ESB-2017.2631 - [Juniper] Juniper Junos Space: Multiple vulnerabilities 2017-10-19



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2631
             2017-10 Security Bulletin: Junos Space: Multiple
                vulnerabilities resolved in 17.1R1 release
                              19 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                -- Existing Account            
                   Access Privileged Data         -- Remote/Unauthenticated      
                   Modify Arbitrary Files         -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Existing Account            
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000379 CVE-2017-1000371 CVE-2017-1000370
                   CVE-2017-1000369 CVE-2017-1000367 CVE-2017-1000366
                   CVE-2017-1000365 CVE-2017-1000364 CVE-2017-10624
                   CVE-2017-10623 CVE-2017-10612 CVE-2017-7494
                   CVE-2016-2519 CVE-2016-2518 CVE-2016-2517
                   CVE-2016-2516 CVE-2016-1551 CVE-2016-1550
                   CVE-2016-1549 CVE-2016-1548 CVE-2016-1547

Reference:         ESB-2017.2422
                   ESB-2017.1831
                   ESB-2017.1681
                   ESB-2017.1468
                   ASB-2016.0074
                   ASB-2016.0046

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10826&actp=RSS

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 
17.1R1 release

Categories:

Junos Space

SIRT Advisory

Article ID: JSA10826 Last Updated: 17 Oct 2017

Version: 2.0

PRODUCT AFFECTED:

This issue affects Juniper Networks Junos Space versions prior to 17.1R1.

PROBLEM:

Multiple vulnerabilities have been resolved in Junos Space 17.1R1 release.

Important security issues resolved as a result of these upgrades include,

CVE-2017-7494
  CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Summary: Samba since version 3.5.0 is vulnerable to a remote code execution
  vulnerability, allowing a malicious client to upload a shared library to a
  writable share, and then cause the server to load and execute it.

CVE-2017-1000365
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The Linux Kernel imposes a size restriction on the arguments and
  environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the
  size), but does not take the argument and environment pointers into account,
  which allows attackers to bypass this limitation. This affects Linux Kernel
  versions 4.11.5 and earlier. It appears that this feature was introduced in
  the Linux Kernel version 2.6.23.

CVE-2017-1000366
  CVSS base score: 7.4 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Summary: glibc contains a vulnerability that allows specially crafted
  LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias,
  potentially resulting in arbitrary code execution. Please note that
  additional hardening changes have been made to glibc to prevent manipulation
  of stack and heap memory, but these issues are not directly exploitable, so
  they have not been given a CVE. This affects glibc 2.25 and earlier.

CVE-2017-1000371
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The offset2lib patch as used by the Linux Kernel contains a
  vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of
  memory is allocated (the maximum under the 1/4 restriction), then the stack
  will be grown down to 0x80000000, and as the PIE binary is mapped above
  0x80000000 the minimum distance between the end of the PIE binary's
  read-write segment and the start of the stack becomes small enough that the
  stack guard page can be jumped over by an attacker. This affects Linux Kernel
  version 4.11.5. This is a different issue than CVE-2017-1000370 and
  CVE-2017-1000365. This issue appears to be limited to i386 based systems.

CVE-2017-1000379
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The Linux Kernel running on AMD64 systems will sometimes map the
  contents of the PIE executable, the heap or ld.so to where the stack is
  mapped, allowing attackers to more easily manipulate the stack. Linux Kernel
  version 4.11.5 is affected.

CVE-2016-2516
  CVSS base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  Summary: NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled,
  allows remote attackers to cause a denial of service (ntpd abort) by using
  the same IP address multiple times in an unconfig directive.

CVE-2017-1000367
  CVSS base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
  Summary: Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an
  input validation flaw (embedded spaces) in the get_process_ttyname()
  function, resulting in information disclosure and command execution.

CVE-2016-1548
  CVSS base score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  Summary: An attacker can spoof a packet from a legitimate ntpd server with
  an origin timestamp that matches the peer->dst timestamp recorded for that
  server. After making this switch, the NTP client will reject all future
  legitimate server responses. It is possible to force the victim client to
  move time after the mode has been changed. ntpq gives no indication that the
  mode has been switched.

CVE-2017-1000364
  CVSS base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
  Summary: An issue was discovered in the size of the stack guard page on
  Linux: specifically, a 4k stack guard page is not sufficiently large and can
  be "jumped" over (the stack guard page is bypassed). This affects Linux
  Kernel versions 4.11.5 and earlier (the stack guard page was introduced in
  2010).

CVE-2016-1547
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Summary: An off-path attacker can cause a preemptible client association to
  be demobilized in NTP by sending a crypto NAK packet to a victim client with
  a spoofed source address of an existing associated peer. This is true even
  if authentication is enabled.

CVE-2016-1550
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Summary: An exploitable vulnerability exists in the message authentication
  functionality of libntp in NTP. An attacker can send a series of crafted
  messages to attempt to recover the message digest key.

CVE-2016-2518
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Summary: The MATCH_ASSOC function in NTP allows remote attackers to cause an
  out-of-bounds reference via an addpeer request with a large hmode value.

CVE-2016-2517
  CVSS base score: 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  Summary: NTP allows remote attackers to cause a denial of service (prevent
  subsequent authentication) by leveraging knowledge of the controlkey or
  requestkey and sending a crafted packet to ntpd, which changes the value of
  trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists
  because of a CVE-2016-2516 regression.

CVE-2016-2519
  CVSS base score: 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  Summary: ntpd allows remote attackers to cause a denial of service (ntpd
  abort) by a large request data value, which triggers the ctl_getitem
  function to return a NULL value.

CVE-2016-1549
  CVSS base score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Summary: A malicious authenticated peer can create arbitrarily many
  ephemeral associations in order to win the clock selection algorithm in ntpd
  and modify a victim's clock.

CVE-2016-1551
  CVSS base score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  Summary: ntpd relies on the underlying operating system to protect it from
  requests that impersonate reference clocks. Because reference clocks are
  treated like other peers and stored in the same structure, any packet with a
  source IP address of a reference clock (127.127.1.1 for example) that
  reaches the receive() function will match that reference clock's peer record
  and will be treated as a trusted peer. Any system that lacks the typical
  martian packet filtering which would block these packets is in danger of
  having its time controlled by an attacker.

CVE-2017-1000369
  CVSS base score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
  Summary: Exim supports the use of multiple "-p" command line arguments which
  are malloc()'ed and never free()'ed; used in conjunction with other issues,
  this allows attackers to cause arbitrary code execution. This affects exim
  version 4.89 and earlier. Please note that at this time upstream has released
  a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not
  known if a new point release is available that addresses this issue at this
  time.

Apart from the above issues, Junos Space 17.1R1 also resolves the following
issues, found during internal product testing:

CVE-2017-10612
  CVSS base score: 8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
  Summary: A persistent site scripting vulnerability in Juniper Networks Junos
  Space allows users who can change certain configuration to implant malicious
  Javascript or HTML which may be used to steal information or perform actions
  as other Junos Space users or administrators. (PR 1231289)

CVE-2017-10623
  CVSS base score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
  Summary: Lack of authentication and authorization of cluster messages in
  Juniper Networks Junos Space may allow a man-in-the-middle type of attacker
  to intercept, inject or disrupt Junos Space cluster operations between two
  nodes. (PR 983910)

CVE-2017-10624
  CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Summary: Insufficient verification of node certificates in Juniper Networks
  Junos Space may allow a man-in-the-middle type of attacker to make
  unauthorized modifications of the Space database or add nodes. (PR 1176959)

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

SOLUTION:

The following software releases have been updated to resolve these issues: 
17.1R1 and all subsequent releases.

These issues are being tracked as PRs 1290443, 1231289, 983910, 1176959, 
1214448 and are visible on the Customer Support website.

WORKAROUND:

There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of 
critical infrastructure networking equipment. Use access lists or firewall 
filters to limit access to the device from trusted, administrative networks or
hosts.

IMPLEMENTATION:

Junos Space Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/space.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.

2017-10-17: Fix summary descriptions of CVE-2017-10623, CVE-2017-10624.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
