ESB-2018.3082 - [Juniper] Junos OS: Multiple vulnerabilities 2018-10-11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3082
       2018-10 Security Bulletin: Junos OS: Multiple Vulnerabilities
                              11 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise   -- Remote/Unauthenticated
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0052 CVE-2018-0051 CVE-2018-0050
                   CVE-2018-0049 CVE-2018-0048 CVE-2018-0045
                   CVE-2018-0043  

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10879
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10882
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10883
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10884
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10885
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10886

Comment: This bulletin contains seven (7) security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-10 Security Bulletin: Junos OS: RPD daemon crashes upon
receipt of specific MPLS packet (CVE-2018-0043)

[JSA10877]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1F6, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1, 17.2,
17.2X75, 17.3, 17.4.

Problem:

Receipt of a specific MPLS packet may cause the routing protocol
daemon (RPD) process to crash and restart or may lead to remote
code execution.
By continuously sending specific MPLS packets, an attacker can
repeatedly crash the RPD process causing a sustained Denial of
Service.

This issue affects both IPv4 and IPv6.

This issue can only be exploited from within the MPLS domain.
End-users connected to the CE device cannot cause this crash.

Affected releases are Juniper Networks Junos OS:
  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
  o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
  o 14.1X53 versions prior to 14.1X53-D130 on QFabric Series;
  o 15.1F6 versions prior to 15.1F6-S10;
  o 15.1 versions prior to 15.1R4-S9, 15.1R7;
  o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
    Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX
    Series;
  o 16.1 versions prior to 16.1R3-S8, 16.1R4-S8, 16.1R5-S4,
    16.1R6-S4, 16.1R7;
  o 16.1X65 versions prior to 16.1X65-D48;
  o 16.2 versions prior to 16.2R1-S6, 16.2R3;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S6, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S3, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D100, 17.2X75-D42,
    17.2X75-D91;
  o 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2.

This issue may occur when the Junos OS device is configured with:
[protocols mpls interface]

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by
this issue.

This issue has been assigned CVE-2018-0043.
 
Solution:

The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75,
14.1X53-D130, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9, 15.1R7,
15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490,
15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S8, 16.1R5-S4,
16.1R6-S4, 16.1R7, 16.1X65-D48, 16.2R1-S6, 16.2R2-S6, 16.2R3,
17.1R1-S7, 17.1R2-S6, 17.1R3, 17.2R1-S6, 17.2R2-S3, 17.2R3,
17.2X75-D100, 17.2X75-D42, 17.2X75-D91, 17.3R1-S4, 17.3R2-S2,
17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5 and all
subsequent releases.

This issue is being tracked as PR 1328058 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
 
Workaround:

There are no known workarounds for this issue.
 
Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2018-0043 at cve.mitre.org
  o https://kb.juniper.net/JSA10877

CVSS Score:

8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:

High

===============================================================================

2018-10 Security Bulletin: Junos OS: RPD daemon crashes due to
receipt of specific Draft-Rosen MVPN control packet in Draft-Rosen
MVPN configuration (CVE-2018-0045)

[JSA10879]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 15.1, 15.1F6,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1.

Problem:

Receipt of a specific Draft-Rosen MVPN control packet may cause
the routing protocol daemon (RPD) process to crash and restart or
may lead to remote code execution. By continuously sending the
same specific Draft-Rosen MVPN control packet, an attacker can
repeatedly crash the RPD process causing a prolonged denial of
service.

This issue may occur when the Junos OS device is configured for
Draft-Rosen multicast virtual private network (MVPN). The VPN is
multicast-enabled and configured to use Protocol Independent
Multicast (PIM) protocol within the VPN.

This issue can only be exploited from the PE device within the
MPLS domain which is capable of forwarding IP multicast traffic in
core.
End-users connected to the CE device cannot cause this crash.

Affected releases are Juniper Networks Junos OS:
  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D70 on SRX Series;
  o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
  o 15.1F6;
  o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
    Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX
    Series;
  o 16.1 versions prior to 16.1R4-S9, 16.1R5-S4, 16.1R6-S3,
    16.1R7;
  o 16.2 versions prior to 16.2R1-S6, 16.2R2-S6, 16.2R3;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R2-S4, 17.2R3;
  o 17.3 versions prior to 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2;
  o 18.1 versions prior to 18.1R2.

This issue may occur when the Junos OS device is configured with:
[routing-instances <name> protocols pim mvpn]
[routing-instances <name> provider-tunnel pim-*]

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by
this issue.

This issue has been assigned CVE-2018-0045.
 
Solution:

The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 15.1R4-S9,
15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471,
15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R5-S4,
16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S6, 16.2R3, 17.1R1-S7,
17.1R2-S7, 17.1R3, 17.2R2-S4, 17.2R3, 17.3R2-S2, 17.3R3,
17.4R1-S3, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5 and all subsequent
releases.

This issue is being tracked as PR 1339567 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
 
Workaround:

There are no known workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2018-0045 at cve.mitre.org
  o https://kb.juniper.net/JSA10879

CVSS Score:

8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:

High

===============================================================================

2018-10 Security Bulletin: Junos OS: Memory exhaustion denial of
service vulnerability in Routing Protocols Daemon (RPD) with
Juniper Extension Toolkit (JET) support (CVE-2018-0048)

[JSA10882]

Product Affected:

This issue affects Junos OS 17.2, 17.2X75, 17.3, 17.4, 18.1.

Problem:

A vulnerability in the Routing Protocols Daemon (RPD) with Juniper
Extension Toolkit (JET) support can allow a network based
unauthenticated attacker to cause a severe memory exhaustion
condition on the device. This can have an adverse impact on the
system performance and availability.

This issue only affects devices with JET support running Junos OS
17.2R1 and subsequent releases. Other versions of Junos OS are
unaffected by this vulnerability.

Affected releases are Juniper Networks Junos OS:

  o 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110;
  o 17.3 versions prior to 17.3R2-S4, 17.3R3;
  o 17.4 versions prior to 17.4R1-S5, 17.4R2;
  o 18.1 versions prior to 18.1R2-S3, 18.1R3.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was found during internal product security testing or
research.

This issue has been assigned CVE-2018-0048.
 
Solution:

The following software releases have been updated to resolve this
specific issue: 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D102,
17.2X75-D110, 17.3R2-S4, 17.3R3, 17.4R1-S5, 17.4R2, 18.1R2-S3,
18.1R3, 18.2R1, 18.2X75-D10, 18.3R1, and all subsequent releases.

This issue is being tracked as PR 1344177 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

There are no viable workarounds for this issue.
 
Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.

Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Monthly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

===============================================================================

2018-10 Security Bulletin: Junos OS: Receipt of a specifically
crafted malicious MPLS packet leads to a Junos kernel crash
(CVE-2018-0049)

[JSA10883]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4,
18.1, 18.2, 18.2X75.

Problem:

A NULL Pointer Dereference vulnerability in Juniper Networks Junos
OS allows an attacker to cause the Junos OS kernel to crash. A
single packet received by the target victim will cause a Denial of
Service condition.  Continued receipt of this specifically crafted
malicious MPLS packet will cause a sustained Denial of Service
condition.

This issue requires the packet to be received on an interface
configured to receive this type of traffic.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions above and including 12.1X46-D76 prior to
    12.1X46-D81 on SRX Series;
  o 12.3R12-S10;
  o 12.3X48 versions above and including 12.3X48-D66 prior to
    12.3X48-D75 on SRX Series;
  o 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300,
    EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600,
    QFX5100;
  o 14.1X53 versions above and including 14.1X53-D115 prior to
    14.1X53-D130 on QFabric System;
  o 15.1 versions above and including 15.1F6-S10;
  o 15.1R4-S9;
  o 15.1R6-S6;
  o 15.1 versions above and including 15.1R7 prior to 15.1R7-S2;
  o 15.1X49 versions above and including 15.1X49-D131 prior to
    15.1X49-D150 on SRX100, SRX110, SRX210, SRX220, SRX240m,
    SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500,
    SRX4100, SRX4200, SRX4600 and vSRX;
  o 15.1X53 versions above 15.1X53-D233 prior to 15.1X53-D235 on
    QFX5200/QFX5110;
  o 15.1X53 versions up to and including 15.1X53-D471 prior to
    15.1X53-D590 on NFX150, NFX250;
  o 15.1X53-D67 on QFX10000 Series;
  o 15.1X53-D59 on EX2300/EX3400;
  o 16.1 versions above and including 16.1R3-S8;
  o 16.1 versions above and including 16.1R4-S9 prior to
    16.1R4-S12;
  o 16.1 versions above and including 16.1R5-S4;
  o 16.1 versions above and including 16.1R6-S3 prior to
    16.1R6-S6;
  o 16.1 versions above and including 16.1R7 prior to 16.1R7-S2;
  o 16.2 versions above and including 16.2R1-S6;
  o 16.2 versions above and including 16.2R2-S5 prior to
    16.2R2-S7;
  o 17.1R1-S7;
  o 17.1 versions above and including 17.1R2-S7 prior to
    17.1R2-S9;
  o 17.2R1-S6;
  o 17.2 versions above and including 17.2R2-S4 prior to
    17.2R2-S6;
  o 17.2X75 versions above and including 17.2X75-D100 prior to
    17.2X75-D101, 17.2X75-D110;
  o 17.3 versions above and including 17.3R1-S4 on All non-SRX
    Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m,
    SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100,
    SRX4200, SRX4600 and vSRX;
  o 17.3 versions above and including 17.3R2-S2 prior to 17.3R2-S4
    on All non-SRX Series and SRX100, SRX110, SRX210, SRX220,
    SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345,
    SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.3R3 on All non-SRX Series and SRX100, SRX110, SRX210,
    SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340,
    SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.4 versions above and including 17.4R1-S3 prior to 17.4R1-S5
    on All non-SRX Series and SRX100, SRX110, SRX210, SRX220,
    SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345,
    SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.4R2 on All non-SRX Series and SRX100, SRX110, SRX210,
    SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340,
    SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.1 versions above and including 18.1R2 prior to 18.1R2-S3,
    18.1R3 on All non-SRX Series and SRX100, SRX110, SRX210,
    SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340,
    SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.2 versions above and including 18.2R1 prior to 18.2R1-S2,
    18.2R1-S3, 18.2R2 on All non-SRX Series and SRX100, SRX110,
    SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320,
    SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.2X75 versions above and including 18.2X75-D5 prior to
    18.2X75-D20.

The following minimal protocols configuration is required:

[protocols mpls interface]

Juniper SIRT is aware of possible malicious network probing which
may have triggered this issue, but not aware of any malicious
exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0049.
 
Solution:

The following software releases have been updated to resolve this
specific issue: 12.1X46-D81, 12.3R12-S11, 12.3X48-D75,
14.1X53-D130, 14.1X53-D48, 15.1R7-S2, 15.1X49-D150, 15.1X53-D235,
15.1X53-D495, 15.1X53-D68, 15.1X53-D590, 16.1R4-S12, 16.1R6-S6,
16.1R7-S2, 16.1X65-D48, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3,
17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D101, 17.2X75-D110,
17.3R2-S4, 17.3R3-S1, 17.3R4, 17.4R1-S5, 17.4R2-S1, 17.4R3,
18.1R2-S3, 18.1R3, 18.2R1-S2, 18.2R1-S3, 18.2R2, 18.2X75-D20,
18.3R1, and all subsequent releases.

Additionally, the following software releases have been
re-released to the Juniper download pages to resolve this specific
issue:

12.1X46-D76.1, 12.3X48-D70.4, 14.1X53-D47.6, 15.1F6-S10.11,
15.1R6-S6.2, 15.1R7.9, 15.1X49-D140.3, 15.1X53-D233.2,
15.1X53-D59.4, 15.1X53-D67.6, 16.1R6-S3.2, 16.1R7-S1.2, 16.1R7.8,
17.2X75-D100.6, 17.3R2-S2.2, 17.3R3.10, 17.4R1-S3.4, 18.1R2.6.

Note: The final ".xy" numeric entry, for example the .4 in
12.3X48-D70.4, on a release in this notice is the respin release
number. Customers should check the respin release number on the
version of Junos OS to confirm vulnerability.

This issue is being tracked as PR 1380862 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).

The following table is designed to assist with identifying a fix
path for your product. Each product has multiple potential fix
paths. First, there is the updated release of Junos. If you are
using an affected release of Junos that is listed in the Updated
column, the only change to the updated release is PR 1380862.
Second, there is the next "Fixed in" release, which contains at
least PR 1380862, other fixes, and potentially feature additions.
Third, there are certain releases which are proactively fixed and
those are called out. These proactively fixed releases were never
exposed to this issue. Not all affected release trains have fixes.
In those instances, customers should either update to a reissued
release or upgrade to a "Fixed in" release listed in the table
below. For additional configuration, update and upgrade
assistance, please contact your account manager or JTAC.

 Product and                           Fixed and
  platforms     Affected releases   reissued Junos     Fixed in
                                        release
12.3 (all      = 12.3R12-S10        None            >= 12.3R12-S11
platforms)
12.1X46 (SRX   >= 12.1X46-D76 and 
Branch         < 12.1X46-D81        12.1X46-D76.1   >= 12.1X46-D81
Series*)
12.3X48 (SRX   >= 12.3X48-D66 and 
Branch         < 12.3X48-D75        12.3X48-D70.4   >= 12.3X48-D75
Series*)
14.1X53 (EX
and QFX        = 14.1X53-D47        14.1X53-D47.6   >= 14.1X53-D48
Series)
14.1X53        >= 14.1X53-D115 and                  >=
(QFabric       < 14.1X53-D130       None             14.1X53-D130
System)
               >= 15.1F6-S10        15.1F6-S10.11   None
15.1 (all      >= 15.1R4-S9         None            None
platforms)     >= 15.1R6-S6         15.1R6-S6.2     None
               >= 15.1R7 and        15.1R7.9        >= 15.1R7-S2
               < 15.1R7-S2
15.1X49 (SRX   >= 15.1X49-D131 and                  >=
Branch         < 15.1X49-D150       15.1X49-D140.3   15.1X49-D150
Series*)
15.1X53        >= 15.1X53-D233 and                  >=
(QFX5200/      < 15.1X53-D235       15.1X53-D233.2   15.1X53-D235
QFX5110)
15.1X53        >= 15.1X53-D471 and                  >=
(NFX150,       < 15.1X53-D495       None             15.1X53-D495
NFX250)
15.1X53
(QFX10000      = 15.1X53-D67        15.1X53-D67.6   >= 15.1X53-D68
Series)
15.1X53        >= 15.1X53-D59 and                   >=
(EX2300/       < 15.1X53-D590       15.1X53-D59.4    15.1X53-D590
EX3400)
               >= 16.1R3-S8         None            None
               >= 16.1R4-S9 and     None            >= 16.1R4-S12
               < 16.1R4-S12
16.1 (all      >= 16.1R5-S4         None            None
platforms)     >= 16.1R6-S3 and     16.1R6-S3.2     >= 16.1R6-S6
               < 16.1R6-S6
               >= 16.1R7  and       16.1R7.8 and    >= 16.1R7-S2
               < 16.1R7-S2          16.1R7-S1.2
16.1X65                                             >= 16.1X65-D48
(PTX1000       Not affected         Not affected    (proactive
Series)                                             fix)
               >= 16.2R1-S6         None            None
16.2 (all      >= 16.2R2-S5 and                     >= 16.2R2-S7
platforms)     < 16.2R2-S7          None            and
                                                    >= 16.2R3
               >= 17.1R1-S7         None            None
17.1 (all      >= 17.1R2-S7 and                     >= 17.1R2-S9
platforms)     < 17.1R2-S9          None            and
                                                    >= 17.1R3
                                                    >= 17.2R1-S7
               = 17.2R1-S6          None            and
17.2 (all                                           >= 17.2R3
platforms)     >= 17.2R2-S4 and                     >= 17.2R2-S6
               < 17.2R2-S6          None            and
                                                    >= 17.2R3
                                                    >=
                                                     17.2X75-D101
17.2X75        = 17.2X75-D100       17.2X75-D100.6  and
                                                    >=
                                                     17.2X75-D110
               >= 17.3R1-S4         None            None
17.3 (all      >= 17.3R2-S2 and     17.3R2-S2.2     >= 17.3R2-S4
platforms) See < 17.3R2-S4.                         and
Note-1         = 17.3R3             17.3R3.10       >= 17.3R3-S1
                                                    and
               >= 17.4R1-S3 and                     >= 17.4R1-S5
               < 17.4R1-S5          17.4R1-S3.4     and
17.4 (all                                           >= 17.4R3
platforms)                                          >= 17.4R2-S1
               = 17.4R2             None            and
                                                    >= 17.4R3
18.1 (all      >= 18.1R2 and                        >= 18.1R2-S3
platforms)     < either 18.1R2-S3,  18.1R2.6        and
               or 18.1R3                            >= 18.1R3
18.2 (all      >= 18.2R1 and <                      >= 18.2R1-S2
platforms)     either 18.2R1-S2, or None            and
               18.2R2                               >= 18.2R2
18.2X75        >= 18.2X75-D5 and    None            >= 18.2X75-D20
               < 18.2X75-D20

* SRX Branch Series devices include SRX100, SRX110, SRX210,
SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345,
SRX1500, SRX4100, SRX4200, SRX4600 and vSRX.

Note-1: From 17.3R1 onward, it is suggested that customers using
releases of Junos on SRX consider transitioning to 17.4R2-S1 or
subsequent releases.
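
The respin check and fix table for CVE-2018-0049, as an added example
that is not part of the Juniper or AusCERT text: it parses a Junos
release string, including the respin number, and classifies it against
a few of the table rows above. The function names, status labels and
hostnames are assumptions, as is the rule that a respin at or above the
reissued one carries the fix; the platform column is not modelled.

```python
import re
from typing import Dict, NamedTuple, Optional


class JunosVersion(NamedTuple):
    branch: str            # "15.1X49" (X train) or "16.1R7" (R/F maintenance branch)
    patch: int             # D-number on X trains, S-number on R/F branches, 0 if absent
    respin: Optional[int]  # trailing ".N" respin number, None when not shown


_VERSION_RE = re.compile(
    r"^(\d+\.\d+[RFX]\d+)"  # release train plus R/F/X build, e.g. 12.3X48 or 16.1R7
    r"(?:-[SD](\d+))?"      # optional -S<n> or -D<n>
    r"(?:\.(\d+))?$"        # optional respin, e.g. the .4 in 12.3X48-D70.4
)

# Subset of the CVE-2018-0049 fix table, one entry per branch:
# branch -> (first affected patch, first fixed patch, {reissued patch: respin}).
FIX_TABLE = {
    "12.1X46": (76, 81, {76: 1}),         # reissued 12.1X46-D76.1
    "12.3X48": (66, 75, {70: 4}),         # reissued 12.3X48-D70.4
    "15.1X49": (131, 150, {140: 3}),      # reissued 15.1X49-D140.3
    "16.1R7": (0, 2, {0: 8, 1: 2}),       # reissued 16.1R7.8 and 16.1R7-S1.2
    "18.2X75": (5, 20, {}),               # no reissued release
}


def parse_junos_version(text: str) -> JunosVersion:
    """Split a release string such as '15.1X49-D140.3' into its parts."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised Junos release string: {text!r}")
    branch, patch, respin = match.groups()
    return JunosVersion(
        branch=branch,
        patch=int(patch) if patch is not None else 0,
        respin=int(respin) if respin is not None else None,
    )


def classify(version_text: str) -> str:
    """Return a triage status for one release string.

    Statuses (labels chosen for this example):
      not-modelled     branch is not in FIX_TABLE, consult the full table
      not-affected     older than the first affected release of the branch
      fixed            at or beyond the 'Fixed in' release
      fixed-by-respin  affected base release, but a reissued respin
      check-respin     reissued base release, respin number not supplied
      affected         inside the affected range without a fix
    """
    version = parse_junos_version(version_text)
    row = FIX_TABLE.get(version.branch)
    if row is None:
        return "not-modelled"
    first_affected, first_fixed, reissued = row
    if version.patch < first_affected:
        return "not-affected"
    if version.patch >= first_fixed:
        return "fixed"
    minimum_respin = reissued.get(version.patch)
    if minimum_respin is not None:
        if version.respin is None:
            # Without the respin the base release alone cannot confirm the fix.
            return "check-respin"
        if version.respin >= minimum_respin:
            return "fixed-by-respin"
    return "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host in a {hostname: release string} inventory."""
    return {host: classify(release) for host, release in inventory.items()}


# Constructed inventory for illustration; hostnames and releases are made up.
SAMPLE_INVENTORY = {
    "srx-branch-01": "12.3X48-D70.3",
    "srx-branch-02": "12.3X48-D70.4",
    "srx-branch-03": "15.1X49-D140",
    "mx-core-01": "16.1R7-S1.2",
    "ptx-lab-01": "18.2X75-D10.2",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:18} {status}")
```
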

Workaround:

Remove MPLS configuration stanza from interfaces at risk.

There are no other available workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2018-0049 at cve.mitre.org
  o Understanding Junos release numbering
  o JUNOS Software updates due to JSA10883

CVSS Score:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

===============================================================================

2018-10 Security Bulletin: Junos OS: Receipt of a malformed MPLS
RSVP packet leads to a Routing Protocols Daemon (RPD) crash
(CVE-2018-0050)

[JSA10884]

Product Affected:

This issue affects Junos OS 14.1, 14.1X53, 14.2.

Problem:

An error handling vulnerability in Routing Protocols Daemon (RPD)
of Juniper Networks Junos OS allows an attacker to cause RPD to
crash. Continued receipt of this malformed MPLS RSVP packet will
cause a sustained Denial of Service condition.

Affected releases are Juniper Networks Junos OS:

  o 14.1 versions prior to 14.1R8-S5, 14.1R9;
  o 14.1X53 versions prior to 14.1X53-D48 on QFX Switching;
  o 14.2 versions prior to 14.1X53-D130 on QFabric System;
  o 14.2 versions prior to 14.2R4.


This issue does not affect versions of Junos OS before 14.1R1.

Junos OS RSVP only supports IPv4. IPv6 is not affected by this
issue.

This issue requires the packet to be received on an interface
configured to receive this type of traffic.

The following minimal protocols configurations are required:

[protocols rsvp]
[protocols mpls interface]

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was found during internal product security testing or
research.

This issue has been assigned CVE-2018-0050.

Solution:

The following software releases have been updated to resolve this
specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D130, 14.1X53-D48,
14.2R4, 15.1R1, and all subsequent releases.

This issue is being tracked as PR 1087100 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
 
Workaround:

Remove MPLS configuration stanzas from interface configurations
that are at risk.

No other workarounds exist for this issue. 
 
Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2018-0050 at cve.mitre.org

CVSS Score:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

===============================================================================

2018-10 Security Bulletin: Junos OS: Denial of Service
vulnerability in MS-PIC, MS-MIC, MS-MPC, MS-DPC and SRX flow
daemon (flowd) related to SIP ALG (CVE-2018-0051)

[JSA10885]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3X48, 15.1, 15.1F6,
15.1X49, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4.

Problem:

A Denial of Service vulnerability in the SIP application layer
gateway (ALG) component of Junos OS based platforms allows an
attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow
daemon (flowd) process.

This issue affects Junos OS devices with NAT or stateful firewall
configuration in combination with the SIP ALG enabled.

SIP ALG is enabled by default on SRX Series devices except for
SRX-HE devices. SRX-HE devices have SIP ALG disabled by default.

The status of ALGs on an SRX device can be obtained by executing
the command:
show security alg status

Affected releases are Juniper Networks Junos OS:
  o 12.1X46 versions prior to 12.1X46-D77;
  o 12.3X48 versions prior to 12.3X48-D70;
  o 15.1X49 versions prior to 15.1X49-D140;
  o 15.1 versions prior to 15.1R4-S9, 15.1R7-S1;
  o 15.1F6;
  o 16.1 versions prior to 16.1R4-S9, 16.1R6-S1, 16.1R7;
  o 16.2 versions prior to 16.2R2-S7, 16.2R3;
  o 17.1 versions prior to 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
  o 17.3 versions prior to 17.3R1-S5, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by
this issue.

This issue has been assigned CVE-2018-0051.
 
Solution:

The following software releases have been updated to resolve these
specific issues: 12.1X46-D77, 12.3X48-D70, 12.3X48-D75,
14.1X53-D47, 15.1R4-S9, 15.1R7-S1, 15.1X49-D140, 15.1X53-D471,
15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R6-S1,
16.1R7, 16.2R2-S7, 16.2R3, 17.1R2-S7, 17.1R3, 17.2R1-S6,
17.2R2-S4, 17.2R3, 17.3R1-S5, 17.3R2-S2, 17.3R3, 17.4R2, 18.1R1,
18.1X75-D10, 18.2R1, 18.2X75-D5, and all subsequent releases.

This fix has also been proactively committed into other releases
that might not support SIP ALG configuration.

This issue is being tracked as PR 1326394 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
 
Workaround:

Disable the use of the SIP ALG feature if it is not needed.
 
Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2018-0051 at cve.mitre.org
  o https://kb.juniper.net/JSA10885

CVSS Score:

7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

High

===============================================================================

2018-10 Security Bulletin: Junos OS: Unauthenticated remote root
access possible when RSH service is enabled (CVE-2018-0052)

[JSA10886]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4,
18.2X75.

Problem:

If RSH service is enabled on Junos OS and if the PAM
authentication is disabled, a remote unauthenticated attacker can
obtain root access to the device.

RSH service is disabled by default on Junos. There is no
documented CLI command to enable this service. However, an
undocumented CLI command allows a privileged Junos user to enable
RSH service and disable PAM, and hence expose the system to
unauthenticated root access.

When RSH is enabled, the device is listening for RSH connections
on port 514.

This issue is not exploitable on platforms where the Junos release
is based on FreeBSD 10+. Please see
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-kernel-freebsd-upgraded.html
for a list of platforms and Junos releases that are based on
FreeBSD 10 or later.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
  o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
  o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
  o 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX
    Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
    Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX
    Series;
  o 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4,
    16.1R6-S4, 16.1R7;
  o 16.2 versions prior to 16.2R2-S5;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91;
  o 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2;
  o 18.2X75 versions prior to 18.2X75-D5.

This issue only affects configurations where RSH service is
enabled and the PAM authentication is disabled.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was found during internal product security testing or
research.

This issue has been assigned CVE-2018-0052.
 

Solution:

This CLI option has been removed from the fixed Junos releases.

The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75,
14.1X53-D47, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131,
15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490,
15.1X53-D59, 15.1X53-D67, 16.1R3-S9, 16.1R4-S9, 16.1R5-S4,
16.1R6-S4, 16.1R7, 16.2R2-S5, 17.1R1-S7, 17.1R2-S7, 17.1R3,
17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D91,
17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1,
18.2X75-D5, and all subsequent releases.

This issue is being tracked as PR 1288932 which is visible on the
Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
 

Workaround:

 1. Ensure there is no RSH service listening on port 514.
 2. Utilize common security BCPs to limit the exploitable surface
    by limiting access to network and device to trusted systems,
    administrators, networks and hosts.
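
One way to check workaround step 1 against socket tables collected from
devices (an added example, not part of the Juniper advisory). It assumes
the device's connection listing, for example from "show system
connections", uses the FreeBSD netstat column layout; the sample text and
the function name are constructed for illustration.

```python
import re

# TCP/514 is rsh; some listings print the service name "shell" instead.
# UDP/514 is syslog and must not be reported.
RSH_PORTS = {"514", "shell"}

# Constructed sample in FreeBSD "netstat -an" layout (assumed format),
# not captured from a real device.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.514                  *.*                    LISTEN
tcp6       0      0  *.514                  *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          198.51.100.7.51422     ESTABLISHED
tcp4       0      0  192.0.2.10.5140        198.51.100.7.514       ESTABLISHED
udp4       0      0  *.514                  *.*
"""

ROW = re.compile(
    r"^(?P<proto>(?:tcp|udp)\S*)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)


def rsh_listeners(netstat_text):
    """Return (proto, local_address) for each TCP socket listening on 514."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines, other socket families
        if not m["proto"].startswith("tcp") or m["state"] != "LISTEN":
            continue  # skips UDP/514 (syslog) and non-listening TCP rows
        # netstat writes host.port, so the port follows the last dot
        port = m["local"].rpartition(".")[2]
        if port in RSH_PORTS:
            hits.append((m["proto"], m["local"]))
    return hits


if __name__ == "__main__":
    for proto, local in rsh_listeners(SAMPLE):
        print(f"RSH listener present: {proto} {local}")
```

An empty result means no TCP listener on port 514 appears in the
listing; any hit is a device to review against this advisory.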

Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Monthly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:

7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
