNATURE-----