ESB-2017.2578 - [Juniper] Juniper Junos: Denial of service - Remote/unauthenticated 2017-10-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2578
                     2017-10 Security Bulletin: Junos:
                              12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10621 CVE-2017-10614 CVE-2017-10613
                   CVE-2017-10611 CVE-2017-10607 

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10810
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10814
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10816
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10817

Comment: This bulletin contains four (4) Juniper Networks security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Junos: rpd core due to receipt of specially crafted
BGP packet (CVE-2017-10607)

PRODUCT AFFECTED:

This issue only affects Juniper Networks Junos OS 16.1 prior to 16.1R2.

PROBLEM:

Junos OS 16.1R1, and services releases based off of 16.1R1, are vulnerable to
the receipt of a crafted BGP Protocol Data Unit (PDU) sent directly to the 
router, which can cause the RPD routing process to crash and restart. Unlike 
BGP UPDATEs, which are transitive in nature, this issue can only be triggered
by a packet sent directly to the IP address of the router. Repeated crashes of
the rpd daemon can result in an extended denial of service condition.

This issue only affects devices running Junos OS 16.1R1 and services releases
based off of 16.1R1 (e.g. 16.1R1-S1, 16.1R1-S2, 16.1R1-S3). No prior versions
of Junos OS are affected by this vulnerability, and this issue was resolved in
Junos OS 16.2 prior to 16.2R1. No other Juniper Networks products or platforms
are affected by this issue.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10607.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 16.1R2, 16.2R1, and all subsequent releases.

This issue is being tracked as PRs 1161558 and 1214828 which are visible on 
the Customer Support website.

WORKAROUND:

There are no known workarounds for this issue.

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. When possible, use access lists
or firewall filters to limit access to the device from trusted, administrative
networks or hosts.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2017-10607 at cve.mitre.org

CVSS SCORE:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

=============================================================

2017-10 Security Bulletin: Junos: EX Series PFE and MX MPC7E/8E/9E PFE crash 
when fetching interface stats with 'extended-statistics' enabled 
(CVE-2017-10611)


PRODUCT AFFECTED:

This issue affects Junos OS on MX Series, EX2200, EX3300, XRE200.

PROBLEM:

If extended statistics are enabled via 'set chassis extended-statistics', when
executing any operation that fetches interface statistics, including but not
limited to SNMP GET requests, the pfem process or the FPC may crash and
restart. Repeated crashes of PFE processing can result in an extended denial
of service condition.

This issue only affects the following platforms:

   EX2200, EX3300, XRE200
   MX Series routers with MPC7E/8E/9E PFEs installed

and only if 'extended-statistics' are enabled under the [edit chassis]
configuration.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability;
however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10611.

SOLUTION:

The following software releases have been updated to resolve this
specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 
14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S3, 15.1R6, 16.1R4-S5, 16.1R5, 
16.1X65-D45, 16.2R2-S1, 16.2R3, 17.1R2-S2, 17.1R3, 17.2R1-S3, 17.2R2, 
17.2X75-D50, 17.3R1-S1, 17.3R2, 17.4R1, and all subsequent releases.

This issue is being tracked as PR 1247026 and is visible on the Customer 
Support website.

WORKAROUND:

Disable chassis extended-statistics.

Use access lists or firewall filters to limit access to the router via SNMP or
CLI only from trusted hosts and administrators.

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next
available Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate 
time-frame. For these cases, Service Releases are made available in order to 
be more timely. Security Advisory and Security Notices will indicate which 
Maintenance and Service Releases contain fixes for the issues described. Upon
request to JTAC, customers will be provided download instructions for a 
Service Release. Although Juniper does not provide formal Release Note 
documentation for a Service Release, a list of "PRs fixed" can be provided on
request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2017-10611 at cve.mitre.org

CVSS SCORE:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

===========================================================================

2017-10 Security Bulletin: Junos OS: A kernel hang may occur due to a specific
loopback filter action command (CVE-2017-10613)

PRODUCT AFFECTED:

Junos OS

PROBLEM:

A vulnerability in a specific loopback filter action command, processed in a 
specific logical order of operation, in a running configuration of Juniper 
Networks Junos OS, allows an attacker with CLI access and the ability to 
initiate remote sessions to the loopback interface with the defined action, to
hang the kernel.

Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D55;
12.3X48 prior to 12.3X48-D35; 14.1 prior to 14.1R8-S4, 14.1R9; 14.1X53 prior 
to 14.1X53-D40; 14.2 prior to 14.2R4-S9, 14.2R7-S8, 14.2R8; 15.1 prior to 
15.1F5-S3, 15.1F6, 15.1R4; 15.1X49 prior to 15.1X49-D60; 15.1X53 prior to 
15.1X53-D47; 16.1 prior to 16.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability;
however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10613.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue: 12.1X46-D55, 12.3X48-D35, 14.1R8-S4, 14.1R9*, 14.1X53-D40*, 14.2R4-S9,
14.2R7-S8, 14.2R8*, 15.1F5-S3, 15.1F6, 15.1R4, 15.1X49-D60, 15.1X53-D47, 
16.1R2, 16.2R1, and all subsequent releases.

This issue is being tracked as PR 1167423 and is visible on the Customer 
Support website.

*Fix Pending Publication

WORKAROUND:

Stop allowing remote sessions to be issued from the local device to reach
loopback address(es).

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. Use access lists or firewall 
filters to limit access to the device from trusted, administrative networks or
hosts.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2017-10613: Junos OS: A kernel hang may occur due to a specific loopback 
filter action command

CVSS SCORE:

5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

==================================================================

2017-10 Security Bulletin: Junos OS: Denial of service vulnerabilities in 
telnetd (CVE-2017-10614, CVE-2017-10621)

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 
15.1X49, 15.1X53, 16.1, 16.2.

PROBLEM:

Two vulnerabilities in telnetd service on Juniper Networks Junos OS may allow
a remote unauthenticated attacker to cause a denial of service through memory
and/or CPU consumption.

These issues were found during internal product security testing.

No other Juniper Networks products or platforms are affected by this issue.

These issues have been assigned CVE-2017-10614 and CVE-2017-10621.

This issue only affects systems with telnet enabled, which is disabled by 
default.

Juniper SIRT is not aware of any malicious exploitation of these 
vulnerabilities.

SOLUTION:

CVE-2017-10614 is resolved in: 12.1X46-D45, 12.3X48-D30, 14.1R4-S9, 14.1R8, 
14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, 15.1X53-D232, 15.1X53-D47, 16.1R1, and 
all subsequent releases.

CVE-2017-10614 is being tracked as PR 1108483 and is visible on the Customer 
Support website.

CVE-2017-10621 is resolved in: 12.1X46-D71, 12.3X48-D50, 14.1R8-S5, 14.1R9, 
14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F2-S16, 15.1F5-S7, 15.1F6-S6,
15.1R5-S2, 15.1R6, 15.1X49-D100, 15.1X49-D90, 15.1X53-D47, 16.1R4-S1, 16.1R5,
16.2R1-S3, 16.2R2, 17.1R1, and all subsequent releases.

CVE-2017-10614 is being tracked as PR 1159841 and is visible on the Customer 
Support website.

WORKAROUND:

Disabling the telnet service will completely mitigate these issues.

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. Use access lists or firewall 
filters to limit access to the device via telnet from trusted, administrative
networks or hosts.
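
The configuration and version preconditions named in the advisories above can
be checked against a device's 'display set' output. The following Python
sketch is an added example, not part of the Juniper or AusCERT text; the
sample version string, sample configuration and function names are
constructed for illustration.

```python
import re

# Constructed sample input: a version string and `display set` style config.
SAMPLE_VERSION = "16.1R1-S2"
SAMPLE_CONFIG = """\
set system host-name edge1
set system services ssh
set system services telnet connection-limit 5
deactivate system services telnet
set chassis extended-statistics
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
"""

def active_statements(config):
    """Return set-format statements that no `deactivate` line disables."""
    stmts, off = [], []
    for line in config.splitlines():
        verb, _, path = line.strip().partition(" ")
        if verb == "set":
            stmts.append(path)
        elif verb == "deactivate":
            off.append(path)
    return [s for s in stmts
            if not any(s == d or s.startswith(d + " ") for d in off)]

def has_stmt(stmts, prefix):
    return any(s == prefix or s.startswith(prefix + " ") for s in stmts)

def exposure(version, config):
    """Map each finding to the action the bulletin gives for it."""
    stmts = active_statements(config)
    findings = {}
    # CVE-2017-10607: only 16.1R1 and service releases based on it.
    if re.fullmatch(r"16\.1R1(-S\d+)?(\.\d+)?", version):
        findings["CVE-2017-10607"] = "upgrade to 16.1R2 or later"
    # CVE-2017-10611: config precondition only; platform and fixed-release
    # lists from the advisory still have to be checked by hand.
    if has_stmt(stmts, "chassis extended-statistics"):
        findings["CVE-2017-10611"] = "delete chassis extended-statistics"
    # CVE-2017-10614 / CVE-2017-10621: telnet is off unless configured.
    if has_stmt(stmts, "system services telnet"):
        findings["CVE-2017-10614,CVE-2017-10621"] = "delete system services telnet"
    # General advice in every advisory: filter traffic to the device itself.
    lo0 = re.compile(r"interfaces lo0 unit \d+ family inet6? filter input")
    if not any(lo0.match(s) for s in stmts):
        findings["lo0-filter"] = "apply an input firewall filter on lo0"
    return findings

if __name__ == "__main__":
    for name, action in exposure(SAMPLE_VERSION, SAMPLE_CONFIG).items():
        print(f"{name}: {action}")
```

A telnet or extended-statistics finding means the configuration precondition
is present; the running release still has to be compared with the fixed
releases listed in the relevant SOLUTION section.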

IMPLEMENTATION:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================