ESB-2017.2628 - [Juniper] Juniper Junos OS: Multiple vulnerabilities 2017-10-19


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2628
Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities
    in Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).
                              19 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13088 CVE-2017-13087 CVE-2017-13086
                   CVE-2017-13084 CVE-2017-13082 CVE-2017-13081
                   CVE-2017-13080 CVE-2017-13079 CVE-2017-13078
                   CVE-2017-13077  

Reference:         ESB-2017.2620
                   ESB-2017.2601
                   ESB-2017.2600
                   ESB-2017.2599

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10827&actp=RSS

--------------------------BEGIN INCLUDED TEXT--------------------

Out-of-Cycle Security Bulletin: Multiple Products: Multiple vulnerabilities in
Wi-Fi Protected Access (WPA1/WPA2) protocols (aka KRACK attack).

Categories: Junos; Security Products; Firewalls ISG/NS/SSG Series; SSG-5;
SSG-20; SRX Series; SRX210; SRX240; SIRT Advisory

Article ID: JSA10827

Last Updated: 17 Oct 2017

Version: 4.0

PRODUCT AFFECTED:

This issue affects Junos OS 12.1X46. Affected platforms: SRX 210, 240 series 
firewalls with AX411 Wireless Access Points.

This issue affects ScreenOS 6.3. Affected platforms: ScreenOS SSG-5 and SSG-20
devices with embedded Wireless Access Point radios.

This issue affects WLAN 9.2, 9.6. Affected platforms: MSS.

PROBLEM:

The Wi-Fi Protected Access (WPA/WPA1) and Wi-Fi Protected Access II (WPA2) 
security protocols used in Juniper's SRX 210, 240 series firewalls which 
support the AX411 Access Points, in ScreenOS SSG-5 and SSG-20 firewalls with 
integrated Wi-Fi radios, and in the WLAN product line have one or more 
vulnerabilities present when these Wi-Fi radios are enabled.

This is a series of protocol level vulnerabilities and not specific to any 
Juniper products. WPA and WPA2 security protocols are present in nearly all 
modern Wi-Fi products.

Successful exploitation of these vulnerabilities could allow unauthenticated 
attackers to perform packet replay, decrypt wireless packets, and to 
potentially forge or inject packets into a wireless network.

The following CVE IDs have been issued for each of the possible 
vulnerabilities:

CVE-2017-13077 reinstallation of the pairwise key in the Four-way handshake

CVE-2017-13078 reinstallation of the group key in the Four-way handshake

CVE-2017-13079 reinstallation of the integrity group key in the Four-way 
handshake

CVE-2017-13080 reinstallation of the group key in the Group Key handshake

CVE-2017-13081 reinstallation of the integrity group key in the Group Key 
handshake

Juniper's products do not support Fast BSS Transition Reassociation or the 
PeerKey Handshake, and so are not vulnerable to CVE-2017-13082, 
CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, or CVE-2017-13088.

The research paper referenced in the related links section below can be 
reviewed for details.
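
The following is an added illustration, not part of Juniper's advisory or any
vendor code. It models why reinstalling a key that is already in use leads to
the replay and decryption impacts listed above, next to the hardened behaviour
of ignoring the reinstall. The Station class, the toy keystream and all sample
values are constructed for this example.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    # Toy stand-in for the per-packet cipher: output depends only on (key, nonce).
    # Supports frames of up to 32 bytes, which is enough for this model.
    return hashlib.sha256(key + nonce.to_bytes(8, "big")).digest()[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Station:
    """Constructed model of one endpoint's key state (not real 802.11 code)."""
    def __init__(self, ignore_reinstall: bool):
        self.ignore_reinstall = ignore_reinstall
        self.key, self.tx_nonce, self.rx_replay = None, 0, 0

    def install_key(self, key: bytes) -> None:
        # Hardened: installing the key already in use must not reset counters.
        if self.ignore_reinstall and key == self.key:
            return
        # Vulnerable: every install resets the transmit nonce and replay counter.
        self.key, self.tx_nonce, self.rx_replay = key, 0, 0

    def send(self, plaintext: bytes):
        self.tx_nonce += 1
        ks = keystream(self.key, self.tx_nonce, len(plaintext))
        return self.tx_nonce, xor(plaintext, ks)

    def receive(self, nonce: int, ciphertext: bytes):
        if nonce <= self.rx_replay:
            return None  # replayed frame rejected
        self.rx_replay = nonce
        return xor(ciphertext, keystream(self.key, nonce, len(ciphertext)))

def simulate(ignore_reinstall: bool):
    key = b"constructed-session-key"
    victim, peer = Station(ignore_reinstall), Station(ignore_reinstall)
    victim.install_key(key); peer.install_key(key)
    inbound = peer.send(b"inbound frame 01")         # accepted once by the victim
    assert victim.receive(*inbound) is not None
    p1, p2 = b"known header 001", b"secret payload!!"
    n1, c1 = victim.send(p1)
    victim.install_key(key)   # retransmitted handshake message: same key again
    n2, c2 = victim.send(p2)
    nonce_reused = n1 == n2
    replay_accepted = victim.receive(*inbound) is not None
    keystream_cancels = xor(c1, c2) == xor(p1, p2)   # c1^c2 leaks p1^p2
    return nonce_reused, replay_accepted, keystream_cancels
```

With the reinstall honoured, the model reuses nonce 1, accepts the old inbound
frame a second time, and the XOR of the two ciphertexts equals the XOR of the
two plaintexts. With the reinstall ignored, none of the three conditions holds.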

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

SOLUTION:

WLAN

MSS 9.2.1, 9.6.5, and all subsequent releases.

This issue is being tracked as PR 1297300 and is visible on the Customer 
Support website.

WORKAROUND:

There are no viable workarounds for these issues.

The following methods may be used to reduce the possibility of exploitation:

SRX 210, 240 series firewalls with AX411 Wireless Access Points:

Disabling all Wi-Fi configurations and setting all ports with AX411 Access 
Points administratively down will protect the SRX device from exploitation.

Customers may also physically disconnect the AX411 Wi-Fi Access Points from 
their network.

ScreenOS devices with embedded Wireless Access Points:

Disable all Wi-Fi configurations.

WLAN:

Disable all Wi-Fi Access Points until such time that the MSS can be upgraded.

IMPLEMENTATION:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:

2017-10-16: Initial publication

2017-10-17: Updated not vulnerable section of problem to reflect not 
vulnerable to: CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087,
or CVE-2017-13088. Removed SRX 650 reference which is EOE.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

https://papers.mathyvanhoef.com/ccs2017.pdf

AX411 Access Point Hardware

CVSS SCORE:

7.9 (CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information on how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

ACKNOWLEDGEMENTS:

Juniper SIRT would like to acknowledge and thank:

   * researchers Mathy Vanhoef and Frank Piessens of DistriNet (Distributed 
     Systems and Computer Networks) at the Computer Science department of the
     Katholieke Universiteit Leuven, Belgium for responsibly disclosing these
     vulnerabilities.

   * John A. Van Boxtel with Cypress Semiconductor for finding that 
     wpa_supplicant v2.6 is also vulnerable to CVE-2017-13077.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================