ESB-2017.1737 - [Juniper] Junos: Multiple vulnerabilities 2017-07-13


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1737
                   2017-07 Security Bulletin: Junos OS:
                               13 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10605 CVE-2017-10604 CVE-2017-10603
                   CVE-2017-10602 CVE-2017-6738 CVE-2017-6737
                   CVE-2017-6736 CVE-2017-2345 CVE-2017-2344
                   CVE-2017-2341 CVE-2017-2314 CVE-2014-9425
                   CVE-2013-6420 CVE-2013-4113 CVE-2012-3365

Reference:         ASB-2012.0105
                   ESB-2017.1644
                   ESB-2015.1818
                   ESB-2014.1429
                   ESB-2013.1784
                   ESB-2013.0972

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10804
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10805
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10803
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792

Comment: This bulletin contains nine (9) Juniper Networks security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch 
failures occur if the root user account is locked out (CVE-2017-10604)

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX
series.

PROBLEM:

When the device is configured to perform account lockout with a defined period
of time, any unauthenticated user attempting to log in as root with an 
incorrect password can trigger a lockout of the root account. When an SRX 
Series device is in cluster mode, and a cluster sync or failover operation 
occurs, then there will be errors associated with synch or failover while the
root account is locked out.

Administrators can confirm whether the root account is locked out with the
following command:

root@device> show system login lockout user root

User    Lockout start              Lockout end
root    1995-01-01 01:00:01 PDT    1995-11-01 01:31:01 PDT

This issue only affects devices configured to perform account lockout with a 
defined period of time; e.g.:

set system services ssh root-login deny
set system login retry-options tries-before-disconnect 5
set system login retry-options minimum-time 30
set system login retry-options lockout-period 30

The root lockout feature is working as expected. It is only a problem when an
SRX Series device is in a cluster configuration mode.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10604.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 12.1X46-D65, 12.3X48-D45, 15.1X49-D75, and all subsequent releases.

NOTE: Future SRX-Series releases above 15.1X49 Top of Tree from Junos OS 
17.2R1 onward have been proactively resolved.

This issue is being tracked as PR 1222250 and is visible on the Customer 
Support website.
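
The exposure conditions described above (an affected SRX release, a configured
lockout-period, and cluster mode) can be checked against a configuration
export in "set" format. The following Python is an added example, not code from
Juniper or AusCERT; the function names, the sample configuration and the sample
running version are constructed, and treating "set chassis cluster" statements
as the sign of a clustered device is an assumption.

```python
import re

# Fixed D-releases per affected train, from the SOLUTION section above
# (12.1X46-D65, 12.3X48-D45, 15.1X49-D75).
FIXED_D = {"12.1X46": 65, "12.3X48": 45, "15.1X49": 75}

# Matches SRX "X-train" versions such as 12.3X48-D40 or 15.1X49-D75.5.
VERSION_RE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")

# One data row of "show system login lockout": user, lockout start, lockout end.
TS = r"\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+\S+"
LOCKOUT_ROW_RE = re.compile(rf"^(\S+)\s+({TS})\s+({TS})\s*$")

LOCKOUT_STMT_RE = re.compile(
    r"^set system login retry-options lockout-period (\d+)\s*$")


def version_status(version):
    """Classify a version as 'vulnerable', 'fixed' or 'not-listed'."""
    m = VERSION_RE.match(version.strip().upper())
    if not m or m.group(1) not in FIXED_D:
        # Train is not one the advisory lists as affected.
        return "not-listed"
    return "fixed" if int(m.group(2)) >= FIXED_D[m.group(1)] else "vulnerable"


def lockout_period(config):
    """Return the configured lockout-period value, or None if it is unset."""
    for line in config.splitlines():
        m = LOCKOUT_STMT_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def in_cluster(config):
    """Assumption: chassis-cluster statements indicate a clustered SRX."""
    return any(line.strip().startswith("set chassis cluster ")
               for line in config.splitlines())


def assess(version, config):
    """Combine the three conditions the advisory names for CVE-2017-10604."""
    status = version_status(version)
    period = lockout_period(config)
    cluster = in_cluster(config)
    return {
        "version_status": status,
        "lockout_period": period,
        "cluster": cluster,
        "exposed": status == "vulnerable" and period is not None and cluster,
    }


def parse_lockout(output):
    """Parse 'show system login lockout' output into {user: (start, end)}."""
    rows = {}
    for line in output.splitlines():
        m = LOCKOUT_ROW_RE.match(line.strip())
        if m:  # the header row has no timestamps and is skipped
            start = " ".join(m.group(2).split())
            end = " ".join(m.group(3).split())
            rows[m.group(1)] = (start, end)
    return rows


# Constructed sample: the advisory's example statements plus one
# chassis-cluster statement added for illustration.
SAMPLE_CONFIG = """\
set system services ssh root-login deny
set system login retry-options tries-before-disconnect 5
set system login retry-options minimum-time 30
set system login retry-options lockout-period 30
set chassis cluster reth-count 2
"""

# Command output as shown in the advisory.
SAMPLE_LOCKOUT = """\
User    Lockout start              Lockout end
root    1995-01-01 01:00:01 PDT    1995-11-01 01:31:01 PDT
"""

if __name__ == "__main__":
    print(assess("12.3X48-D40", SAMPLE_CONFIG))  # constructed running version
    print(parse_lockout(SAMPLE_LOCKOUT))
```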

WORKAROUND:

The lockout feature does not impact console access for the root account. 
Administrators may log in via the console and block the offending incoming 
traffic (the SSH connection attempts that are causing the root account to be 
locked out) so that cluster sync services stop erroring or failing.

Administrators may block the offending SSH traffic from an upstream device.

Use access lists or firewall filters to limit access to the device only from 
trusted administrative hosts, networks and users.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos OS: J-Web: Multiple Vulnerabilities in PHP 
software

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46, 12.1X47, 12.3, 12.3X48, 14.2, 15.1, 
15.1X49.

PROBLEM:

PHP software included with Junos OS J-Web is updated to resolve the following
issues:

CVE-2013-6420
  CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Summary: The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP 
  does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 
  certificates, which allows remote attackers to execute arbitrary code or 
  cause a denial of service (memory corruption) via a crafted certificate that
  is not properly handled by the openssl_x509_parse function.

CVE-2014-9425
  CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Summary: Double free vulnerability in the zend_ts_hash_graceful_destroy 
  function in zend_ts_hash.c in the Zend Engine in PHP allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via 
  unknown vectors.

CVE-2013-4113
  CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Summary: ext/xml/xml.c in PHP does not properly consider parsing depth, 
  which allows remote attackers to cause a denial of service (heap memory 
  corruption) or possibly have unspecified other impact via a crafted document
  that is processed by the xml_parse_into_struct function.

CVE-2012-3365
  CVSS v2 base score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
  Summary: The SQLite functionality in PHP allows remote attackers to bypass 
  the open_basedir protection mechanism via unspecified vectors.

Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65;
12.1X47 prior to 12.1X47-D40, 12.1X47-D45; 12.3 prior to 12.3R12-S5; 12.3X48 
prior to 12.3X48-D35; 14.2 prior to 14.2R8; 15.1 prior to 15.1R4; 15.1X49 
prior to 15.1X49-D50.

These issues affect devices with J-Web enabled.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 12.1X46-D65, 12.1X47-D40, 12.1X47-D45, 12.3R12-S5, 12.3X48-D35, 14.2R8,
15.1R4, 15.1X49-D50, 16.1R1, 16.1R1, 16.1R2, and all subsequent releases.

This issue is being tracked as PR 1157572 and is visible on the Customer 
Support website.

WORKAROUND:

Methods which may reduce, but not eliminate, the risk of exploitation of this
problem, and which do not mitigate or resolve the underlying problem, 
include:

o Using access lists or firewall filters to limit access to the device only 
from trusted hosts.

o Disabling J-Web.

o Limiting access to J-Web to only trusted networks.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos OS: Local XML Injection through CLI command 
can lead to privilege escalation (CVE-2017-10603)

PRODUCT AFFECTED:

This issue affects Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47; 
15.1 prior to 15.1R3.

PROBLEM:

An XML injection vulnerability in Junos OS CLI can allow a locally 
authenticated user to elevate privileges and run arbitrary commands as the 
root user.

This issue was found during internal product security testing.

Affected releases are Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47,
15.1 prior to 15.1R3.

Junos versions prior to 15.1 are not affected. No other Juniper Networks 
products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10603.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 15.1X53-D47, 15.1R3, and all subsequent releases.

This issue is being tracked as PR 1091037 and is visible on the Customer 
Support website.

WORKAROUND:

There is no direct workaround to completely eliminate the risk of this 
vulnerability.

Use access lists or firewall filters to limit access to the router's CLI only
from trusted hosts. Restrict access to the CLI to only highly trusted 
administrators.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos OS: buffer overflow vulnerability in Junos 
CLI (CVE-2017-10602)

PRODUCT AFFECTED:

This issue affects Junos OS 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.

PROBLEM:

A buffer overflow vulnerability in Junos OS CLI may allow a local 
authenticated user with read-only privileges and access to the Junos CLI to 
execute code with root privileges.

Affected releases are Juniper Networks Junos OS 14.1X53; 14.2 prior to 14.2R6;
15.1 prior to 15.1F5, 15.1F6, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 
prior to 15.1X53-D47, 15.1X53-D70.

This issue does not affect Junos 14.1 or prior releases.

No other Juniper Networks products or platforms are affected by this issue.

This issue was found during internal product security testing. Juniper SIRT is
not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10602.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 14.2R6, 15.1F5, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D47, 15.1X53-D70,
16.1R1, and all subsequent releases.

This issue is being tracked as PR 1149652 and is visible on the Customer 
Support website.

WORKAROUND:

Use access lists or firewall filters to limit access to the router's CLI only
from trusted hosts. Restrict access to the CLI to only highly trusted 
administrators.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms
with Junos OS running in a virtualized environment. (CVE-2017-2341)

PRODUCT AFFECTED:

This issue affects Junos OS 14.1X53, 15.1, 15.1X49, 16.1. Affected platforms:
QFX5110, QFX5200, QFX10002, QFX10008, QFX10016, EX4600 and NFX250, EX4600, 
vSRX, SRX1500, SRX4100, SRX4200, ACX5000 series.

PROBLEM:

An insufficient authentication vulnerability on platforms where Junos OS 
instances are run in a virtualized environment may allow unprivileged users 
on the Junos OS instance to gain access to the host operating environment, and
thus escalate privileges.

This issue only affects products or platforms where Junos OS instances are run
in a virtualized environment, namely vSRX, SRX1500, SRX4100, SRX4200, QFX5110,
QFX5200, QFX10002, QFX10008, QFX10016, ACX5000, EX4600 and NFX250 devices.

This issue does not affect Junos OS where FIPS mode is enabled.

This issue does not affect vMX.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2017-2341.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 14.1X53-D40, 15.1R5, 15.1X49-D70, 16.1R2 and all subsequent 
releases.

This issue is being tracked as PR 1161762 and is visible on the Customer 
Support website.

WORKAROUND:

Running Junos OS in FIPS mode eliminates this vulnerability.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial release.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message
(CVE-2017-2314)

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS with BGP 
enabled.

PROBLEM:

Receipt of a malformed BGP OPEN message may cause the routing protocol daemon
(rpd) process to crash and restart. By continuously sending specially crafted
BGP OPEN message packets, an attacker can repetitively crash the rpd process 
causing prolonged denial of service.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability;
however, this issue has been seen in a production network due to the BGP 
implementation in a different vendor's device.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2017-2314.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos 12.3R12-S4, 12.3R13, 12.3R3-S4, 12.3X48-D50, 13.3R10, 13.3R4-S11,
14.1R8-S3, 14.1R9, 14.1X53-D40, 14.1X55-D35, 14.2R4-S7, 14.2R6-S4, 14.2R7, 
15.1F2-S11, 15.1F4-S1-J1, 15.1F5-S3, 15.1F6, 15.1R4, 15.1X49-D100, 
15.1X53-D33, 15.1X53-D50, 16.1R1, 16.2R1 and all subsequent releases.

This issue is being tracked as PR 1159781 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

While there is no workaround, the risk associated with this issue can be 
mitigated by limiting BGP sessions only from trusted peers.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2017-2314: RPD crash due to malformed BGP OPEN message

CVSS SCORE:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of 
crafted SNMP packet (CVE-2017-2345)

PRODUCT AFFECTED:

This issue affects Juniper Networks Junos OS 10.2 and above on all products 
and platforms.

PROBLEM:

On Junos OS devices with SNMP enabled, a network based attacker with 
unfiltered access to the RE can cause the Junos OS snmpd daemon to crash and 
restart by sending a crafted SNMP packet. Repeated crashes of the snmpd daemon
can result in a partial denial of service condition. Additionally, it may be 
possible to craft a malicious SNMP packet in a way that can result in remote 
code execution.

SNMP is disabled in Junos OS by default. Junos OS devices with SNMP disabled 
are not affected by this issue.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-2345.

NOTE: This is a different issue than Cisco CVE-2017-6736, CVE-2017-6737, and 
CVE-2017-6738.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10,
14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D44, 14.1X53-D50, 14.2R7-S7, 14.2R8,
15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100,
15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70,
16.1R3-S4, 16.1R4-S3, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1, 17.2R2, 
17.3R1, and all subsequent releases.

This issue is being tracked as PR 1282772 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Disable SNMP (disabled by default), utilize edge filtering with source-address
validation (uRPF, etc.), SNMP access lists, and/or SNMPv3 authentication to 
limit access to the device only from trusted hosts.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2017-2345: snmpd denial of service upon receipt of crafted SNMP packet

CVSS SCORE:

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL:

Critical

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability 
in flowd due to crafted DHCP packet (CVE-2017-10605)

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: 
vSRX or SRX Series with DHCP or DHCP relay configured.

PROBLEM:

On all vSRX and SRX Series devices, when DHCP or DHCP relay is configured, a 
specially crafted packet might cause the flowd process to crash, halting or 
interrupting traffic from flowing through the device(s).

Repeated crashes of the flowd process may constitute an extended denial of 
service condition for the device(s).

If the device is configured in high-availability, the RG1+ (data-plane) will 
fail-over to the secondary node.

If the device is configured in stand-alone, there will be temporary traffic 
interruption until the flowd process is restored automatically.

Sustained crafted packets may cause the secondary failover node to fail back,
or fail completely, potentially halting flowd on both nodes of the cluster or
causing flip-flop failovers to occur.

No other Juniper Networks products or platforms are affected by this issue.

This issue only affects devices where DHCP or DHCP relay is configured.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability;
however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10605.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D67, 12.3X48-D55, 15.1X49-D91, 15.1X49-D100 and all 
subsequent releases.

This issue is being tracked as PR 1270493 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

No published workaround exists for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2017-2314: RPD crash due to malformed BGP OPEN message

CVSS SCORE:

8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

----------

2017-07 Security Bulletin: Junos: Buffer overflow in sockets library 
(CVE-2017-2344)

PRODUCT AFFECTED:

This issue affects Juniper Networks Junos OS on all products and platforms.

PROBLEM:

A routine within an internal Junos OS sockets library is vulnerable to a 
buffer overflow. Malicious exploitation of this issue may lead to a denial of
service (kernel panic) or be leveraged as a privilege escalation through local
code execution. The routines are only accessible via programs running on the 
device itself, and veriexec restricts arbitrary programs from running on Junos
OS. There are no known exploit vectors utilizing signed binaries shipped with
Junos OS itself.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-2344.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10,
14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D45, 14.1X53-D50, 14.2R7-S7, 14.2R8,
15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100,
15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70,
16.1R3-S4, 16.1R4-S3, 16.1R4-S4, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1,
17.2R2, 17.3R1, and all subsequent releases.

This issue is being tracked as PR 1282562 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Limit access to the Junos CLI only from trusted hosts and administrators.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-07-12: Initial Publication

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2017-2344: Junos buffer overflow in sockets library

CVSS SCORE:

7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
