ESB-2018.2014 - [Juniper] Junos OS: Multiple vulnerabilities 2018-07-12


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2014
               Multiple vulnerabilities patched in Junos OS
                               12 July 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Increased Privileges     -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0034 CVE-2018-0032 CVE-2018-0031
                   CVE-2018-0030 CVE-2018-0029 CVE-2018-0027
                   CVE-2018-0026 CVE-2018-0025 CVE-2018-0024
                   CVE-2015-7236  

Reference:         ASB-2016.0043
                   ESB-2018.0154
                   ESB-2015.2479

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10857
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10858
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10859
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10860
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10861
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10863
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10864
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10865
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10866
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10868

Comment: This bulletin contains ten (10) Juniper security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-07 Security Bulletin: Junos OS: A privilege escalation vulnerability exists
where authenticated users with shell access can become root (CVE-2018-0024)

[JSA10857]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1X49. Affected
platforms: EX Series, QFX3500, QFX3600, QFX5100, SRX Series.
PROBLEM:
An Improper Privilege Management vulnerability in a shell session of Juniper
Networks Junos OS allows an authenticated unprivileged attacker to gain full
control of the system.

Affected releases are Juniper Networks Junos OS:
12.1X46 versions prior to 12.1X46-D45 on SRX Series;
12.3X48 versions prior to 12.3X48-D20 on SRX Series;
12.3 versions prior to 12.3R11 on EX Series;
14.1X53 versions prior to 14.1X53-D30 on EX2200/VC, EX3200, EX3300/VC, EX4200,
EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
15.1X49 versions prior to 15.1X49-D20 on SRX Series.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was found during internal product security testing or research.
This issue has been assigned CVE-2018-0024.

SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X46-D45, 12.3X48-D20, 12.3R11, 14.1X53-D30, 15.1X49-D20 and
all subsequent releases.
This issue is being tracked as PR 1004217 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Disallow unprivileged authenticated users access to Junos shell.
Limit shell access to only trusted administrators.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0024 Junos OS: A privilege escalation vulnerability exists where
authenticated users with shell access can become root
CVSS SCORE: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL: High

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: SRX Series: Credentials exposed when using
HTTP and HTTPS Firewall Pass-through User Authentication (CVE-2018-0025)

[JSA10858]

PRODUCT AFFECTED:
Junos OS

PROBLEM:
When an SRX Series device is configured to use HTTP/HTTPS pass-through
authentication services, a client sending authentication credentials in the
initial HTTP/HTTPS session is at risk that these credentials may be captured
during follow-on HTTP/HTTPS requests by a malicious actor through a
man-in-the-middle attack or by authentic servers subverted by malicious actors.

FTP and Telnet pass-through authentication services are not affected.

Affected releases are Juniper Networks SRX Series:
12.1X46 versions prior to 12.1X46-D67 on SRX Series;
12.3X48 versions prior to 12.3X48-D25 on SRX Series;
15.1X49 versions prior to 15.1X49-D35 on SRX Series.
For further information on configuration stanza please refer to the URLs below.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0025.

SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X46-D67, 12.3X48-D25, 15.1X49-D35, 17.3R1 and all
subsequent releases.
This issue is being tracked as PR 1122278 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

WORKAROUND:
1. Discontinue use of HTTP/HTTPS Pass-through Firewall User Authentication
2. Use web-redirect when using Pass-through Firewall User Authentication

Example: 
  set security policies from-zone * to-zone * policy * then permit firewall-authentication pass-through web-redirect
For additional configuration guidance, customers should contact JTAC Support.

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0025 Junos OS: SRX Series: Credentials exposed when using HTTP and
HTTPS Firewall Pass-through User Authentication (CVE-2018-0025)
Understanding Pass-Through Authentication
Example: Configuring Pass-Through Authentication
Example: Configuring HTTPS Traffic to Trigger Pass-Through Authentication
CVSS SCORE: 6.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
RISK LEVEL: Medium

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Stateless IP firewall filter rules stop
working as expected after reboot or upgrade (CVE-2018-0026)

[JSA10859]

PRODUCT AFFECTED:
This issue affects Junos OS 15.1, 15.1X8.
PROBLEM:
After Junos OS device reboot or upgrade, the stateless firewall filter
configuration may not take effect.

This issue can be verified by running the command:
  user@re0> show interfaces <interface_name> extensive | match filters
      CAM destination filters: 0, CAM source filters: 0

Note: when the issue occurs, it does not show the applied firewall filter.

The correct output should show the applied firewall filter, for example:
  user@re0> show interfaces <interface_name> extensive | match filters
      CAM destination filters: 0, CAM source filters: 0
        Input Filters: FIREWAL_FILTER_NAME-<interface_name>

This issue affects firewall filters for every address family.
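
A post-reboot check for the symptom described above, as an added example that is not part of the Juniper advisory: it parses saved output of the command shown and reports interfaces whose intended filter is no longer listed. The filter name EDGE-IN, the interface names, the "Output Filters:" line and the name-matching rule are assumptions; the sample capture is constructed.

```python
import re

# Prompt line in the form the advisory shows:
#   user@re0> show interfaces <interface_name> extensive | match filters
CMD_RE = re.compile(r"^\s*\S+@\S+>\s*show interfaces (\S+) extensive\b")
# Binding line, e.g. "Input Filters: NAME-<interface_name>".
# "Output Filters:" is handled the same way (assumption, not shown on the page).
FILTER_RE = re.compile(r"^\s*(Input|Output) Filters:\s*(.+?)\s*$")


def parse_capture(text):
    """Return {interface: {"Input": set, "Output": set}} from a saved CLI capture."""
    bound = {}
    current = None
    for line in text.splitlines():
        m = CMD_RE.match(line)
        if m:
            current = m.group(1)
            bound.setdefault(current, {"Input": set(), "Output": set()})
            continue
        m = FILTER_RE.match(line)
        if m and current is not None:
            # Assumption: several names on one line are comma or space separated.
            names = {n for n in re.split(r"[,\s]+", m.group(2)) if n}
            bound[current][m.group(1)] |= names
    return bound


def _is_bound(expected_name, ifname, shown_names):
    """Match the configured name exactly, or with the "-<interface_name>"
    suffix that the advisory's sample output shows."""
    prefix = f"{expected_name}-{ifname}"
    return any(s == expected_name or s.startswith(prefix) for s in shown_names)


def missing_filters(expected, capture_text):
    """expected: {interface: {"Input": [names], "Output": [names]}} taken from
    the intended configuration. Returns a sorted list of
    (interface, direction, filter, reason) where reason is "not-bound"
    (the symptom in the advisory) or "not-captured" (no output for that
    interface in the capture, so nothing can be concluded)."""
    bound = parse_capture(capture_text)
    findings = []
    for ifname, directions in expected.items():
        shown = bound.get(ifname)
        for direction, names in directions.items():
            for name in names:
                if shown is None:
                    findings.append((ifname, direction, name, "not-captured"))
                elif not _is_bound(name, ifname, shown[direction]):
                    findings.append((ifname, direction, name, "not-bound"))
    return sorted(findings)


# Constructed sample: ge-0/0/0 shows its filter, ge-0/0/1 shows the symptom.
SAMPLE_CAPTURE = """\
user@re0> show interfaces ge-0/0/0 extensive | match filters
    CAM destination filters: 0, CAM source filters: 0
      Input Filters: EDGE-IN-ge-0/0/0
user@re0> show interfaces ge-0/0/1 extensive | match filters
    CAM destination filters: 0, CAM source filters: 0
"""

# Constructed expectation: what the configuration is supposed to apply.
EXPECTED = {
    "ge-0/0/0": {"Input": ["EDGE-IN"]},
    "ge-0/0/1": {"Input": ["EDGE-IN"]},
    "ge-0/0/2": {"Input": ["EDGE-IN"]},
}

if __name__ == "__main__":
    for ifname, direction, name, reason in missing_filters(EXPECTED, SAMPLE_CAPTURE):
        print(f"{ifname}: {direction} filter {name}: {reason}")
```

Run it against captures taken after every reboot or upgrade of a 15.1 or 15.1X8 device; a "not-bound" finding is the condition the advisory restores with "commit full".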

Affected releases are Juniper Networks Junos OS:
15.1R4, 15.1R5, 15.1R6 and SRs based on these MRs.
15.1X8 versions prior to 15.1X8.3.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0026.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 15.1R7, 15.1X8.3 and all subsequent releases.

This issue is being tracked as PR 1161832 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no known workarounds for this issue.

However, once the issue has occurred, it can be restored by performing "commit
full" (note: "commit full" is a potentially disruptive command).

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0026: Junos OS: Stateless IP firewall filter rules stop working as
expected after reboot or upgrade
CVSS SCORE: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
RISK LEVEL: Medium

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: FreeBSD-SA-15:24.rpcbind : rpcbind(8)
remote denial of service

[JSA10860]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49,
15.1X53, 15.1X54, 16.1.

PROBLEM:
A use-after-free vulnerability in rpcbind of Juniper Networks Junos OS
allows an attacker to cause a Denial of Service against rpcbind.

Affected releases are Juniper Networks Junos OS:
12.1X46 versions prior to 12.1X46-D67 on SRX Series;
12.3R12 versions prior to 12.3R12-S10 on EX Series;
12.3X48 versions prior to 12.3X48-D55 on SRX Series;
14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200,
EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
14.1X53 versions prior to 14.1X53-D130 on QFabric System;
15.1 versions prior to 15.1F5-S5, 15.1F6-S1, 15.1F7, 15.1R4-S5, 15.1R5;
15.1X49 versions prior to 15.1X49-D110 on SRX Series;
15.1X53 versions prior to 15.1X53-D47, 15.1X53-D470 on NFX150, NFX250;
15.1X53 versions prior to 15.1X53-D233 on QFX5110, QFX5200;
15.1X53 versions prior to 15.1X53-D60 on QFX10000 Series;
15.1X53 versions prior to 15.1X53-D59 on EX2300, EX3400;
15.1X54 versions prior to 15.1X54-D67 on ACX Series;
16.1 versions prior to 16.1R2.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was discovered during external security research.
This issue has been assigned CVE-2015-7236.

SOLUTION:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D67, 12.3R12-S10, 12.3X48-D55, 14.1X53-D47, 14.1X53-D130*,
15.1F5-S5, 15.1F6-S1, 15.1F7, 15.1R4-S5, 15.1R5, 15.1X49-D110, 15.1X53-D47,
15.1X53-D59, 15.1X53-D60, 15.1X53-D233, 15.1X53-D470, 16.1R2, 16.2R1 and all
subsequent releases.
*Pending Publication

This issue is being tracked as PR 1188676 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Disable rpcbind services where not needed.*
To further reduce the risk of exploitation, customers may:
Enable loopback firewall filters on the device to drop rpcbind from untrusted
networks. 
Filter out rpcbind traffic from reaching the device by using off-system services
and devices.
There are no other viable workarounds for this issue.
*Customers are advised to proceed with caution when disabling rpcbind.
Customers intending to disable rpcbind should contact JTAC for supporting
configuration guidance to determine if this workaround option is possible.
Disabling rpcbind without review may cause a disruption to service.
 

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2015-7236 Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c
in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of
service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
CVSS SCORE: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: Medium

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Receipt of malformed RSVP packet may lead
to RPD denial of service (CVE-2018-0027)

[JSA10861]

PRODUCT AFFECTED:
This issue affects Junos OS 16.1.
PROBLEM:
Receipt of a crafted or malformed RSVP PATH message may cause the routing
protocol daemon (RPD) to hang or crash. When RPD is unavailable, routing updates
cannot be processed which can lead to an extended network outage.

If RSVP is not enabled on an interface, then the issue cannot be triggered via
that interface.

This issue only affects Juniper Networks Junos OS 16.1 versions prior to 16.1R3.

This issue does not affect Junos releases prior to 16.1R1.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0027.

SOLUTION:
The following software releases have been updated to resolve this specific
issue: 16.1R3, 16.2R1, and all subsequent releases.

This issue is being tracked as PR 1214350 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Only enable RSVP on specific trusted interfaces as required for MPLS.

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0027:Junos OS: Receipt of malformed RSVP packet may lead to RPD
denial of service
CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Kernel crash (vmcore) during broadcast
storm after enabling 'monitor traffic interface fxp0' (CVE-2018-0029)

[JSA10863]

PRODUCT AFFECTED:
This issue affects Junos OS 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2,
17.2X75, 17.3, 17.4.

PROBLEM:
While experiencing a broadcast storm, placing the fxp0 interface into
promiscuous mode via the 'monitor traffic interface fxp0' command can cause the
system to crash and restart (vmcore).

This issue only affects Junos OS 15.1 and later releases, and affects both
single core and multi-core REs. Releases prior to Junos OS 15.1 are unaffected
by this vulnerability.

Affected releases are Juniper Networks Junos OS:
15.1 versions prior to 15.1F6-S11, 15.1R4-S9, 15.1R6-S6, 15.1R7;
15.1X49 versions prior to 15.1X49-D140;
15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400;
15.1X53 versions prior to 15.1X53-D67 on QFX10K;
15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110;
15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX;
16.1 versions prior to 16.1R3-S8, 16.1R5-S4, 16.1R6-S1, 16.1R7;
16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
17.2X75 versions prior to 17.2X75-D90, 17.2X75-D110;
17.3 versions prior to 17.3R1-S4, 17.3R2;
17.4 versions prior to 17.4R1-S3, 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.

This issue has been assigned CVE-2018-0029.
 
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 15.1F6-S11*, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233,
15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R5-S4,
16.1R6-S1, 16.1R7, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3,
17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D90, 17.3R1-S4, 17.3R2,
17.4R1-S3, 17.4R2, 18.1R1, 18.1X75-D10, and all subsequent releases.
*Future availability

This issue is being tracked as PR 1322294 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).
 
WORKAROUND:
Avoid executing the 'monitor traffic interface fxp0' command while attempting
to troubleshoot broadcast storms.

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/
 
MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0029: Kernel crash (vmcore) during broadcast storm after enabling
'monitor traffic interface fxp0'
CVSS SCORE: 5.7 (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
RISK LEVEL: Medium

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1,
FPC-P2) and PTX1K: Line card may crash upon receipt of specific MPLS packet
(CVE-2018-0030)

[JSA10864]

PRODUCT AFFECTED:
This issue affects Junos OS platforms with MPC7/8/9 or PTX-FPC3 (FPC-P1,
FPC-P2) installed and PTX1K 15.1, 15.1F, 16.1, 16.1X65, 16.2, 17.1, 17.2,
17.2X75, 17.3, 17.4.

PROBLEM:
Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1,
FPC-P2) line cards or PTX1K to crash and restart.
By continuously sending specific MPLS packets, an attacker can repeatedly
crash the line cards or PTX1K causing a sustained Denial of Service.
Affected releases are Juniper Networks Junos OS with MPC7/8/9 or PTX-FPC3
(FPC-P1, FPC-P2) installed and PTX1K:
15.1F versions prior to 15.1F6-S10;
15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7;
16.1X65 versions prior to 16.1X65-D46;
16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S4, 17.2R2-S4, 17.2R3;
17.2X75 versions prior to 17.2X75-D70, 17.2X75-D90;
17.3 versions prior to 17.3R1-S4, 17.3R2;
17.4 versions prior to 17.4R1-S2, 17.4R2.
Refer to KB25385 for more information about PFE line cards.
This issue only affects devices with MPLS configured.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0030.

SOLUTION:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D77, 12.3X48-D70, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9,
15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D471, 15.1X53-D59, 15.1X53-D67,
16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.1X65-D46, 16.2R1-S6,
16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S4, 17.2R2-S4, 17.2R3,
17.2X75-D70, 17.3R1-S4, 17.3R2, 17.4R1-S2, 17.4R2, 18.1R1, 18.1X75-D10 and all
subsequent releases.
This fix has been proactively committed into other releases that might not
support these specific line cards.
This issue is being tracked as PR 1323069 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
No available workaround exists for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0030: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) and
PTX1K: Line card may crash upon receipt of specific MPLS packet
A mapping between chipset type and PFE module
CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Receipt of specially crafted UDP packets
over MPLS may bypass stateless IP firewall rules (CVE-2018-0031)

[JSA10865]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49,
15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.1, 18.2X75.
PROBLEM:
Receipt of specially crafted UDP/IP packets over MPLS may be able to bypass a
stateless firewall filter. The crafted UDP packets must be encapsulated and
meet a very specific packet format to be classified in a way that bypasses IP
firewall filter rules. The packets themselves do not cause a service
interruption (e.g. RPD crash), but receipt of a high rate of UDP packets may
be able to contribute to a denial of service attack.

This issue only affects processing of transit UDP/IP packets over MPLS,
received on an interface with MPLS enabled. TCP packet processing and non-MPLS
encapsulated UDP packet processing are unaffected by this issue.

Affected releases are Juniper Networks Junos OS:
12.1X46 versions prior to 12.1X46-D76;
12.3 versions prior to 12.3R12-S10;
12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70;
14.1X53 versions prior to 14.1X53-D47;
15.1 versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7;
15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140;
15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400;
15.1X53 versions prior to 15.1X53-D67 on QFX10K;
15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110;
15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX;
16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7;
16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
17.2X75 versions prior to 17.2X75-D100, 17.2X75-D110;
17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
17.4 versions prior to 17.4R1-S3, 17.4R2;
18.1 versions prior to 18.1R2;
18.2X75 versions prior to 18.2X75-D5.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was discovered during external security research.

This issue has been assigned CVE-2018-0031.
 
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D76, 12.3X48-D66, 12.3X48-D70, 14.1X53-D47, 15.1F6-S10,
15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131, 15.1X49-D140, 15.1X53-D233,
15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S9,
16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7,
17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D100, 17.2X75-D110,
17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5,
and all subsequent releases.

This issue is being tracked as PR 1326402 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).
 
WORKAROUND:
There are no viable workarounds for this issue.
 
IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/
 
MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0031: Receipt of specially crafted UDP packets over MPLS may bypass
stateless IP firewall rules
CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
RISK LEVEL: Medium

ACKNOWLEDGEMENTS:
The Juniper SIRT would like to acknowledge and thank Internet2
and The Indiana University GlobalNOC for responsibly disclosing this
vulnerability.

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: RPD crash when receiving a crafted BGP
UPDATE (CVE-2018-0032)

[JSA10866]

PRODUCT AFFECTED:
This issue affects Junos OS 16.1X65, 17.2X75, 17.3, 17.4.
PROBLEM:
The receipt of a crafted BGP UPDATE can lead to a routing process daemon (RPD)
crash and restart. Repeated receipt of the same crafted BGP UPDATE can result
in an extended denial of service condition for the device.

This issue only affects the specific versions of Junos OS listed within this
advisory. Earlier releases are unaffected by this vulnerability.

This crafted BGP UPDATE does not propagate to other BGP peers.

Affected releases are Juniper Networks Junos OS:
16.1X65 versions prior to 16.1X65-D47;
17.2X75 versions prior to 17.2X75-D91, 17.2X75-D110;
17.3 versions prior to 17.3R1-S4, 17.3R2;
17.4 versions prior to 17.4R1-S3, 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0032.
 
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 16.1X65-D47, 17.2X75-D110, 17.2X75-D91, 17.3R1-S4, 17.3R2, 17.4R1-S3,
17.4R2, 18.1R1, 18.2R1, 18.2X75-D5, and all subsequent releases.

This issue is being tracked as PR 1327708 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).
 
WORKAROUND:
There are no known workarounds for this issue.
 
IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/
 
MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0032: RPD crash when receiving a crafted BGP UPDATE
CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

- --------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: A malicious crafted IPv6 DHCP packet may
cause the JDHCPD daemon to core (CVE-2018-0034)

[JSA10868]

PRODUCT AFFECTED:
This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53,
16.1, 16.2, 17.1, 17.2, 17.3, 17.4.

PROBLEM:
A Denial of Service vulnerability exists in the Juniper Networks Junos OS
JDHCPD daemon which allows an attacker to core the JDHCPD daemon by sending a
crafted IPv6 packet to the system.
This issue is limited to systems which receive IPv6 DHCP packets on a system
configured for DHCP processing using the JDHCPD daemon.
This issue does not affect IPv4 DHCP packet processing.

Affected releases are Juniper Networks Junos OS:
12.3 versions prior to 12.3R12-S10 on EX Series;
12.3X48 versions prior to 12.3X48-D70 on SRX Series;
14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200,
EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
14.1X53 versions prior to 14.1X53-D130 on QFabric;
15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
15.1X49 versions prior to 15.1X49-D140 on SRX Series;
15.1X53 versions prior to 15.1X53-D67 on QFX10000 Series;
15.1X53 versions prior to 15.1X53-D233 on QFX5110, QFX5200;
15.1X53 versions prior to 15.1X53-D471 on NFX 150, NFX 250;
16.1 versions prior to 16.1R3-S9, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7;
16.2 versions prior to 16.2R2-S5, 16.2R3;
17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
17.4 versions prior to 17.4R1-S3, 17.4R2.

For applicable CLI configuration assistance on your device please refer to the
KB and Feature Explorer in the URL section further in this advisory.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0034.

 

SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.3R12-S10, 12.3X48-D70, 14.1X53-D130*, 14.1X53-D47,
15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471,
15.1X53-D67, 16.1R3-S9, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R2-S5,
16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.3R1-S4,
17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, and all subsequent releases.
*Pending Publication
This issue is being tracked as PR 1334230 which is visible on the Customer
Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no viable workarounds for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0034: Junos OS: A malicious crafted IPv6 DHCP packet may cause the
JDHCPD daemon to core (CVE-2018-0034)
CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
RISK LEVEL: Medium

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----