ESB-2017.2575 - [Juniper] Juniper Multiple Products: Root compromise - Existing account 2017-10-12

Printable version
PGP/GPG verifiable version

Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

  2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel
                Local Privilege Escalation (CVE-2016-5195)
                              12 October 2017


        AusCERT Security Bulletin Summary

Product:           Juniper Multiple Products
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5195  

Reference:         ASB-2016.0103

Original Bulletin:

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local 
Privilege Escalation (CVE-2016-5195)


This issue affects Junos OS 14.1R, 14.1X53, 14.2R, 15.1R, 15.1F, 15.1F, 
15.1X49, 15.1X53, 16.1R. Affected platforms: vRR, vMX, SRX, EX, QFX, PTX, T. 
This issue affects Network and Security Manager 2012.2. This issue affects 
CTPView 7.1R, 7.2R1, 7.3R. This issue affected Sky Advanced Threat Prevention.


A race condition in Linux allows local users to gain privileges by leveraging
incorrect handling of a copy-on-write (COW) feature to write to a read-only 
memory mapping. This issue is also known as "Dirty COW."

Note for Junos OS in a virtualized environment:

Junos OS as Host OS with virtualized Junos Guest OS's; and Junos OS 
non-virtualized; or Junos OS as the Host OS is not vulnerable to this issue.

Customers using Junos OS as a Guest OS in a virtualized Linux-based 
environment such as VMWare, Wind River Linux, CentOS, Red Hat Enterprise 
Linux, etc. as the Host OS are advised that exploitation is not possible by 
default as there is no valid attack vector to exploit the vulnerability that 
Juniper ships with its products. The underlying Linux kernel in the Host OS 
may have the vulnerability present in the software packages Juniper provides.
Vulnerability scanners may alert that the vulnerability is present if these 
virtualization packages are used. Should customers make changes to these Host
OS Linux packages, customers may inadvertently expose this vulnerability to 
potential exploitation by an attacker. If customers require a fully-fixed 
version of Junos OS as Guest OS running on top of a Linux-Based Host OS, then
customers should move to a fixed version as listed in the Junos OS Solutions 
section of the advisory. If Juniper does not provide the underlying package, 
customers should consult their manufacturer for guidance.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability
on Juniper devices. However, public exploits are available for this 

This issue has been assigned CVE-2016-5195.


The following software releases have been updated to resolve this specific 

Junos OS:

14.1X53-D46, 15.1X49-D80, 15.1X53-D49, 15.1X53-D61, 15.1X53-D470, 16.1R3-S6, 
and all subsequent releases. Any products using VMWare ESXi images should 
refer to VMWare's VMSA VMSA-2016-0018 advisory for guidance.


2012.2R12 CentOS 6.5 Upgrade Package v3, and all subsequent releases.

CTP View:

7.1R4, and 7.3R2 and subsequent releases.

Sky ATP:

CVE-2016-5195 was fixed on Nov 17th 2016 for the Sky ATP cloud hosted service.

This issue is being tracked as PR 1227266 for Junos OS, 1226969 for CTPView, 
1227267 for Sky ATP and 1227270 for NSM and are visible on the Customer 
Support website.


There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. Use access lists or firewall 
filters to limit access to the device from trusted, administrative networks or


Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

NSM Maintenance Releases are available at from the
"Download Software" links. If a Maintenance Release is not adequate and access
to NSM patches is needed, open a customer support case. A JTAC engineer will 
review your request and respond, ensuring that you will be provided with the 
most appropriate Patch Release for your specific situation.


2017-10-11: Initial Publication.


KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2016-5195 at

Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation 


7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)




KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.


« Back to bulletins