SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Failed PCI Scan - SSLv3 enable on Dynamic VPN

    Posted 03-16-2015 11:13

    Failing my PCI scan because I use dynamic VPN. Is there an upcoming fix to this?

     

    The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
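    The scanner finding quoted above is not produced by running the POODLE padding-oracle attack; a PCI scanner simply sends an SSLv3 ClientHello and reports a hit if the device answers with an SSLv3 ServerHello. The following Python is an added example (not code from this thread or from Juniper) of that check, so an administrator can verify from the outside whether the dynamic VPN listener still offers SSLv3 after an upgrade or workaround. The record builder and the response classifier run offline against constructed sample replies; `probe()` is the only part that touches the network, and its host and port arguments are placeholders you supply.

```python
"""Added example: what a PCI scanner's SSLv3 check actually does.

The scanner sends an SSLv3 ClientHello and reports a finding if the server
answers with an SSLv3 ServerHello. build_sslv3_client_hello() and
classify_response() are testable offline; probe() is the network wrapper.
Host and port passed to probe() are hypothetical placeholders.
"""
import socket
import struct

SSLV3_VERSION = b"\x03\x00"
# A few widely supported cipher suite IDs (TLS registry values), enough for a
# server that still offers SSLv3 to pick one and reply with a ServerHello.
CIPHER_SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)


def build_sslv3_client_hello() -> bytes:
    """Return one TLS record carrying an SSLv3 ClientHello (RFC 6101 layout)."""
    client_random = b"\x00" * 32          # constant: the handshake is never completed
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3_VERSION                      # client_version = 3.0
        + client_random
        + b"\x00"                          # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                      # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType 1 = ClientHello
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(record: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello."""
    if len(record) < 5:
        return "no-response"
    content_type, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if content_type == 0x15:                                     # Alert: server refused SSLv3
        return "sslv3-rejected"
    if content_type == 0x16 and payload and payload[0] == 0x02:  # Handshake/ServerHello
        if payload[4:6] == SSLV3_VERSION:                        # server_version follows 4-byte header
            return "sslv3-offered"
        return "unexpected-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Network wrapper: send the ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


# Constructed sample replies for offline checks (not captured from a real device).
def _server_hello(version: bytes) -> bytes:
    body = version + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"   # random, no session, one suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


SAMPLE_SSLV3_SERVER_HELLO = _server_hello(SSLV3_VERSION)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal alert, protocol_version (70)
```

Run `probe("your-srx-hostname")` from a host that can reach the dynamic VPN listener; a result of `sslv3-offered` is exactly what the PCI scanner reports as the POODLE finding, regardless of whether the padding-oracle weakness itself has been patched, and `sslv3-rejected` is what you want to see after the fix.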



  • 2.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN

    Posted 03-16-2015 17:41

    Junos releases updated for the Poodle fix are listed here.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656

     

    You will just need to upgrade to the appropriate version for your platform.



  • 3.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN

    Posted 04-10-2015 18:30

    Thanks for the reply. I have updated Junos to 12.1X47-D20 but still keep failing the Poodle tests. Is there something I am missing in the KB? Thanks again for your help on this.



  • 4.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN
    Best Answer

     
    Posted 04-11-2015 00:44

    Have you tried the steps below? Keep in mind that the change will not survive a reboot.

     

    1. From the root shell:
    root@junos% vi /jail/var/etc/httpd.conf

    Change the default config of "SSLProtocol ALL -SSLV2" to "SSLProtocol TLSv1"

    2. Find the process ID (pid) of httpd and kill/restart it:
    root@junos% ps auxw | grep httpd
    root@junos% kill -9 (pid of httpd) OR kill -HUP (pid of httpd)

    *Note: This change will not survive reboots. Additionally, executing the 'restart web-management' CLI command will restart the httpd-gk process, which will regenerate the default httpd.conf file, overwriting manual changes. Refer to KB18162 for more information about this workaround.
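    The workaround above hinges on what the SSLProtocol directive actually permits: "ALL -SSLv2" still leaves SSLv3 on, while "TLSv1" does not. The Python below is an added example (not from this thread, KB18162, or Juniper) that evaluates an Apache-style SSLProtocol argument list the way httpd does (ALL, bare names, and +/- modifiers, case-insensitively), reports whether a given httpd.conf still enables SSLv3, and rewrites the directive to the thread's value. The config excerpt is constructed for the example and is not the real /jail/var/etc/httpd.conf; which protocols ALL expands to depends on the Apache and OpenSSL build on the device, so the list here is an assumption.

```python
"""Added example: audit and rewrite the SSLProtocol directive in an httpd.conf.

Evaluates Apache's SSLProtocol syntax (ALL, bare names, +name, -name) to decide
whether SSLv3 is still enabled, and applies the thread's workaround value.
The protocol set behind ALL is an assumption about the device's build.
"""
import re

# Assumed expansion of ALL for the build in question (varies by Apache/OpenSSL).
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_CANONICAL = {p.lower(): p for p in KNOWN_PROTOCOLS}

# Matches one SSLProtocol line; directive names are case-insensitive in httpd.
SSLPROTOCOL_RE = re.compile(r"^[ \t]*SSLProtocol[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(value: str) -> set:
    """Return the protocols an SSLProtocol argument list leaves enabled."""
    enabled = set()
    for token in value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(KNOWN_PROTOCOLS)
        else:
            names = {_CANONICAL.get(token.lower(), token)}   # unknown names kept verbatim
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def sslv3_enabled(httpd_conf: str) -> bool:
    """True if the last SSLProtocol directive (or the absence of one) allows SSLv3."""
    values = SSLPROTOCOL_RE.findall(httpd_conf)
    if not values:
        return True            # no directive: httpd's default of ALL applies (assumption)
    return "SSLv3" in enabled_protocols(values[-1])   # last directive wins


def harden(httpd_conf: str, new_value: str = "TLSv1") -> str:
    """Rewrite the SSLProtocol line to new_value, as the thread's workaround does."""
    if SSLPROTOCOL_RE.search(httpd_conf):
        return SSLPROTOCOL_RE.sub(f"SSLProtocol {new_value}", httpd_conf)
    return httpd_conf.rstrip("\n") + f"\nSSLProtocol {new_value}\n"


# Constructed excerpt for the example; not the real /jail/var/etc/httpd.conf.
SAMPLE_HTTPD_CONF = """\
Listen 443
SSLEngine on
SSLProtocol ALL -SSLV2
SSLCipherSuite HIGH:!aNULL
"""
```

Calling `sslv3_enabled(SAMPLE_HTTPD_CONF)` returns True for the stock "ALL -SSLV2" line and False after `harden()` has rewritten it, which is the check to rerun after a reboot or a 'restart web-management', since both put the default file back.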



  • 5.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN

    Posted 04-16-2015 09:29

    Thanks. I called support on this and their response was basically that the vulnerability is fixed; however, the PCI scanner just looks for SSLv3. Even though SSLv3 is remediated, the scanner does not see that as the case.

     

    I was told that SSLv3 will not be disabled until v13 is out.

     

    We had to go with the workaround. 

     

    It seems that it is a tremendous pain to change anything in the shell. Do you have any instructions or a command list for shell commands? I can't seem to find much documentation on it.

     

    Thanks again for your help on this.


  • 6.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN

     
    Posted 04-16-2015 11:39

    Hi Rick,

     

    To drop to the Unix shell you first need to set a root password on the system:

     

    set system root-authentication

     

    When you are in operational mode, run the following command:

     

    start shell

     

    Now you drop to the Unix shell (leaving the CLI).

    In the Unix shell, run the following command:

     

    su -

     

    Type in your root password and you are root on the system. When you have done this you can edit the httpd.conf and make your changes as mentioned in my earlier post.


  • 7.  RE: Failed PCI Scan - SSLv3 enable on Dynamic VPN

    Posted 04-11-2015 04:09

    I would open a JTAC case. This is clearly supposed to be a supported version for the POODLE fix and is failing a scan test.

     

    The other possibility is that the scan is a false positive. Once JTAC confirms that the fix is in place and provides the details on what is done in this version, you can present this information to the auditor.

     

    Or you can give the auditor the linked KB that describes the general procedure they are using for the POODLE fix and say this is patched.