ESB-2018.1132 - [Juniper] Network Security Manager Appliance: Multiple vulnerabilities 2018-04-12

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1132
        NSM Appliance: Multiple vulnerabilities resolved in CentOS
                        6.5-based 2012.2R12 release
                               12 April 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Network Security Manager Appliance
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise     -- Existing Account      
                   Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5829 CVE-2016-5696 CVE-2016-4565
                   CVE-2016-4470 CVE-2016-2550 CVE-2016-2143
                   CVE-2016-1583 CVE-2016-0774 CVE-2015-8767
                   CVE-2015-8543 CVE-2015-8324 CVE-2015-8104
                   CVE-2015-7872 CVE-2015-7613 CVE-2015-7550
                   CVE-2015-5307 CVE-2015-5157 CVE-2015-5156
                   CVE-2015-2925 CVE-2015-1805 CVE-2014-8134
                   CVE-2014-7842 CVE-2013-4312 CVE-2010-5313

Reference:         ASB-2016.0093
                   ASB-2016.0034
                   ASB-2016.0017
                   ESB-2015.1572
                   ESB-2015.1497
                   ESB-2015.1440

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10853

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-04 Security Bulletin: NSM Appliance: Multiple vulnerabilities resolved in
CentOS 6.5-based 2012.2R12 release


CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at
KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."


Product Affected:

These issues affect Network and Security Manager (NSM) Appliance 2012.2.


Problem:

Multiple vulnerabilities that potentially affect the NSM Appliance operating
system have been resolved in the CentOS 6.5-based 2012.2R12 release.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

Important security issues resolved as a result of these upgrades include:

CVE-2015-5157   CVSS 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64
    platform mishandles IRET faults in processing NMIs that occurred during
    userspace execution, which might allow local users to gain privileges by
    triggering an NMI.

CVE-2016-1583   CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the
    Linux kernel before 4.6.3 allows local users to gain privileges or cause a
    denial of service (stack memory consumption) via vectors involving crafted
    mmap calls for /proc pathnames, leading to recursive pagefault handling.

CVE-2016-4565   CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly
    relies on the write system call, which allows local users to cause a
    denial of service (kernel memory write operation) or possibly have
    unspecified other impact via a uAPI interface.

CVE-2016-5829   CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Multiple heap-based buffer overflows in the hiddev_ioctl_usage function in
    drivers/hid/usbhid/hiddev.c in the Linux kernel through 4.6.3 allow local
    users to cause a denial of service or possibly have unspecified other
    impact via a crafted (1) HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.

CVE-2015-2925   CVSS 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4
    does not properly handle rename actions inside a bind mount, which allows
    local users to bypass an intended container protection mechanism by
    renaming a directory, related to a "double-chroot attack."

CVE-2015-7613   CVSS 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
    Race condition in the IPC object implementation in the Linux kernel
    through 4.2.3 allows local users to gain privileges by triggering an
    ipc_addid call that leads to uid and gid comparisons against uninitialized
    data, related to msg.c, shm.c, and util.c.

CVE-2015-8543   CVSS 7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
    The networking implementation in the Linux kernel through 4.3.3, as used
    in Android and other products, does not validate protocol identifiers for
    certain protocol families, which allows local users to cause a denial of
    service (NULL function pointer dereference and system crash) or possibly
    gain privileges by leveraging CLONE_NEWUSER support to execute a crafted
    SOCK_RAW application.

CVE-2016-2143   CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    The fork implementation in the Linux kernel before 4.5 on s390 platforms
    mishandles the case of four page-table levels, which allows local users to
    cause a denial of service (system crash) or possibly have unspecified
    other impact via a crafted application, related to
    arch/s390/include/asm/mmu_context.h and arch/s390/include/asm/pgalloc.h.

CVE-2015-5156   CVSS 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)
    The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel
    before 4.2 attempts to support a FRAGLIST feature without proper memory
    allocation, which allows guest OS users to cause a denial of service
    (buffer overflow and memory corruption) via a crafted sequence of
    fragmented packets.

CVE-2016-5696   CVSS 4.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
    net/ipv4/tcp_input.c in the Linux kernel before 4.7 does not properly
    determine the rate of challenge ACK segments, which makes it easier for
    remote attackers to hijack TCP sessions via a blind in-window attack.

CVE-2016-0774   CVSS 6.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
    The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in a
    certain Linux kernel backport in the linux package before 3.2.73-2+deb7u3
    on Debian wheezy and the kernel package before 3.10.0-229.26.2 on Red Hat
    Enterprise Linux (RHEL) 7.1 do not properly consider the side effects of
    failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which
    allows local users to cause a denial of service (system crash) or possibly
    gain privileges via a crafted application, aka an "I/O vector array
    overrun." NOTE: this vulnerability exists because of an incorrect fix for
    CVE-2015-1805.

CVE-2015-8767   CVSS 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    net/sctp/sm_sideeffect.c in the Linux kernel before 4.3 does not properly
    manage the relationship between a lock and a socket, which allows local
    users to cause a denial of service (deadlock) via a crafted sctp_accept
    call.

CVE-2010-5313   CVSS 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    Race condition in arch/x86/kvm/x86.c in the Linux kernel before 2.6.38
    allows L2 guest OS users to cause a denial of service (L1 guest OS crash)
    via a crafted instruction that triggers an L2 emulation failure report, a
    similar issue to CVE-2014-7842.

CVE-2015-5307   CVSS 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through
    4.6.x, allows guest OS users to cause a denial of service (host OS panic
    or hang) by triggering many #AC (aka Alignment Check) exceptions, related
    to svm.c and vmx.c.

CVE-2015-7550   CVSS 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel
    before 4.3.4 does not properly use a semaphore, which allows local users
    to cause a denial of service (NULL pointer dereference and system crash)
    or possibly have unspecified other impact via a crafted application that
    leverages a race condition between keyctl_revoke and keyctl_read calls.

CVE-2015-8324   CVSS 4.6 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    The ext4 implementation in the Linux kernel before 2.6.34 does not
    properly track the initialization of certain data structures, which
    allows physically proximate attackers to cause a denial of service (NULL
    pointer dereference and panic) via a crafted USB device, related to the
    ext4_fill_super function.

CVE-2016-2550   CVSS 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    The Linux kernel before 4.5 allows local users to bypass file-descriptor
    limits and cause a denial of service (memory consumption) by leveraging
    incorrect tracking of descriptor ownership and sending each descriptor
    over a UNIX socket before closing it. NOTE: this vulnerability exists
    because of an incorrect fix for CVE-2013-4312.

CVE-2016-4470   CVSS 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
    The key_reject_and_link function in security/keys/key.c in the Linux
    kernel through 4.6.3 does not ensure that a certain data structure is
    initialized, which allows local users to cause a denial of service
    (system crash) via vectors involving a crafted keyctl request2 command.

CVE-2015-8104   CVSS 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through
    4.6.x, allows guest OS users to cause a denial of service (host OS panic
    or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.

CVE-2014-8134   CVSS 2.1 (AV:L/AC:L/Au:N/C:P/I:N/A:N)
    The paravirt_ops_setup function in arch/x86/kernel/kvm.c in the Linux
    kernel through 3.18 uses an improper paravirt_enabled setting for KVM
    guest kernels, which makes it easier for guest OS users to bypass the
    ASLR protection mechanism via a crafted application that reads a 16-bit
    value.

CVE-2015-7872   CVSS 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)
    The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel
    through 4.2.6 allows local users to cause a denial of service (OOPS) via
    crafted keyctl commands.


Solution:

The following software releases have been updated to resolve these issues:
2012.2R12, and all subsequent releases on NSM Appliance.

CentOS 5.7 has reached End of Engineering; customers should upgrade NSM
Appliances to CentOS 6.5 to receive ongoing updates.

Customers using the software-only package, who supply their own operating
system, should apply the fixes for these CVEs from their operating system
vendor.

This issue is being tracked as PR 1107641 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).


Workaround:

There are no viable workarounds for these issues.


Implementation:

Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.


Modification History:

    2018-04-11: Initial Publication.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================