ESB-2017.2577 - [Juniper] Juniper SRX Series: Multiple vulnerabilities 2017-10-12

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2577
                   2017-10 Security Bulletin: SRX Series
                              12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper SRX Series
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data -- Existing Account      
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10610 CVE-2017-10608 CVE-2017-10606

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10811
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10813

Comment: This bulletin contains three (3) Juniper Networks security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series
TPM Firmware (CVE-2017-10606)

PRODUCT AFFECTED:

This issue affects SRX300 Series devices running Juniper Networks Junos OS
15.1X49 with TPM firmware prior to version 4.43.

PROBLEM:

Version 4.40 of the TPM (Trusted Platform Module) firmware has a weakness in 
generating cryptographic keys that may allow an attacker to decrypt sensitive
information in SRX300 Series products. The TPM is used in the SRX300 Series to
encrypt sensitive configuration data. While other products also ship with a 
TPM, no other products or platforms are affected by this vulnerability.

Customers can confirm the version of TPM firmware via the 'show security tpm 
status' command:

user@junos> show security tpm status
TPM Status:
  Enabled: yes
  Owned: no
  Master Binding Key: not-created
  Master Encryption Key: not-configured
        TPM Family: 1.2
        TPM Firmware revision: 4.40
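A small checker for the status output above, added here as an example (it is not Juniper's code): it parses the "name: value" lines, compares the TPM Firmware revision against 4.43 as integer tuples rather than as strings or floats, and reports whether master keys were in use while the affected firmware was installed. Both sample outputs are constructed: the first copies the 4.40 output quoted in the advisory; the second assumes post-update values ("created", "configured", revision 4.43) that the advisory does not show.

```python
"""Assess CVE-2017-10606 exposure from 'show security tpm status' output.

Added example, not Juniper's code. The parser relies only on the 'Name: value'
layout shown in the advisory; FIXED_TPM_FIRMWARE comes from its SOLUTION section.
"""
import re
from typing import Dict, Tuple

FIXED_TPM_FIRMWARE = "4.43"   # first TPM firmware revision that resolves CVE-2017-10606

# Constructed sample: the output quoted in the advisory (an affected SRX300).
SAMPLE_AFFECTED = """\
user@junos> show security tpm status
TPM Status:
  Enabled: yes
  Owned: no
  Master Binding Key: not-created
  Master Encryption Key: not-configured
        TPM Family: 1.2
        TPM Firmware revision: 4.40
"""

# Constructed sample: assumed values after the jtpm update and reboot, with
# master keys in use. These values are not taken from the advisory.
SAMPLE_UPDATED = """\
TPM Status:
  Enabled: yes
  Owned: yes
  Master Binding Key: created
  Master Encryption Key: configured
        TPM Family: 1.2
        TPM Firmware revision: 4.43
"""


def parse_tpm_status(text: str) -> Dict[str, str]:
    """Turn the 'Name: value' lines of the CLI output into a dict.

    The echoed command line (no colon) and the bare 'TPM Status:' header
    (empty value) are skipped; indentation depth is irrelevant.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or not value.strip():
            continue
        fields[key.strip()] = value.strip()
    return fields


def firmware_tuple(revision: str) -> Tuple[int, ...]:
    """Compare revisions as integer tuples so that, e.g., 4.100 sorts above 4.43."""
    if not re.fullmatch(r"\d+(\.\d+)*", revision):
        raise ValueError(f"unexpected TPM firmware revision format: {revision!r}")
    return tuple(int(part) for part in revision.split("."))


def assess_tpm(text: str) -> Dict[str, object]:
    """Report firmware revision, whether it is below the fixed revision, and key state."""
    fields = parse_tpm_status(text)
    revision = fields.get("TPM Firmware revision")
    if revision is None:
        raise ValueError("no 'TPM Firmware revision' field; is this an SRX300 "
                         "Series device on a release with TPM support?")
    vulnerable = firmware_tuple(revision) < firmware_tuple(FIXED_TPM_FIRMWARE)
    # Keys generated while the weak firmware was installed are the material at
    # risk. The advisory does not say whether they must be regenerated after the
    # update, so this only surfaces the fact for the operator to raise with JTAC.
    keys_in_use = (fields.get("Master Binding Key", "not-created") != "not-created"
                   or fields.get("Master Encryption Key", "not-configured") != "not-configured")
    return {
        "firmware": revision,
        "tpm_enabled": fields.get("Enabled") == "yes",
        "vulnerable": vulnerable,
        "keys_in_use": keys_in_use,
        "action": ("update TPM firmware via the jtpm package, reboot, re-check"
                   if vulnerable else "none: firmware at or above 4.43"),
    }


if __name__ == "__main__":
    for name, sample in (("affected", SAMPLE_AFFECTED), ("updated", SAMPLE_UPDATED)):
        print(name, assess_tpm(sample))
```

Run it against the real output by piping `show security tpm status` text into `assess_tpm`; a result with `vulnerable` set and `keys_in_use` set is the case worth prioritising, since the sensitive configuration data on that device was encrypted under keys the weak firmware produced.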

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10606.

SOLUTION:

TPM firmware version 4.43 resolves this specific issue. Updating TPM firmware
requires one of the following software releases: Junos OS 15.1X49-D111*, 
17.4R1, or any subsequent release.

Note: Junos OS 17.3 is unaffected by this issue since TPM functionality is not
supported in this release.

The TPM firmware is then updated via a special "jtpm" package available for 
download along with the updated Junos OS package. After upgrading to a fixed 
release above, execute the following command to update the TPM firmware:

user@junos> request system software add jtpm-15.1X49-D111-signed.tgz

When the TPM firmware is updated, the log message "TPM firmware updated 
successfully." will appear on the screen. After updating the TPM firmware, 
reboot the system using the request system reboot command.

Once system reboots, verify TPM status using the show security tpm status 
command. The TPM Firmware revision should show as 4.43 instead of 4.40.

This issue is being tracked as PR 1293114 and is visible on the Customer 
Support website.

*Due to unforeseen circumstances, Junos OS 15.1X49-D111 will not be available
until October 18, 2017.

WORKAROUND:

Exploiting this weakness requires privileged local access to the device (CVSS
AV:L/PR:H). Until the TPM firmware can be updated, use access lists or
firewall filters to limit CLI access to the device to trusted hosts only, and
limit access to the Junos shell to trusted administrators.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

2017-10-11: Release of 15.1X49-D111 delayed until 2017-10-18. Workaround 
updated.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2017-10606 at cve.mitre.org

CVSS SCORE:

4.4 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

============================================================

2017-10 Security Bulletin: SRX Series: SRX Series using IPv6 Sun/MS-RPC ALGs 
may experience flowd crash on processing packets. (CVE-2017-10608)

PRODUCT AFFECTED:

This issue can affect all SRX Series services gateways.

PROBLEM:

Any SRX Series device with the Sun RPC or MS-RPC ALG enabled may experience a
flowd crash when IPv6 transit traffic is processed by those ALGs. This
vulnerability in the Sun/MS-RPC ALG component of Junos OS allows a remote,
unauthenticated attacker to cause a repeated denial of service against the
target by sending such traffic through the device. In a chassis cluster,
repeated attack traffic can cause repeated failovers between nodes or a
complete failure of the flowd daemon, halting traffic on all nodes.

Only IPv6 traffic is affected by this issue; IPv4 traffic is unaffected. The
issue is not seen with to-host traffic (traffic destined to the device
itself), only with transit traffic.

This issue is unrelated to the HA (chassis cluster) services themselves; only
the ALG service is affected.

Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D55 
on SRX; 12.1X47 prior to 12.1X47-D45 on SRX; 12.3X48 prior to 12.3X48-D32, 
12.3X48-D35 on SRX; 15.1X49 prior to 15.1X49-D60 on SRX.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability,
however the issue has been seen in a production network.

This issue has been assigned CVE-2017-10608.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D55, 12.3X48-D32, 12.3X48-D35, 15.1X49-D60, 17.3R1 and
all subsequent releases.

This issue is being tracked as PR 1189443 and is visible on the Customer 
Support website.

WORKAROUND:

Disable the Sun RPC and MS-RPC ALGs on the SRX Series device (both are
configured under the [edit security alg] hierarchy). Note that this also stops
the device from opening pinholes for legitimate RPC sessions through it.

Alternatively, disable IPv6 on the exposed interfaces. The example below
deactivates a single IPv6 address; to remove IPv6 processing from the
interface entirely, deactivate family inet6 on the unit rather than one
address.

example:

deactivate interfaces xe-0/0/0 unit 0 family inet6 address 2000::254/64

Filtering incoming IPv6, or Sun/MS-RPC traffic, at the device is also an
option. The following example applies an inet6 input filter named TEST to the
interface (first command) and discards traffic to destination port 135, the
MS-RPC endpoint mapper:

example:

set interfaces xe-0/0/0 unit 0 family inet6 filter input TEST

set firewall family inet6 filter TEST term t1 from destination-port 135

set firewall family inet6 filter TEST term t1 then discard

Two caveats before committing this as written. A Junos firewall filter ends
with an implicit discard, so with only term t1 the filter drops all other IPv6
traffic on that interface as well; add a final term that accepts the remaining
traffic if the intent is to block only RPC. Also, port 135 covers MS-RPC only:
the Sun RPC portmapper listens on port 111, and a destination-port match
should be paired with a next-header tcp or udp match so that it is evaluated
only on TCP/UDP packets.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2017-10608: SRX series: SRX Series using IPv6 Sun/MS-RPC ALGs may 
experience flowd crash on processing packets.

CVSS SCORE:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

===============================================================

2017-10 Security Bulletin: SRX Series: Embedded ICMP may cause the flowd 
process to crash (CVE-2017-10610)

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX
Series.

PROBLEM:

On SRX Series devices, a crafted ICMP packet embedded in traffic handled by
NAT64 IPv6-to-IPv4 translation may cause the flowd process to crash. Repeated
crashes of the flowd process constitute an extended denial of service
condition for the SRX Series device. This issue only occurs if NAT64 is
configured.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability,
however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10610.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 12.1X46-D71, 12.3X48-D55, 15.1X49-D100, 17.3R1, and all subsequent 
releases.
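The affected-release lists in this bulletin (12.1X46 prior to D55, 12.1X47 prior to D45, 12.3X48 prior to D32, 15.1X49 prior to D60 for CVE-2017-10608; 12.1X46 prior to D71, 12.3X48 prior to D55, 15.1X49 prior to D100 for CVE-2017-10610; 17.3R1 and later fixed for both) are easy to misread when a fleet runs several trains, because a Junos "X" train advances by D number and a mainline release by R number. The following checker is an added example, not Juniper's code; it encodes those boundaries and classifies a release string as vulnerable, fixed, or not listed. One assumption is marked in the code: for 12.3X48 under CVE-2017-10608 the advisory names D32 and D35 as fixed, and "prior to D32" is taken as the vulnerable range.

```python
"""Check a Junos OS release string against the affected ranges for
CVE-2017-10608 and CVE-2017-10610 stated in this bulletin.

Added example, not Juniper's code. Release arithmetic follows the Junos naming
convention: an 'X' train (12.1X46, 15.1X49, ...) advances by D number and a
mainline release (17.3R1, ...) by R number. A train the advisory does not list
is reported as 'not listed', never as safe or vulnerable.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Advisory:
    trains: Dict[str, int]             # affected X train -> first fixed D number
    mainline: Tuple[int, int, int]     # first fixed mainline release (major, minor, R)


# Fix boundaries as stated in the SOLUTION sections. For 12.3X48 under
# CVE-2017-10608 the advisory names both D32 and D35 as fixed; "prior to D32"
# is taken here as the vulnerable range (assumption).
ADVISORIES: Dict[str, Advisory] = {
    "CVE-2017-10608": Advisory(   # Sun/MS-RPC ALG flowd crash on IPv6 transit traffic
        trains={"12.1X46": 55, "12.1X47": 45, "12.3X48": 32, "15.1X49": 60},
        mainline=(17, 3, 1),
    ),
    "CVE-2017-10610": Advisory(   # NAT64 embedded ICMP flowd crash
        trains={"12.1X46": 71, "12.3X48": 55, "15.1X49": 100},
        mainline=(17, 3, 1),
    ),
}

# Matches 12.1X46-D55, 15.1X49-D100.6, 17.3R1, 17.3R1-S2: major.minor[Xn]-?[DR]num.
# Trailing '.n' / '-Sn' suffixes are ignored; the advisory states its fix
# boundaries in D and R numbers only.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:X(\d+))?-?([DR])(\d+)")


def parse_release(release: str) -> Tuple[str, str, int, int, int]:
    """Return (train, kind, major, minor, build), e.g. ('12.1X46', 'D', 12, 1, 55)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {release!r}")
    major, minor, x, kind, num = m.groups()
    train = f"{major}.{minor}" + (f"X{x}" if x else "")
    return train, kind, int(major), int(minor), int(num)


def status(release: str, cve: str) -> str:
    """'vulnerable', 'fixed' or 'not listed' for one release against one CVE."""
    adv = ADVISORIES[cve]
    train, kind, major, minor, build = parse_release(release)
    if kind == "D" and train in adv.trains:
        return "vulnerable" if build < adv.trains[train] else "fixed"
    if kind == "R" and "X" not in train:
        return "fixed" if (major, minor, build) >= adv.mainline else "not listed"
    return "not listed"


def check_release(release: str) -> Dict[str, str]:
    """Status of one release against every advisory in this bulletin."""
    return {cve: status(release, cve) for cve in ADVISORIES}


if __name__ == "__main__":
    for rel in ("15.1X49-D60", "12.1X47-D40", "12.3X48-D55", "17.3R1"):
        print(rel, check_release(rel))
```

Feed it the release string from `show version`. A result of "not listed" (for example 12.1X47 against CVE-2017-10610, which that advisory does not name) means the bulletin makes no statement about that train, which is different from "fixed"; confirm such cases against the original JSA pages rather than treating them as safe.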

This issue is being tracked as PR 1270680 and is visible on the Customer 
Support website.

WORKAROUND:

No viable workaround exists for this issue.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

Configuring Stateful NAT64

CVE-2017-10610 at cve.mitre.org

CVSS SCORE:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================