ESB-2018.1121 - [Juniper] SRX Series Firewalls: Multiple vulnerabilities 2018-04-12


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1121
                  SRX Series Firewalls Security Bulletins
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           SRX Series Firewalls
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0018 CVE-2018-0017 

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10845
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10846

Comment: This bulletin contains two (2) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2018-04 Security Bulletin: SRX Series: Denial of service vulnerability in flowd
daemon on devices configured with NAT-PT (CVE-2018-0017)


CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at
KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."


Product Affected:

This issue affects Junos OS 12.1X46, 12.3X48 and 15.1X49 on SRX Series.


Problem:

A vulnerability in the Network Address Translation - Protocol Translation
(NAT-PT) feature of Junos OS on SRX series devices may allow a certain valid
IPv6 packet to crash the flowd daemon. Repeated crashes of the flowd daemon can
result in an extended denial of service condition for the SRX device.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D72;
    12.3X48 versions prior to 12.3X48-D55;
    15.1X49 versions prior to 15.1X49-D90.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0017.


Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D76 (pending release), 12.3X48-D55, 15.1X49-D90, 17.3R1, and all
subsequent releases.

This issue is being tracked as 1261863 which is visible on the Customer Support
website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).


Workaround:

There are no viable workarounds for this issue.


Implementation:

Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.


Modification History:

    2018-04-11: Initial Publication.


-------------------------------------------------------------------------------


2018-04 Security Bulletin: SRX Series: A crafted packet may lead to information
disclosure and firewall rule bypass during compilation of IDP policies.
(CVE-2018-0018)


CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N)
Risk Level: High
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at
KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."


Product Affected:

This issue affects Junos OS 12.1X46, 12.3X48 and 15.1X49 on SRX series.


Problem:

On SRX Series devices during compilation of IDP policies, an attacker sending
specially crafted packets may be able to bypass firewall rules, leading to
information disclosure which an attacker may use to gain control of the target
device or other internal devices, systems or services protected by the SRX
Series device. This issue only applies to devices where IDP policies are applied
to one or more rules. Customers not using IDP policies are not affected.

Depending on whether IDP updates are automatic, and on the interval between
available updates, an attacker may have more or less success in performing
reconnaissance or bypass attacks on the victim SRX Series device or protected
devices.

ScreenOS with IDP is not vulnerable to this issue.

Affected releases are Juniper Networks Junos OS:

    12.1X46 versions prior to 12.1X46-D60 on SRX;
    12.3X48 versions prior to 12.3X48-D35 on SRX;
    15.1X49 versions prior to 15.1X49-D60 on SRX.

This issue only affects SRX Series devices with IDP configured.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0018.


Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D60, 12.3X48-D35, 15.1X49-D60, 17.3R1, and all subsequent
releases.

Additionally, customers should download and apply the latest sigpack for IDP
signatures.

This issue is being tracked as 1151743 which is visible on the Customer Support
website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).


Workaround:

Customers using cluster configurations may break the cluster configuration,
disable traffic on one node, update the IDP policy, reintroduce this updated
node as a standalone device and direct all traffic to it in place of the
current standalone device, then do the same with the secondary node, and
finally reintroduce the cluster configuration on both devices. For this
workaround to be most effective, customers should disable automatic updates and
manually download IDP signature updates.

Alternatively, cluster customers using load balancers may break the cluster,
run individual side-by-side configurations, offload all traffic from one node
via load balancers to the other node, then update the IDP policy manually on
the idle node, repeat the operation with the roles of the two nodes reversed,
and then return to side-by-side or cluster mode operation.

Customers unable to use design scenarios such as those above as workarounds
should instead take fixes where available.


Implementation:

Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.


Modification History:

    2018-04-11: Initial Publication.


Acknowledgements:

The Juniper SIRT would like to acknowledge and thank Craig Dods, formerly of
IBM Security.

--------------------------END INCLUDED TEXT--------------------
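
Added example (not part of the Juniper advisories or the AusCERT bulletin): a
fleet triage check that applies the "Affected releases" lists of both
advisories, together with the NAT-PT and IDP preconditions, to Junos X-train
version strings. The hostnames, the inventory and the nat_pt/idp flags are
constructed assumptions that an operator would fill in from a configuration
audit.

```python
import re

# First fixed D-release per affected train, from the two "Affected releases" lists
# ("versions prior to ..."). Constructed lookup table, not vendor tooling.
FIXED = {
    "CVE-2018-0017": {"12.1X46": 72, "12.3X48": 55, "15.1X49": 90},
    "CVE-2018-0018": {"12.1X46": 60, "12.3X48": 35, "15.1X49": 60},
}
# Feature that must be configured for each issue to apply (per the Problem sections).
REQUIRES = {"CVE-2018-0017": "nat_pt", "CVE-2018-0018": "idp"}

# X-train release strings such as 12.3X48-D40 or 15.1X49-D90.7 (spin number optional).
X_RELEASE = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")

def parse_release(version):
    """Return (train, d_number), or None for anything that is not an X-train release."""
    m = X_RELEASE.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None

def exposure(version, nat_pt=False, idp=False):
    """Map each CVE to: affected, fixed, feature-not-configured or train-not-listed."""
    features = {"nat_pt": nat_pt, "idp": idp}
    parsed = parse_release(version)
    status = {}
    for cve, trains in FIXED.items():
        if parsed is None or parsed[0] not in trains:
            status[cve] = "train-not-listed"   # e.g. 17.3R1, outside the affected list
        elif parsed[1] >= trains[parsed[0]]:
            status[cve] = "fixed"
        elif not features[REQUIRES[cve]]:
            status[cve] = "feature-not-configured"
        else:
            status[cve] = "affected"
    return status

# Constructed inventory: (hostname, version string, NAT-PT configured, IDP policy applied).
INVENTORY = [
    ("srx-edge-1", "12.3X48-D40", True, True),
    ("srx-edge-2", "15.1X49-D90.7", True, True),
    ("srx-branch-1", "12.1X46-D55", False, True),
    ("srx-lab-1", "17.3R1", False, False),
]

def triage(inventory):
    return {h: exposure(v, nat_pt=n, idp=i) for h, v, n, i in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, result)
```

A device reported as feature-not-configured is still running a release in the
affected range and becomes exposed as soon as NAT-PT or an IDP policy is
enabled, so it belongs on the upgrade list as well.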

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
