Vigil@nce - JUNOS: weak SSL algorithms of J-Web
January 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
The SSL server of JUNOS J-Web accepts algorithms that use keys
shorter than 128 bits.
Severity: 1/4
Creation date: 13/01/2011
IMPACTED PRODUCTS
– Juniper J Series
– Juniper JUNOS
DESCRIPTION OF THE VULNERABILITY
When an SSL session is initialized, the client and the server
negotiate the cryptographic algorithms to use.
Some old algorithms use small key sizes (RC4 40-bit, RC4 56-bit).
The SSL server of JUNOS J-Web still accepts algorithms that use
keys shorter than 128 bits.
An attacker in a man-in-the-middle position can therefore force
the negotiation of a weak algorithm and then decrypt the SSL
session.
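To audit a server for this condition, an administrator can offer it only sub-128-bit suites and inspect the first record it returns: a ServerHello means the weak suite was accepted, an alert means it was refused. The following is an added example, not part of the Vigil@nce bulletin or of any Juniper code; the function names, the small suite table and the sample records are assumptions constructed for illustration.

```python
import struct

# Symmetric key bits for a few suite IDs (RFC 2246 / RFC 3268 values, plus
# 0x0064 from the expired 56-bit export draft as implemented by OpenSSL).
SUITE_BITS = {
    0x0003: 40,   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    0x0064: 56,   # TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    0x0005: 128,  # TLS_RSA_WITH_RC4_128_SHA
    0x002F: 128,  # TLS_RSA_WITH_AES_128_CBC_SHA
}
MIN_BITS = 128  # threshold stated in the bulletin


def classify_reply(record: bytes):
    """Interpret the first record a server returns to a ClientHello.

    Returns ("rejected", alert_code) for an alert record, otherwise
    ("weak" | "ok" | "unknown", suite_id) for a ServerHello.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < 2:
        raise ValueError("truncated record body")
    if ctype == 0x15:                       # alert: level, description
        return ("rejected", body[1])
    if ctype != 0x16 or body[0] != 0x02:    # handshake / server_hello
        raise ValueError("not a ServerHello or alert")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # Layout: server_version(2) random(32) sid_len(1) sid cipher_suite(2)
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 2:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]
    suite = int.from_bytes(hello[off:off + 2], "big")
    if suite not in SUITE_BITS:
        return ("unknown", suite)
    return ("weak" if SUITE_BITS[suite] < MIN_BITS else "ok", suite)


def build_server_hello(suite: int) -> bytes:
    """Constructed SSL 3.0 ServerHello: zero random, empty session id."""
    hello = b"\x03\x00" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0300, len(hs)) + hs


# Constructed fatal alert, description 40 (handshake_failure).
ALERT_HANDSHAKE_FAILURE = bytes.fromhex("15030000020228")
```

A "weak" result for a probe that offered only 40-bit or 56-bit suites corresponds to the behaviour described in this bulletin; a "rejected" result is what a server restricted to 128-bit or stronger suites returns.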
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/JUNOS-weak-SSL-algorithms-of-J-Web-10272