ESB-2017.2575 - [Juniper] Juniper Multiple Products: Root compromise - Existing account 2017-10-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2575
  2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel
                Local Privilege Escalation (CVE-2016-5195)
                              12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Multiple Products
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5195  

Reference:         ASB-2016.0103
                   ESB-2017.1513
                   ESB-2017.1232
                   ESB-2017.0970

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10807

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local 
Privilege Escalation (CVE-2016-5195)

PRODUCT AFFECTED:

This issue affects Junos OS 14.1R, 14.1X53, 14.2R, 15.1R, 15.1F, 15.1F, 
15.1X49, 15.1X53, 16.1R. Affected platforms: vRR, vMX, SRX, EX, QFX, PTX, T. 
This issue affects Network and Security Manager 2012.2. This issue affects 
CTPView 7.1R, 7.2R1, 7.3R. This issue affected Sky Advanced Threat Prevention.

PROBLEM:

A race condition in Linux allows local users to gain privileges by leveraging
incorrect handling of a copy-on-write (COW) feature to write to a read-only 
memory mapping. This issue is also known as "Dirty COW."

Note for Junos OS in a virtualized environment:

Junos OS as Host OS with virtualized Junos Guest OS's; and Junos OS 
non-virtualized; or Junos OS as the Host OS is not vulnerable to this issue.

Customers using Junos OS as a Guest OS in a virtualized Linux-based 
environment such as VMWare, Wind River Linux, CentOS, Red Hat Enterprise 
Linux, etc. as the Host OS are advised that exploitation is not possible by 
default as there is no valid attack vector to exploit the vulnerability that 
Juniper ships with its products. The underlying Linux kernel in the Host OS 
may have the vulnerability present in the software packages Juniper provides.
Vulnerability scanners may alert that the vulnerability is present if these 
virtualization packages are used. Should customers make changes to these Host
OS Linux packages, customers may inadvertently expose this vulnerability to 
potential exploitation by an attacker. If customers require a fully-fixed 
version of Junos OS as Guest OS running on top of a Linux-Based Host OS, then
customers should move to a fixed version as listed in the Junos OS Solutions 
section of the advisory. If Juniper does not provide the underlying package, 
customers should consult their manufacturer for guidance.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability
on Juniper devices. However, public exploits are available for this 
vulnerability.

This issue has been assigned CVE-2016-5195.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:

Junos OS:

14.1X53-D46, 15.1X49-D80, 15.1X53-D49, 15.1X53-D61, 15.1X53-D470, 16.1R3-S6, 
and all subsequent releases. Any products using VMWare ESXi images should 
refer to VMWare's VMSA VMSA-2016-0018 advisory for guidance.

NSM:

2012.2R12 CentOS 6.5 Upgrade Package v3, and all subsequent releases.

CTP View:

7.1R4, and 7.3R2 and subsequent releases.

Sky ATP:

CVE-2016-5195 was fixed on Nov 17th 2016 for the Sky ATP cloud hosted service.

This issue is being tracked as PR 1227266 for Junos OS, 1226969 for CTPView, 
1227267 for Sky ATP and 1227270 for NSM and are visible on the Customer 
Support website.

WORKAROUND:

There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. Use access lists or firewall 
filters to limit access to the device from trusted, administrative networks or
hosts.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

NSM Maintenance Releases are available at http://support.juniper.net from the
"Download Software" links. If a Maintenance Release is not adequate and access
to NSM patches is needed, open a customer support case. A JTAC engineer will 
review your request and respond, ensuring that you will be provided with the 
most appropriate Patch Release for your specific situation.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2016-5195 at cve.mitre.org

https://dirtycow.ninja/

https://www.vmware.com/security/advisories/VMSA-2016-0018.html

https://access.redhat.com/security/vulnerabilities/DirtyCow

https://access.redhat.com/security/cve/cve-2016-5195

Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation 
(CVE-2016-5195)

CVSS SCORE:

7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWd7+0ox+lLeg9Ub1AQgi0w//TPJjag1cZAZ8IEBovIOohvhO39dizTwn
swKS1d1vplUVZO+wpo2FUyOMZYJl5H1JxnSFqWmkZBnBWfJFb5YFnGb4Hs3EmWqG
244gqrBojj/smm7Nro2Gxvp3H+/kZ2P2dPX0MoKGgO0uBiPZAmcUiSbFU/KJjWuP
OoF+MGKSYDK7LyBY/jzcdLVUTmiV8dua6rZim78ZHltjCmyeaC+WLXMG5jq2nDQN
PhyhFV5p35a98Avpum8/rinHYyzw5Au2hE3uGLumQnR2QyeUcXdgQH+fKFNofWUl
KG+S0a98CJJFpJiEJa1B7BsTZabA1YfIyNM3BbD5M1WXPTyM+GOOufwMh0cxjgx/
fpCWzMEA4MynIGcOoBFzW3RATLxwFv+NwVQt1VONmx4H3T0acNp3B9BPJ5htwDtQ
MOfG06A1MdMAGOiYWfMj72ujYed4lQVtV64D70LRzT+tIGBmWmiMIYFSAtr2F4If
bHxvfRws2Co76fVnbA8ESEgHS1IDjrYkqBQ3HxOq0yqSBtrKdq/qZvKXhh67++V6
fyYeVxc4DwkeyLbi8XwTm178HPWBFTdiF+/zbncH+BnnATbI8cd9SDnoqODaWgT1
ow+VcV1pfc8us+/IrUcGDrL0g0X4ghiTBkRTuph3uSXIpz8D1bp/whxftodSAQhH
0fNF5BUgozw=
=U/0q
-----END PGP SIGNATURE-----

« Back to bulletins