JSA10591 - 2013-09 Security Bulletin: Pulse Connect Secure and Pulse Policy Secure: Multiple OpenSSL vulnerabilities

Information

 
Product Affected: SA700, SA2500, FIPS SA4000, SA4500, FIPS SA4500, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, MAG6611, IC4000, IC4500, IC6000, IC6500, and FIPS IC6500
Problem
Multiple vulnerabilities in the OpenSSL library used by Pulse Connect Secure (PCS) and Pulse Policy Secure (PPS) devices have been identified.
 
CVE: CVE-2012-2131
Issue: OpenSSL buffer overflow issue
CVE Description: Multiple integer signedness errors in OpenSSL allow remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE: CVE-2013-0169
Issue: Lucky Thirteen SSL issue
CVE Description: The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
CVSS Score: 2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)

CVE: CVE-2013-0166
Issue: OpenSSL OCSP DoS issue
CVE Description: OpenSSL does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
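The Lucky Thirteen entry above describes the failure mode only in one sentence. The following is an added illustration, not part of this advisory and not OpenSSL code: a Python model of a TLS 1.1 CBC record check in which the work done by the MAC computation depends on whether the padding parsed. Instead of measuring wall-clock time, it counts SHA-1 compression-function calls, which is the quantity the timing attack observes. The record layout (data || HMAC-SHA1 tag || padding), the MAC key and the record header are constructed for the example; the "fixed" variant models only the idea behind the constant-time path in patched OpenSSL, not its actual mask-based implementation.

```python
"""Model of the Lucky Thirteen leak (CVE-2013-0169) in TLS 1.1 CBC record checking.
Cost is counted in SHA-1 compression-function calls rather than measured in
wall-clock time; the count is what an attacker observes through timing.
Assumed (constructed) record layout after CBC decryption:
    data || HMAC-SHA1 tag (20 bytes) || padding, every padding byte == pad length."""
import hashlib
import hmac

MAC_LEN = 20      # HMAC-SHA1 tag length, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
TLS_HDR = 13      # seq_num(8) || type(1) || version(2) || length(2) is MACed before the data
SHA1_BLOCK = 64


def sha1_compressions(msg_len):
    """Compression calls needed to hash msg_len bytes (0x80 byte, zero pad and an
    8-byte length, rounded up to whole 64-byte blocks)."""
    return (msg_len + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_compressions(data_len):
    """HMAC = H(K^opad || H(K^ipad || data)): inner hash over 64 + data_len bytes,
    outer hash over 64 + 20 bytes (always two compressions)."""
    return sha1_compressions(SHA1_BLOCK + data_len) + sha1_compressions(SHA1_BLOCK + MAC_LEN)


def build_record(data, key, header, padlen):
    """Constructed sample input: a record as it looks after CBC decryption."""
    tag = hmac.new(key, header + data, hashlib.sha1).digest()
    return data + tag + bytes([padlen]) * (padlen + 1)


def split_record(plaintext):
    """TLS 1.1 padding rule: every padding byte equals the final byte, and data,
    tag and padding must fit in the record.  On bad padding RFC 5246 says to
    continue as if the padding were zero-length so that a MAC check still happens.
    Returns (pad_ok, data, tag)."""
    if len(plaintext) < MAC_LEN + 1:
        return False, b"", b""
    padlen = plaintext[-1]
    pad_ok = (padlen + 1 + MAC_LEN <= len(plaintext)
              and plaintext[-(padlen + 1):] == bytes([padlen]) * (padlen + 1))
    data_len = len(plaintext) - MAC_LEN - (padlen + 1 if pad_ok else 0)
    return pad_ok, plaintext[:data_len], plaintext[data_len:data_len + MAC_LEN]


def leaky_check(plaintext, key, header):
    """Pre-fix shape: the MAC is computed over whatever data length the padding
    parse produced, so the number of compressions differs between a record whose
    padding parsed and one whose padding did not.  Returns (accepted, cost)."""
    pad_ok, data, tag = split_record(plaintext)
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    cost = hmac_sha1_compressions(TLS_HDR + len(data))
    return pad_ok and hmac.compare_digest(expected, tag), cost


def fixed_check(plaintext, key, header):
    """Post-fix shape (the idea behind the constant-time CBC MAC path in patched
    OpenSSL): the MAC work is sized for the largest data length the record could
    carry, so the compression count depends only on the record length.  The real
    code selects the right bytes with masks; here only the cost model is constant."""
    pad_ok, data, tag = split_record(plaintext)
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    max_data_len = max(len(plaintext) - MAC_LEN - 1, 0)   # smallest legal padding is 1 byte
    cost = hmac_sha1_compressions(TLS_HDR + max_data_len)
    return pad_ok and hmac.compare_digest(expected, tag), cost


def demo(data=b"GET / HTTP/1.1\r\nHost: vpn.example\r\n", padlen=11):
    """Compares a good record with a copy whose padding was corrupted (what the
    attacker achieves by flipping ciphertext bytes).  Returns the four costs."""
    key = b"k" * 20                                               # constructed MAC key
    header = bytes(8) + b"\x17\x03\x02" + len(data).to_bytes(2, "big")   # constructed header
    good = build_record(data, key, header, padlen)
    bad = bytearray(good)
    bad[-(padlen + 1)] ^= 0xFF        # break the first padding byte, keep the length byte
    bad = bytes(bad)
    return {
        "leaky_good": leaky_check(good, key, header)[1],
        "leaky_bad": leaky_check(bad, key, header)[1],
        "fixed_good": fixed_check(good, key, header)[1],
        "fixed_bad": fixed_check(bad, key, header)[1],
    }


if __name__ == "__main__":
    for name, cost in demo().items():
        print(f"{name}: {cost} SHA-1 compressions")
```

With the constructed 35-byte request the leaky check costs 4 compressions when the padding parses and 5 when it does not, which is the difference the attack measures across many crafted records; the fixed check costs 5 in both cases. The model deliberately leaves the Python HMAC call itself variable-time, since only the compression count is being compared.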

Solution
Software updates to PCS and PPS have been released to resolve these issues. Releases containing the fix include PCS 7.4r3, 7.3r6, 7.2r11, and 7.1r15, and PPS 4.4r3, 4.3r6, 4.2r5.1, and 4.1r8.1.
Workaround
There are no workarounds for the issues contained in this JSA. The only way to correct these vulnerabilities is to upgrade to software that contains a fix.
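Since upgrading is the only remedy, the practical question is which devices in an estate are below the fix release of their own branch. The following is an added example, not part of this advisory and not a Pulse Secure tool: a small Python checker that parses release strings of the form major.minor r build[.patch] (the shape of the releases listed above), compares each device against the fix release for its major.minor branch, and reports branches this advisory does not name as "unlisted" rather than guessing. The inventory is constructed for illustration.

```python
"""Checks whether a PCS/PPS release string is at or above the fix release that
this advisory names for its branch.  Release strings look like '7.2r11' or
'4.2r5.1' (major.minor 'r' build[.patch]); that grammar is an assumption
derived from the releases listed in the advisory."""
import re

# Fix releases exactly as listed in the Solution section, keyed by product.
FIXED_RELEASES = {
    "PCS": ["7.4r3", "7.3r6", "7.2r11", "7.1r15"],
    "PPS": ["4.4r3", "4.3r6", "4.2r5.1", "4.1r8.1"],
}

_RELEASE = re.compile(r"^(\d+)\.(\d+)[rR](\d+)(?:\.(\d+))?$")


def parse_release(release):
    """'7.2r11' -> (7, 2, 11, 0); '4.2r5.1' -> (4, 2, 5, 1).
    Tuples compare the way releases are ordered, so 4.2r5 < 4.2r5.1 < 4.2r6."""
    m = _RELEASE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, build, patch = m.groups()
    return int(major), int(minor), int(build), int(patch or 0)


def fix_status(product, release):
    """'fixed' if the release is at or above its branch's fix release,
    'vulnerable' if below it, 'unlisted' if the branch (major.minor) is not
    named in this advisory and therefore has to be checked separately."""
    current = parse_release(release)
    for fixed in FIXED_RELEASES[product]:
        target = parse_release(fixed)
        if target[:2] == current[:2]:
            return "fixed" if current >= target else "vulnerable"
    return "unlisted"


# Constructed inventory for illustration; hostnames and versions are not real devices.
INVENTORY = [
    ("vpn-gw-1", "PCS", "7.4r3"),
    ("vpn-gw-2", "PCS", "7.2r10"),
    ("nac-1", "PPS", "4.2r5"),
    ("nac-2", "PPS", "4.2r5.1"),
    ("lab-box", "PCS", "7.0r5"),
]


def audit(inventory=INVENTORY):
    """Returns [(host, status)] per device; unknown products or unparseable
    release strings are reported as 'unparseable' rather than silently skipped."""
    results = []
    for host, product, release in inventory:
        try:
            results.append((host, fix_status(product, release)))
        except (ValueError, KeyError):
            results.append((host, "unparseable"))
    return results


if __name__ == "__main__":
    for host, status in audit():
        print(f"{host:10} {status}")
```

Note that the comparison is per branch: a 7.2 device must reach 7.2r11, and 7.3r5 is still vulnerable even though it is numerically "newer" than 7.2r11. Branches not listed here, older or newer, are flagged for manual review instead of being assumed fixed.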
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) (7.5 is the highest score among the OpenSSL issues fixed in this advisory and is therefore used as the advisory's overall score.)
Risk Level: High
Legacy ID: JSA10591
