ESB-2018.0129 - [Juniper] Juniper Junos OS: Multiple vulnerabilities 2018-01-11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0129
               Multiple vulnerabilities have been identified
                              11 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Root Compromise                 -- Console/Physical      
                   Denial of Service               -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0009 CVE-2018-0008 CVE-2018-0007
                   CVE-2018-0006 CVE-2018-0005 CVE-2018-0004
                   CVE-2018-0003 CVE-2018-0002 CVE-2018-0001
                   CVE-2016-8858  

Reference:         ESB-2017.0477
                   ESB-2017.0208
                   ESB-2017.0172
                   ESB-2016.2946
                   ESB-2016.2583

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10828
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10829
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10830
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10831
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10832
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10833
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10834
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10835
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10836
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10837

Comment: This bulletin contains ten (10) Juniper Networks security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-01 Security Bulletin: Junos: Unauthenticated Remote Code Execution
through J-Web interface (CVE-2018-0001)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2,
15.1, 15.1X49, 15.1X53.

Problem:
A remote, unauthenticated attacker may be able to execute code by exploiting
a use-after-free defect found in older versions of PHP through injection of
crafted data via specific PHP URLs within the context of the J-Web process.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D67;
    12.3 versions prior to 12.3R12-S5;
    12.3X48 versions prior to 12.3X48-D35;
    14.1 versions prior to 14.1R8-S5, 14.1R9;
    14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50;
    14.2 versions prior to 14.2R7-S7, 14.2R8;
    15.1 versions prior to 15.1R3;
    15.1X49 versions prior to 15.1X49-D30;
    15.1X53 versions prior to 15.1X53-D70.
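
An added example (not from Juniper or AusCERT) that checks a device inventory against the affected-release list above for CVE-2018-0001. The branch-aware reading of "versions prior to A, B" and the `review` result for releases the list does not clearly cover are assumptions of this example; the hostnames and inventory versions are constructed.

```python
import re
from typing import Dict, List, NamedTuple

# "Affected releases" table for CVE-2018-0001, transcribed from the advisory:
# release train -> fixed releases named after "versions prior to".
CVE_2018_0001_FIXES: Dict[str, List[str]] = {
    "12.1X46": ["12.1X46-D67"],
    "12.3": ["12.3R12-S5"],
    "12.3X48": ["12.3X48-D35"],
    "14.1": ["14.1R8-S5", "14.1R9"],
    "14.1X53": ["14.1X53-D44", "14.1X53-D50"],
    "14.2": ["14.2R7-S7", "14.2R8"],
    "15.1": ["15.1R3"],
    "15.1X49": ["15.1X49-D30"],
    "15.1X53": ["15.1X53-D70"],
}


class JunosVersion(NamedTuple):
    train: str    # "14.1" for R/F releases, "12.1X46" for X trains
    kind: str     # "R", "F" or "X"
    build: int    # R8 -> 8, F5 -> 5; for X trains the D number (D67 -> 67)
    service: int  # S number of an R/F service release, 0 when absent


# Accepts e.g. 14.1R8-S5, 15.1F6-S8.2, 12.1X46-D67.3 (a trailing ".n" is ignored).
_VERSION_RE = re.compile(r"^(\d+\.\d+)([RFX])(\d+)(?:-([SD])(\d+))?(?:\.\d+)?$")


def parse_junos(version: str) -> JunosVersion:
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    base, kind, num, sub, subnum = m.groups()
    # "-D" belongs to X trains and "-S" to R/F releases; reject anything else.
    if sub and (sub == "D") != (kind == "X"):
        raise ValueError(f"unexpected -{sub} suffix in {version!r}")
    if kind == "X":
        return JunosVersion(f"{base}X{num}", "X", int(subnum or 0), 0)
    return JunosVersion(base, kind, int(num), int(subnum or 0))


def status(version: str, fixes_by_train: Dict[str, List[str]]) -> str:
    """Return 'affected', 'fixed', 'review' or 'not-listed' for one release."""
    v = parse_junos(version)
    listed = fixes_by_train.get(v.train)
    if not listed:
        return "not-listed"        # train is not named in this advisory
    fixes = [f for f in map(parse_junos, listed) if f.kind == v.kind]
    if not fixes:
        return "review"            # e.g. an F release where only R fixes are named
    for f in fixes:
        if f.build == v.build:     # same R/F maintenance line, or the exact X release
            return "fixed" if v.service >= f.service else "affected"
    if v.build > max(f.build for f in fixes):
        return "fixed"             # later than every named fix on this train
    if v.build < min(f.build for f in fixes):
        return "affected"          # earlier than every named fix on this train
    return "review"                # between two named fixes: check with the vendor


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "edge-fw-01": "12.1X46-D66.2",
    "core-rtr-01": "14.1R8-S5",
    "core-rtr-02": "14.1R8-S4.1",
    "access-sw-01": "14.1X53-D47",
    "agg-rtr-01": "15.1F5",
    "lab-rtr-01": "16.1R4",
}


def audit(inventory: Dict[str, str],
          fixes_by_train: Dict[str, List[str]] = CVE_2018_0001_FIXES) -> Dict[str, str]:
    return {host: status(ver, fixes_by_train) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:16} {result}")
```

A `not-listed` result only means the train is absent from this advisory's affected list; the other advisories in this bulletin have their own tables.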

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0001.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D67, 12.3R12-S8*, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D44,
14.1X53-D50, 14.2R7-S7, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R7,
15.1X49-D100, 15.1X53-D70, 16.1R4-S6, 16.1R5, 16.2R2-S2, 16.2R3, 17.1R2-S5*,
17.1R3*, 17.2R2, 17.3R1, and all subsequent releases.
*Pending release

Note: While Junos OS 12.3R12-S5, 12.3X48-D35, 15.1F2+, 15.1R3, 15.1X49-D30,
and all subsequent releases are not vulnerable, this issue has been
proactively resolved.

This issue is being tracked as PR 1269932 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disable J-Web, or limit access to only trusted hosts.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0001: Junos: Unauthenticated Remote Code Execution through
    J-Web interface

CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:
Juniper SIRT would like to acknowledge and thank Cure53 for responsibly
reporting this vulnerability.

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: MX series, SRX series: Junos OS: Denial of
service vulnerability in Flowd on devices with ALG enabled. (CVE-2018-0002)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 14.1, 14.2, 15.1, 15.1X49,
16.1, 16.2, 17.1. Affected platforms: MX series, SRX series.

Problem:

On SRX Series and MX Series devices with a Service PIC with any ALG
enabled, a crafted TCP/IP response packet processed through the device
results in memory corruption leading to a flowd daemon crash. Sustained
crafted response packets lead to repeated crashes of the flowd daemon
which results in an extended Denial of Service condition.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D60 on SRX series;
    12.3X48 versions prior to 12.3X48-D35 on SRX series;
    14.1 versions prior to 14.1R9 on MX series;
    14.2 versions prior to 14.2R8 on MX series;
    15.1X49 versions prior to 15.1X49-D60 on SRX series;
    15.1 versions prior to 15.1R5-S8, 15.1F6-S9, 15.1R6-S4, 15.1R7 on
    MX series;
    16.1 versions prior to 16.1R6 on MX series;
    16.2 versions prior to 16.2R3 on MX series;
    17.1 versions prior to 17.1R2-S4, 17.1R3 on MX series.

No other Juniper Networks products or platforms are affected by this issue.

This issue affects any enabled IPv4 ALG.

This issue only affects IPv4.  This issue does not affect IPv6.

This issue affects unicast traffic only.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0002.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D60, 12.3X48-D35, 14.1R9, 14.2R8, 15.1X49-D60, 15.1R5-S8,
15.1R6-S4, 15.1F6-S9, 15.1R7, 16.1R6, 16.2R3, 17.1R2-S4, 17.1R3, 17.2R1
and all subsequent releases.

This issue is being tracked as 1183181 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disable IPv4 ALGs on affected devices.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0002: MX series, SRX series: Junos OS: Denial of service
    vulnerability in Flowd on devices with ALG enabled.

CVSS Score:
8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos OS: Malicious LLDP crafted packet leads
to privilege escalation, denial of service. (CVE-2018-0007)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2,
15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1.

Problem:
An unauthenticated network-based attacker able to send a maliciously crafted
LLDP packet to the local segment, through a local segment broadcast,
may be able to cause a Junos device to enter an improper boundary check
condition allowing a memory corruption to occur, leading to a denial of
service. Further crafted packets may be able to sustain the denial of service
condition. Score: 6.5 MEDIUM (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Further, if the attacker is authenticated on the target device receiving
and processing the malicious LLDP packet, while receiving the crafted
packets, the attacker may be able to perform command or arbitrary code
injection over the target device thereby elevating their permissions
and privileges, and taking control of the device. Score: 7.8 HIGH
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated network-based attacker able to send a maliciously crafted
LLDP packet to one or more local segments, via LLDP proxy / tunneling agents
or other LLDP through Layer 3 deployments, through one or more local segment
broadcasts, may be able to cause multiple Junos devices to enter an improper
boundary check condition allowing a memory corruption to occur, leading to
multiple distributed denials of service. These denial of service attacks
may cascade to adjacent connected devices, impacting network devices,
servers, workstations, etc. Further crafted packets may be able to sustain
these denial of service conditions. Score: 6.8 MEDIUM
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)

Further, if the attacker is authenticated on one or more target devices
receiving and processing these malicious LLDP packets, while receiving the
crafted packets, the attacker may be able to perform command or arbitrary
code injection over multiple target devices thereby elevating their
permissions and privileges, and taking control of multiple devices. Score:
7.8 HIGH (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D71;
    12.3 versions prior to 12.3R12-S7;
    12.3X48 versions prior to 12.3X48-D55;
    14.1 versions prior to 14.1R8-S5, 14.1R9;
    14.1X53 versions prior to 14.1X53-D46, 14.1X53-D50, 14.1X53-D107;
    14.2 versions prior to 14.2R7-S9, 14.2R8;
    15.1 versions prior to 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R5-S7,
    15.1R7;
    15.1X49 versions prior to 15.1X49-D90;
    15.1X53 versions prior to 15.1X53-D65;
    16.1 versions prior to 16.1R4-S6, 16.1R5;
    16.1X65 versions prior to 16.1X65-D45;
    16.2 versions prior to 16.2R2;
    17.1 versions prior to 17.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0007.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D71, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5,
14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F2-S17, 15.1F5-S8,
15.1F6-S8, 15.1R7, 15.1X49-D90, 15.1X53-D65, 16.1R4-S6, 16.1R5, 16.1X65-D45,
16.2R2, 17.1R2, 17.2R1, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which
releases vulnerabilities are fixed, as per our End of Engineering and End
of Life support policies.

This issue is being tracked as 1252823 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:

No viable workarounds exist other than to implement IDP or other filters
to prevent the LLDP packet itself from reaching LLDP proxy agents, or
devices receiving and processing LLDP packets.

It is good security practice to limit the exploitable attack surface of
critical infrastructure networking equipment. Use access lists or firewall
filters to limit access to the device via all means to only trusted,
administrative networks, hosts and users.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0007: Junos OS: Malicious LLDP crafted packet leads to
    privilege escalation, denial of service.

CVSS Score:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:
We would like to acknowledge and thank:

    UK's National Cyber Security Centre (NCSC)

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos OS: A crafted MPLS packet may lead to a
kernel crash (CVE-2018-0003)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3R12, 12.3X48, 14.1, 14.1X53,
14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75.

Problem:

A specially crafted MPLS packet received or processed by the system, on
an interface configured with MPLS, will store information in the system
memory. Subsequently, if this stored information is accessed, this may
result in a kernel crash leading to a denial of service.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D71;
    12.3R12 versions prior to 12.3R12-S7;
    12.3X48 versions prior to 12.3X48-D55;
    14.1 versions prior to 14.1R8-S5, 14.1R9;
    14.1X53 versions prior to 14.1X53-D45, 14.1X53-D107;
    14.2 versions prior to 14.2R7-S7, 14.2R8;
    15.1 versions prior to 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R6-S3,
    15.1R7;
    15.1X49 versions prior to 15.1X49-D100;
    15.1X53 versions prior to 15.1X53-D65, 15.1X53-D231;
    16.1 versions prior to 16.1R3-S6, 16.1R4-S6, 16.1R5;
    16.1X65 versions prior to 16.1X65-D45;
    16.2 versions prior to 16.2R2-S1, 16.2R3;
    17.1 versions prior to 17.1R2-S2, 17.1R3;
    17.2 versions prior to 17.2R1-S3, 17.2R2;
    17.2X75 versions prior to 17.2X75-D50.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0003.

Solution:

The following software releases have been updated to resolve this
specific issue: 12.1X46-D71, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5, 14.1R9,
14.1X53-D45, 14.1X53-D107, 14.2R7-S7, 14.2R8, 15.1F5-S8, 15.1F6-S8,
15.1R5-S6, 15.1R6-S3, 15.1R7, 15.1X49-D100, 15.1X53-D65, 15.1X53-D231,
16.1R3-S6, 16.1R4-S6, 16.1R5, 16.1X65-D45,
16.2R2-S1, 16.2R3, 17.1R2-S2, 17.1R3, 17.2R1-S3, 17.2R2, 17.2X75-D50,
17.3R1, and all subsequent releases.

This issue is being tracked as 1276786 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disallow MPLS packets from reaching the device.
Remove MPLS configuration stanzas from interface configurations that are
at risk.
No other viable workarounds exist for this issue.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0003: Junos OS: A crafted MPLS packet may lead to a kernel crash

CVSS Score:
6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos OS: Kernel Denial of Service Vulnerability
(CVE-2018-0004)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3R, 12.3X48, 14.1, 14.1X53, 14.2,
15.1, 15.1X49, 15.1X53.

Problem:
A sustained sequence of different types of normal transit traffic can
trigger a high CPU consumption denial of service condition in the Junos OS
register and schedule software interrupt handler subsystem when a specific
command is issued to the device. This affects one or more threads and
consequently one or more processes running on the system. Once this occurs,
the high CPU event(s) affect either or both the forwarding and control
plane. As a result of this condition the device can become inaccessible in
either or both the control and forwarding plane and stops forwarding traffic
until the device is rebooted. Score: 5.7 MEDIUM
(CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

For network designs utilizing layer 3 forwarding agents or other ARP
through layer 3 technologies, the score is slightly higher.  Score: 6.5
MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

The issue will reoccur after reboot upon receiving further transit traffic.

If the following entry exists in the RE message logs then this may indicate
the issue is present. This entry may or may not appear when this issue
occurs.
/kernel: Expensive timeout(9) function:

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D50;
    12.3X48 versions prior to 12.3X48-D30;
    12.3R versions prior to 12.3R12-S7;
    14.1 versions prior to 14.1R8-S4, 14.1R9;
    14.1X53 versions prior to 14.1X53-D30, 14.1X53-D34;
    14.2 versions prior to 14.2R8;
    15.1 versions prior to 15.1F6, 15.1R3;
    15.1X49 versions prior to 15.1X49-D40;
    15.1X53 versions prior to 15.1X53-D31, 15.1X53-D33, 15.1X53-D60.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0004.

Solution:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D50, 12.3R12-S7, 12.3X48-D30, 14.1R8-S4, 14.1R9, 14.1X53-D30,
14.1X53-D34, 14.2R8, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D31, 15.1X53-D33,
15.1X53-D60, 16.1R1, and all subsequent releases.

This issue is being tracked as 1145306 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
There are no viable workarounds for this issue.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0004: Junos OS: Kernel Denial of Service Vulnerability

CVSS Score:
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos OS: MAC move limit configured to drop
traffic may forward traffic. (CVE-2018-0005)

Product Affected:
This issue affects Junos OS 14.1X53, 15.1, 15.1X53.

Problem:

QFX and EX Series switches configured to drop traffic when the MAC move
limit is exceeded will forward traffic instead of dropping traffic. This
can lead to denials of services or other unintended conditions.

Affected releases are Juniper Networks Junos OS:

    14.1X53 versions prior to 14.1X53-D40;
    15.1X53 versions prior to 15.1X53-D55;
    15.1 versions prior to 15.1R7.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0005.

Solution:

The following software releases have been updated to resolve this specific
issue: 14.1X53-D40, 15.1X53-D55, 15.1X53-D60, 16.1R1, and all subsequent
releases.

This issue is being tracked as 1105372 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
To decrease the risk of seeing the issue, increase the MAC move limit
rate on the device; or, to work around the issue until a fix can be taken,
remove the MAC move limit from the device's running configuration. These
actions may introduce other unintended consequences in customer
environments, should be evaluated carefully on a case-by-case basis,
and are not complete mitigations.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0005: Junos OS: MAC move limit configured to drop traffic
    may forward traffic.

CVSS Score:
7.4 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos: bbe-smgd process denial of service while
processing VLAN authentication requests/rejects (CVE-2018-0006)

Product Affected:
This issue affects Junos OS 15.1, 16.1, 16.2, 17.1, 17.2.

Problem:
A high rate of VLAN authentication attempts sent from an adjacent host on
the local broadcast domain can trigger high memory utilization by the BBE
subscriber management daemon (bbe-smgd), and lead to a denial of service
condition. The issue was caused by attempting to process an unbounded
number of pending VLAN authentication requests, leading to excessive
memory allocation.

This issue only affects devices configured for DHCPv4/v6 over AE auto-sensed
VLANs, utilized in Broadband Edge (BBE) deployments. Other configurations
are unaffected by this issue.

Affected releases are Juniper Networks Junos OS:

    15.1 versions prior to 15.1R6-S2, 15.1R7;
    16.1 versions prior to 16.1R5-S1, 16.1R6;
    16.2 versions prior to 16.2R2-S2, 16.2R3;
    17.1 versions prior to 17.1R2-S5, 17.1R3;
    17.2 versions prior to 17.2R2.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0006.

Solution:
The following software releases have been updated to resolve this specific
issue: 15.1R6-S2, 15.1R7, 16.1R5-S1, 16.1R6, 16.2R2-S2, 16.2R3, 17.1R2-S5*,
17.1R3*, 17.2R2, 17.3R1, 17.4R1, and all subsequent releases.
*pending release

This issue is being tracked as PRs 1284213 and 1268129 which are visible
on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Since this issue is specific to auto-sense or dynamic VLANs, utilizing a
static VLAN model will mitigate this issue.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0006: Junos OS: bbe-smgd process denial of service while
    processing VLAN authentication requests/rejects

CVSS Score:
6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
2018-01 Security Bulletin: Junos: commit script may allow unauthenticated
root login upon reboot (CVE-2018-0008)

Product Affected:
This issue affects all products and platforms running Junos OS 12.1X46,
12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1.

Problem:

An unauthenticated root login may be allowed upon reboot when a commit script
is used. A commit script allows a device administrator to execute certain
instructions during commit, and is configured under the [system scripts
commit] stanza. Certain commit scripts that work without a problem during
normal commit may cause unexpected behavior upon reboot which can leave
the system in a state where root CLI login is allowed without a password
due to the system reverting to a "safe mode" authentication state. Note that
only logging in physically to the console port as root, with no password,
will work.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D71 on SRX;
    12.3X48 versions prior to 12.3X48-D55 on SRX;
    14.1 versions prior to 14.1R9;
    14.1X53 versions prior to 14.1X53-D40 on QFX, EX;
    14.2 versions prior to 14.2R7-S9, 14.2R8;
    15.1 versions prior to 15.1F5-S7, 15.1F6-S8, 15.1R5-S6, 15.1R6;
    15.1X49 versions prior to 15.1X49-D110 on SRX;
    15.1X53 versions prior to 15.1X53-D232 on QFX5200/5110;
    15.1X53 versions prior to 15.1X53-D49, 15.1X53-D470 on NFX;
    15.1X53 versions prior to 15.1X53-D65 on QFX10K;
    16.1 versions prior to 16.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0008.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D71, 12.3X48-D55, 14.1R9, 14.1X53-D40, 14.2R7-S9, 14.2R8,
15.1F5-S7, 15.1F6-S8, 15.1R5-S6, 15.1R6, 15.1X49-D110, 15.1X53-D49,
15.1X53-D470, 15.1X53-D232, 15.1X53-D65, 16.1R2, 16.2R1 and all subsequent
releases.

This issue is being tracked as 1179601 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
While no published workaround exists for this issue, customers can
verify whether their commit script contains the affected configuration by
rebooting the device. Please contact JTAC if, after the reboot, the device
enters a state where root CLI login is allowed without a password.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0008: Junos OS: commit script may allow unauthenticated root
    login upon reboot

CVSS Score:
6.2 (CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------
SRX Series: Firewall bypass vulnerability when UUID with leading zeros is
configured. (CVE-2018-0009)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms:
SRX series.

Problem:
On Juniper Networks SRX series devices, firewall rules configured to
match custom application UUIDs starting with zeros can match all TCP
traffic. Due to this issue, traffic that should have been blocked by other
rules is permitted to flow through the device resulting in a firewall
bypass condition.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D71 on SRX series;
    12.3X48 versions prior to 12.3X48-D55 on SRX series;
    15.1X49 versions prior to 15.1X49-D100 on SRX series.

This issue is only applicable to SRX series devices with a configuration
containing UUIDs that start with one or more zeros.

For example:

    set applications application <application-name> uuid 01234567-1234-1234-1234-123456789abc
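
An added example (not Juniper's code) that audits an SRX configuration in `set` format for the condition described above: applications whose UUID starts with zero, and the security policies that match on them directly or through one level of application-set. The application, zone and policy names in the sample are constructed, and the `application-set` and `security policies ... match application` statement forms are assumed here, since the advisory shows only the `uuid` statement.

```python
import re

# Tolerates extra hierarchy levels between "set" and the keywords of interest.
_PREFIX = r"^set\s+(?:\S+\s+)*?"
_UUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"

# Statement form shown in the advisory: ... application <name> uuid <uuid>
UUID_LINE = re.compile(
    _PREFIX + r"applications\s+application\s+(?P<app>\S+)\s+(?:\S+\s+)*?"
    r"uuid\s+(?P<uuid>" + _UUID + r")\s*$")
# Assumed statement forms (not shown in the advisory):
APPSET_LINE = re.compile(
    _PREFIX + r"applications\s+application-set\s+(?P<set>\S+)\s+"
    r"application\s+(?P<app>\S+)\s*$")
POLICY_LINE = re.compile(
    _PREFIX + r"security\s+policies\s+from-zone\s+(?P<src>\S+)\s+"
    r"to-zone\s+(?P<dst>\S+)\s+policy\s+(?P<policy>\S+)\s+"
    r"match\s+application\s+(?P<app>\S+)\s*$")


def audit_uuid_rules(config_text):
    """Return (risky_apps, exposed_policies) for a set-format configuration.

    risky_apps:       {application name: uuid} for UUIDs starting with "0"
    exposed_policies: sorted (from-zone, to-zone, policy, matched name) tuples
                      whose match term is a risky application or a set holding one
    """
    risky, app_sets, policy_refs = {}, {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = UUID_LINE.match(line)
        if m:
            if m["uuid"].startswith("0"):
                risky[m["app"]] = m["uuid"]
            continue
        m = APPSET_LINE.match(line)
        if m:
            app_sets.setdefault(m["set"], set()).add(m["app"])
            continue
        m = POLICY_LINE.match(line)
        if m:
            policy_refs.append((m["src"], m["dst"], m["policy"], m["app"]))
    # A policy is exposed if it names a risky application or a set containing one.
    flagged = set(risky) | {
        name for name, members in app_sets.items() if members & set(risky)}
    exposed = sorted(ref for ref in policy_refs if ref[3] in flagged)
    return risky, exposed


# Constructed sample configuration; the first UUID is the advisory's own example.
SAMPLE_CONFIG = """\
set applications application custom-app-a uuid 01234567-1234-1234-1234-123456789abc
set applications application custom-app-b uuid 12345678-1234-1234-1234-123456789abc
set applications application-set rpc-apps application custom-app-a
set security policies from-zone trust to-zone untrust policy allow-rpc match application rpc-apps
set security policies from-zone trust to-zone dmz policy allow-b match application custom-app-b
set security policies from-zone trust to-zone dmz policy allow-b match source-address any
"""

if __name__ == "__main__":
    apps, policies = audit_uuid_rules(SAMPLE_CONFIG)
    for name, uuid in apps.items():
        print(f"application {name}: uuid {uuid} starts with zero")
    for src, dst, policy, app in policies:
        print(f"policy {policy} ({src} -> {dst}) matches {app}")
```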

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0009.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D71, 12.3X48-D55, 15.1X49-D100, 17.3R1, and all subsequent
releases.

This issue is being tracked as 1261522 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Do not use UUIDs starting with zeros in the configuration.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2018-0009: SRX Series: Firewall bypass vulnerability when UUID
    with leading zeros is configured.

CVSS Score:
5.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)

Risk Level:
Medium

Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: OpenSSH Memory exhaustion due to
unregistered KEXINIT handler (CVE-2016-8858)

Product Affected:
This issue affects Junos OS 12.3X48, 15.1, 15.1X49, 15.1X53, 16.1, 16.2.

Problem:

Remote network based attackers can cause the OpenSSH server on Junos OS
to allocate an excessive amount of memory. This can potentially create a
denial of service condition for the device.

The issue only occurs if SSH is enabled. An attacker must be able to first
establish a connection to the SSH service on the device.

This vulnerability cannot be triggered from hosts or networks that cannot
reach the SSH port on the device.

Affected releases are Juniper Networks Junos OS:

    12.3X48 versions 12.3X48-D55 and above but prior to 12.3X48-D65;
    15.1R5-S4, 15.1R5-S5;
    15.1R6;
    15.1X49 versions 15.1X49-D100 and above, but prior to 15.1X49-D121;
    15.1X53-D57;
    16.1 versions prior to 16.1R4-S6, 16.1R5;
    16.2 versions prior to 16.2R2.

The issue only affects devices where SSH is enabled.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2016-8858.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.3X48-D65, 15.1R5-S6, 15.1R7, 15.1X49-D121, 16.1R4-S6, 16.1R5,
16.2R2, 17.1R1, 17.2R1, and all subsequent releases.

This issue is being tracked as 1228873 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:
Use access lists or firewall filters to limit access to the device, so
that it can only be accessed from trusted hosts. Restrict access to only
highly trusted administrators.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2016-8858: OpenSSH Memory exhaustion due to unregistered KEXINIT
    handler

CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level:
Medium

Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================