===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2228                               
  2024-04 Security Bulletin: Junos OS and Junos OS Evolved: Multiple cURL  
                         vulnerabilities resolved.                         
                               11 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS                                                
                   Junos OS Evolved                                        
Publisher:         Juniper Networks                                        
Operating System:  Juniper                                                 
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2020-8286 CVE-2020-8285 CVE-2020-8284               
                   CVE-2018-1000122 CVE-2018-1000120 CVE-2023-23915        
                   CVE-2023-23914 CVE-2023-38546 CVE-2023-38545            

Original Bulletin:
   https://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved

Comment: CVSS (Max):  9.8 CVE-2023-38545 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks                                     
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA79108

Product Affected: These issues affect all versions of Junos OS before
23.4R1-S1, 23.4R2. These issues affect all versions of Junos OS Evolved before
21.4R3-S4-EVO, 22.1-EVO, 22.3-EVO, 22.4-EVO.

Severity Level:   Critical

CVSS Score:       9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem:

Multiple vulnerabilities have been resolved in Juniper Networks Junos OS and
Junos OS Evolved by updating cURL libraries.

These issues affect:

Junos OS:

  o All versions before 23.4R1-S1, 23.4R2

Junos OS Evolved:

  o All versions before 21.4R3-S4-EVO,
  o From 22.1-EVO before 22.1R3-S4-EVO,
  o From 22.3-EVO before 22.3R3-S1-EVO,
  o From 22.4-EVO before 22.4R2-S1-EVO.

Important security issues resolved include:

CVE-2023-38545  CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy
    handshake. When curl is asked to pass along the host name to the SOCKS5
    proxy to allow that to resolve the address instead of it getting done by
    curl itself, the maximum length that host name can be is 255 bytes. If
    the host name is detected to be longer, curl switches to local name
    resolving and instead passes on the resolved address only. Due to this
    bug, the local variable that means "let the host resolve the name" could
    get the wrong value during a slow SOCKS5 handshake, and contrary to the
    intention, copy the too long host name to the target buffer instead of
    copying just the resolved address there. The target buffer is a heap
    based buffer, and the host name comes from the URL that curl has been
    told to operate with.

CVE-2023-38546  CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

    This flaw allows an attacker to insert cookies at will into a running
    program using libcurl, if the specific series of conditions are met.
    libcurl performs transfers. In its API, an application creates "easy
    handles" that are the individual handles for single transfers. libcurl
    provides a function call that duplicates an easy handle called
    curl_easy_duphandle (https://curl.se/libcurl/c/curl_easy_duphandle.html).
    If a transfer has cookies enabled when the handle is duplicated, the
    cookie-enable state is also cloned - but without cloning the actual
    cookies. If the source handle did not read any cookies from a specific
    file on disk, the cloned version of the handle would instead store the
    file name as `none` (using the four ASCII letters, no quotes). Subsequent
    use of the cloned handle that does not explicitly set a source to load
    cookies from would then inadvertently load cookies from a file named
    `none` - if such a file exists and is readable in the current directory
    of the program using libcurl. And if using the correct file format of
    course.

CVE-2023-23914  CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

    A cleartext transmission of sensitive information vulnerability exists in
    curl <v7.88.0 that could cause HSTS functionality to fail when multiple
    URLs are requested serially. Using its HSTS support, curl can be
    instructed to use HTTPS instead of using an insecure clear-text HTTP step
    even when HTTP is provided in the URL. This HSTS mechanism would however
    surprisingly be ignored by subsequent transfers when done on the same
    command line because the state would not be properly carried on.

CVE-2023-23915  CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

    A cleartext transmission of sensitive information vulnerability exists in
    curl <v7.88.0 that could cause HSTS functionality to behave incorrectly
    when multiple URLs are requested in parallel. Using its HSTS support,
    curl can be instructed to use HTTPS instead of using an insecure
    clear-text HTTP step even when HTTP is provided in the URL. This HSTS
    mechanism would however surprisingly fail when multiple transfers are
    done in parallel as the HSTS cache file gets overwritten by the most
    recently completed transfer. A later HTTP-only transfer to the earlier
    host name would then *not* get upgraded properly to HSTS.

CVE-2020-8284   CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

    A malicious server can use the FTP PASV response to trick curl 7.73.0 and
    earlier into connecting back to a given IP address and port, and this way
    potentially make curl extract information about services that are
    otherwise private and not disclosed, for example doing port scanning and
    service banner extractions.

CVE-2020-8285   CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

    curl 7.21.0 to and including 7.73.0 is vulnerable to uncontrolled
    recursion due to a stack overflow issue in FTP wildcard match parsing.

CVE-2020-8286   CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

    curl 7.41.0 through 7.73.0 is vulnerable to an improper check for
    certificate revocation due to insufficient verification of the OCSP
    response.

CVE-2018-1000120  CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

    A buffer overflow exists in curl 7.12.3 to and including curl 7.58.0 in
    the FTP URL handling that allows an attacker to cause a denial of service
    or worse.

CVE-2018-1000122  CVSS 9.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

    A buffer over-read exists in curl 7.20.0 to and including curl 7.58.0 in
    the RTSP+RTP handling code that allows an attacker to cause a denial of
    service or information leakage.

Solution:

The following software releases have been updated to resolve these specific
issues:

Junos OS: 23.4R1-S1, 23.4R2, 24.1R1, and subsequent releases.
Note for Junos OS: For CVE-2018-1000120 and CVE-2018-1000122 see JSA10874.
These CVEs are already resolved in earlier releases of Junos OS; they are
included in this advisory for Junos OS Evolved only.

Junos OS Evolved: 21.4R3-S4-EVO, 22.1R3-S4-EVO, 22.3R3-S1-EVO, 22.4R2-S1-EVO,
23.2R1-EVO, and subsequent releases.
Note for Junos OS Evolved: Junos OS Evolved is not vulnerable to
CVE-2023-38545 and CVE-2023-38546.

These issues are being tracked as 1769149, 1723054, 1562153 and 1347361, which
are visible on the Customer Support website.
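As an added example (not part of the Juniper advisory or the AusCERT bulletin), a small Python checker that encodes the affected-version ranges and the per-platform notes above, so a device inventory can be screened for releases still inside the affected windows. The version grammar, the function names and the sample inputs are assumptions; only the release numbers and the CVE applicability come from the advisory.

```python
import re
from typing import NamedTuple

class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # R number; 0 for a bare train such as "22.1-EVO"
    service: int   # S number; 0 when no service release is given
    evolved: bool  # True for Junos OS Evolved ("-EVO" suffix)

# Assumed grammar covering the forms in JSA79108: 23.4R1-S1, 23.4R2, 22.1-EVO, 21.4R3-S4-EVO
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:R(\d+))?(?:-S(\d+))?(-EVO)?$")

def parse_version(text: str) -> JunosVersion:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, rel, svc, evo = m.groups()
    return JunosVersion(int(major), int(minor), int(rel or 0), int(svc or 0), evo is not None)

# Affected ranges from the advisory: (inclusive lower bound or None, exclusive upper bound)
AFFECTED = {
    False: [(None, "23.4R1-S1")],                 # Junos OS: all versions before 23.4R1-S1
    True: [(None, "21.4R3-S4-EVO"),               # Junos OS Evolved
           ("22.1-EVO", "22.1R3-S4-EVO"),
           ("22.3-EVO", "22.3R3-S1-EVO"),
           ("22.4-EVO", "22.4R2-S1-EVO")],
}
# CVEs the Solution notes say do not apply to a platform
NOT_APPLICABLE = {
    False: {"CVE-2018-1000120", "CVE-2018-1000122"},  # already fixed in Junos OS (JSA10874)
    True: {"CVE-2023-38545", "CVE-2023-38546"},       # Junos OS Evolved is not vulnerable
}
ALL_CVES = {"CVE-2020-8284", "CVE-2020-8285", "CVE-2020-8286", "CVE-2018-1000120",
            "CVE-2018-1000122", "CVE-2023-23914", "CVE-2023-23915", "CVE-2023-38545",
            "CVE-2023-38546"}

def is_affected(text: str) -> bool:
    """True if the release falls inside one of the affected ranges above."""
    v = parse_version(text)
    for low, high in AFFECTED[v.evolved]:   # bounds carry the same platform flag as v
        if low is not None and v < parse_version(low):
            continue                        # older than this range's train
        if v < parse_version(high):
            return True                     # inside the range: not yet fixed
    return False

def applicable_cves(text: str) -> set:
    if not is_affected(text):
        return set()                        # fixed release: nothing from this advisory applies
    return ALL_CVES - NOT_APPLICABLE[parse_version(text).evolved]
```

Releases outside the listed Evolved trains (for example a constructed 22.2R2-EVO) are reported as not affected, matching the advisory's range list.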

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for these issues.

Modification History:

  o 2024-04-10 - Initial Publication

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

Last Updated: 2024-04-10
Created:      2024-04-10

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================