ESB-2019.1266 - [Appliance] Junos OS: Multiple vulnerabilities 2019-04-12

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1266
                2019-04 Juniper Security Bulletin: Junos OS
                               12 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Network Appliance
Impact/Access:     Administrator Compromise -- Console/Physical      
                   Denial of Service        -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-0044 CVE-2019-0039 CVE-2019-0037
                   CVE-2019-0036 CVE-2019-0035 CVE-2019-0034
                   CVE-2019-0031  

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10920
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10924
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10925
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10926
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10928
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10929
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10936

Comment: This bulletin contains seven (7) Juniper Networks security 
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2019-04 Security Bulletin: Junos OS: jdhcpd daemon memory consumption Denial of Service when receiving specific IPv6 DHCP packets. (CVE-2019-0031)

Article ID:   JSA10920

Last Updated: 10 Apr 2019

Version:      6.0

Product Affected:
This issue affects Junos OS 17.4, 18.1.
Problem:

Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a memory
resource consumption issue to occur on a Junos OS device using the jdhcpd
daemon configured to respond to IPv6 requests. Once started, memory consumption
will eventually impact any IPv4 or IPv6 request serviced by the jdhcpd daemon,
thus creating a Denial of Service (DoS) condition to clients requesting and not
receiving IP addresses. Additionally, some clients which were previously
holding IPv6 addresses will not have their IPv6 Identity Association (IA)
address and network tables agreed upon by the jdhcpd daemon after the failover
event occurs, which leads to more than one interface, and multiple IP
addresses, being denied on the client.

Affected releases are Juniper Networks Junos OS:

  o 17.4 versions prior to 17.4R2;
  o 18.1 versions prior to 18.1R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2019-0031.

Solution:

The following software releases have been updated to resolve this specific
issue: 17.4R2, 18.1R2, 18.2R1, and all subsequent releases.

This issue is being tracked as PR 1333381 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

Customers may discontinue processing or serving DHCPv6 address assignments
until fixes can be applied.
This workaround suits large IPv4 environments where IPv6 clients are fewer or
considered less important.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:
2019-04-10: Initial Publication.
Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

  o CVE-2019-0031 at cve.mitre.org

CVSS Score:
7.4 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================
2019-04 Security Bulletin: Junos OS: 'set system ports console insecure' allows root password recovery on OAM volumes (CVE-2019-0035)

Article ID:   JSA10924

Last Updated: 10 Apr 2019

Version:      1.0

Product Affected:
This issue affects Junos OS 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1,
17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3.
Problem:

When "set system ports console insecure" is enabled, root login is disallowed
for Junos OS as expected. However, the root password can be changed using "set
system root-authentication plain-text-password" on systems booted from an OAM
(Operations, Administration, and Maintenance) volume, leading to a possible
administrative bypass with physical access to the console. OAM volumes (e.g.
flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short.

Password recovery, changing the root password from a console, should not have
been allowed from an insecure console.

Affected releases are Juniper Networks Junos OS:

  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S3;
  o 15.1X49 versions prior to 15.1X49-D160;
  o 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68;
  o 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3;
  o 16.1X65 versions prior to 16.1X65-D49;
  o 16.2 versions prior to 16.2R2-S8;
  o 17.1 versions prior to 17.1R2-S10, 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S3;
  o 17.4 versions prior to 17.4R1-S6, 17.4R2-S2;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S3;
  o 18.2 versions prior to 18.2R2;
  o 18.2X75 versions prior to 18.2X75-D40;
  o 18.3 versions prior to 18.3R1-S2.

This issue does not affect Junos OS releases prior to 15.1.

Administrators can disable root login connections to the console, and if
running a fixed release, restrict single-user mode password recovery via the
following configuration command:

user@host# set system ports console insecure

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2019-0035.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X49-D160, 15.1X53-D236,
15.1X53-D496, 15.1X53-D68, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X65-D49,
16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S3, 17.4R1-S6,
17.4R2-S2, 18.1R2-S4, 18.1R3-S3, 18.2R2, 18.2X75-D40, 18.3R1-S2, 18.4R1, and
all subsequent releases.

This issue is being tracked as PR 1368998 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

Limit physical access to the recovery console to only trusted administrators.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process.

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:
6.8 (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================
2019-04 Security Bulletin: Junos OS: Firewall filter terms named "internal-1" and "internal-2" being ignored (CVE-2019-0036)

Article ID:   JSA10925

Last Updated: 10 Apr 2019

Version:      1.0

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49,
15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3, 18.4.
Problem:

When configuring a stateless firewall filter in Junos OS, terms named using the
format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently
ignored. No warning is issued during configuration, and the config is committed
without error, but the filter criteria will match all packets leading to
unexpected results.

Affected releases are Juniper Networks Junos OS:

  o All versions prior to and including 12.3;
  o 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49;
  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S4;
  o 15.1X49 versions prior to 15.1X49-D161, 15.1X49-D170;
  o 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D69;
  o 16.1 versions prior to 16.1R7-S4, 16.1R7-S5;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S4;
  o 17.4 versions prior to 17.4R1-S7, 17.4R2-S3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S4;
  o 18.2 versions prior to 18.2R1-S5, 18.2R2-S1;
  o 18.2X75 versions prior to 18.2X75-D40;
  o 18.3 versions prior to 18.3R1-S3;
  o 18.4 versions prior to 18.4R1-S1, 18.4R1-S2.

Sample configuration:

term internal-1 {
  from {
    source-address {
      157.249.32.21/32;
    }
    destination-address {
      157.249.197.64/30;
    }
    protocol udp;
    destination-port 123;
  }
  then {
    count scan-ad-internal-1;
    accept;
  }
}

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0036.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 14.1X53-D130, 14.1X53-D49, 15.1F6-S12, 15.1R7-S4, 15.1X49-D161,
15.1X49-D170, 15.1X53-D236, 15.1X53-D496, 15.1X53-D69, 16.1R7-S4, 16.2R2-S9,
17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S4, 17.4R1-S7, 17.4R2-S3, 18.1R2-S4,
18.1R3-S4, 18.2R1-S5, 18.2R2-S1, 18.2X75-D40, 18.3R1-S3, 18.4R1-S1, 19.1R1, and
all subsequent releases.

Note: Fixes are not available for Junos OS 12.1X46, 12.3X48, or 12.3R12 due to
the high risk of making changes to earlier releases, and the easily implemented
available workaround.

This issue is being tracked as PR 1394922 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

Avoid configuring firewall filter names of the format: internal-n
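
A configuration check for this workaround, as an added example that is not part of the Juniper advisory: it scans Junos configuration text, in either curly-brace or "display set" form, for firewall filter terms named internal-n. The filter names and sample configurations are constructed, and reading "n" as a decimal number is an assumption.

```python
import re

# Assumption: "internal-n" means the literal prefix "internal-" plus a decimal number.
RISKY_TERM = re.compile(r"internal-\d+")

# Matches "set ... firewall [family F] filter NAME term TERM ..." (display set output).
SET_LINE = re.compile(
    r'^set\s+(?:\S+\s+)*?firewall\s+(?:family\s+(?P<family>\S+)\s+)?'
    r'filter\s+(?P<filter>\S+)\s+term\s+(?P<term>"[^"]+"|\S+)'
)

def find_in_set_format(text):
    """Flag risky term names in 'show configuration | display set' output."""
    hits = set()
    for line in text.splitlines():
        m = SET_LINE.match(line.strip())
        if m and RISKY_TERM.fullmatch(m.group("term").strip('"')):
            hits.add((m.group("family") or "unspecified",
                      m.group("filter"), m.group("term").strip('"')))
    return sorted(hits)

def find_in_curly_format(text):
    """Flag risky term names in curly-brace configuration text."""
    hits, stack = set(), []          # stack holds the enclosing block headers
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            header = line[:-1].split()
            parent = stack[-1] if stack else []
            # Only terms directly under "filter NAME" inside "firewall" count;
            # policy-statement terms share the syntax but are out of scope here.
            if (header[:1] == ["term"] and len(header) == 2
                    and parent[:1] == ["filter"] and len(parent) == 2
                    and ["firewall"] in stack
                    and RISKY_TERM.fullmatch(header[1].strip('"'))):
                family = next((h[1] for h in stack
                               if h[:1] == ["family"] and len(h) == 2), "unspecified")
                hits.add((family, parent[1], header[1].strip('"')))
            stack.append(header)
        elif line.startswith("}") and stack:
            stack.pop()
    return sorted(hits)

def audit(text):
    """Return sorted (family, filter, term) tuples for either input format."""
    return sorted(set(find_in_set_format(text)) | set(find_in_curly_format(text)))

# Constructed sample input; the filter and policy names are made up for this example.
SAMPLE_CURLY = """\
firewall {
  family inet {
    filter PROTECT-NTP {
      term internal-1 {
        from {
          protocol udp;
          destination-port 123;
        }
        then accept;
      }
      term internal-ntp {
        then accept;
      }
    }
  }
}
policy-options {
  policy-statement EXPORT {
    term internal-2 {
      then reject;
    }
  }
}
"""

SAMPLE_SET = """\
set firewall family inet6 filter V6-EDGE term internal-2 from next-header udp
set firewall family inet6 filter V6-EDGE term internal-2 then accept
set firewall filter LEGACY term internal-10 then accept
set firewall family inet filter PROTECT-NTP term internal then discard
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CURLY + SAMPLE_SET))
```

Any term it reports should be renamed before the filter is relied on.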

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process.

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:
7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================
2019-04 Security Bulletin: Junos OS: jdhcpd crash upon receipt of crafted DHCPv6 solicit message (CVE-2019-0037)

Article ID:   JSA10926

Last Updated: 10 Apr 2019

Version:      1.0

Product Affected:
This issue affects Junos OS 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2,
17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3.
Problem:

In a Dynamic Host Configuration Protocol version 6 (DHCPv6) environment, the
jdhcpd daemon may crash and restart upon receipt of certain DHCPv6 solicit
messages received from a DHCPv6 client. By continuously sending the same
crafted packet, an attacker can repeatedly crash the jdhcpd process causing a
sustained Denial of Service (DoS) to both IPv4 and IPv6 clients.

Affected releases are Juniper Networks Junos OS:

  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S3;
  o 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180;
  o 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496;
  o 16.1 versions prior to 16.1R3-S10, 16.1R7-S4;
  o 16.2 versions prior to 16.2R2-S8;
  o 17.1 versions prior to 17.1R2-S10, 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S3;
  o 17.4 versions prior to 17.4R1-S6, 17.4R2-S3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S2;
  o 18.2 versions prior to 18.2R2;
  o 18.2X75 versions prior to 18.2X75-D30;
  o 18.3 versions prior to 18.3R1-S2.

This issue does not affect Junos OS releases prior to 15.1.

Sample configuration:

user@host# edit system services dhcp-local-server dhcpv6

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0037.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X49-D171, 15.1X49-D180,
15.1X53-D236, 15.1X53-D496, 16.1R3-S10, 16.1R7-S4, 16.2R2-S8, 17.1R2-S10,
17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S3, 17.4R1-S6, 17.4R2-S3, 18.1R2-S4,
18.1R3-S2, 18.2R2, 18.2X75-D30, 18.3R1-S2, 18.4R1, and all subsequent releases.

This issue is being tracked as PR 1391983 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

No known workaround exists for this issue.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process.

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:
7.4 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================
2019-04 Security Bulletin: Junos OS: Login credentials are vulnerable to brute force attacks through the REST API (CVE-2019-0039)

Article ID:   JSA10928

Last Updated: 10 Apr 2019

Version:      1.0

Product Affected:
This issue affects Junos OS 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65,
16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75, 18.3.
Problem:

If REST API is enabled, the Junos OS login credentials are vulnerable to brute
force attacks.

The high default connection limit of the REST API may allow an attacker to
brute-force passwords using advanced scripting techniques. Additionally,
administrators who do not enforce a strong password policy can increase the
likelihood of success from brute force attacks.

Affected releases are Juniper Networks Junos OS:

  o 14.1X53 versions prior to 14.1X53-D49;
  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S3;
  o 15.1X49 versions prior to 15.1X49-D160;
  o 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591,
    15.1X53-D69;
  o 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3;
  o 16.1X65 versions prior to 16.1X65-D49;
  o 16.2 versions prior to 16.2R2-S7;
  o 17.1 versions prior to 17.1R2-S10, 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S2;
  o 17.4 versions prior to 17.4R1-S6, 17.4R2-S2;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S1;
  o 18.2 versions prior to 18.2R1-S5;
  o 18.2X75 versions prior to 18.2X75-D30;
  o 18.3 versions prior to 18.3R1-S1.

The REST API can be enabled using the following configuration option:

system services rest http
system services rest enable-explorer

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2019-0039.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 14.1X53-D49, 15.1F6-S12, 15.1R7-S3, 15.1X49-D160, 15.1X53-D236,
15.1X53-D495, 15.1X53-D591, 15.1X53-D69, 16.1R3-S10, 16.1R4-S12, 16.1R6-S6,
16.1R7-S3, 16.1X65-D49, 16.2R2-S7, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1,
17.3R3-S2, 17.4R1-S6, 17.4R2-S2, 18.1R2-S4, 18.1R3-S1, 18.2R1-S5, 18.2X75-D30,
18.3R1-S1, 18.4R1, and all subsequent releases.

This issue is being tracked as PR 1289313 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

  o Setting a connection limit on REST API may help mitigate this issue. For
    example:

set system services rest control connection-limit 100

  o Use access lists or firewall filters to limit API access to the device only
    from trusted hosts.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process.

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
===============================================================================

2019-04 Security Bulletin: Junos OS: Specially crafted packets sent to
port 111 on any interface triggers responses from the management interface
(CVE-2019-0040)

Article ID: JSA10929

Product Affected:
This issue affects Junos OS 15.1, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3,
17.4.
Problem:

On Junos OS, rpcbind should only be listening to port 111 on the internal
routing instance (IRI). External packets destined to port 111 should be
dropped. Due to an information leak vulnerability, responses were being
generated from the source address of the management interface (e.g. fxp0)
thus disclosing internal addressing and existence of the management interface
itself. A high rate of crafted packets destined to port 111 may also lead
to a partial Denial of Service (DoS).

Note: Systems with fxp0 disabled or unconfigured are not vulnerable to
this issue.

This issue only affects Junos OS releases based on FreeBSD 10 or higher
(typically Junos OS 15.1+). Administrators can confirm whether systems
are running a version of Junos OS based on FreeBSD 10 or higher by typing:

user@junos> show version | match kernel
JUNOS OS Kernel 64-bit [20181214.223829_fbsd-builder_stable_10]

Affected releases are Juniper Networks Junos OS:

  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S4;
  o 15.1X53 versions prior to 15.1X53-D236;
  o 16.1 versions prior to 16.1R7-S1;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8;
  o 17.3 versions prior to 17.3R2;
  o 17.4 versions prior to 17.4R1-S1, 17.4R1-S7, 17.4R2.

This issue does not affect Junos OS releases prior to 15.1.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0040.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 15.1F6-S12, 15.1R7-S4, 15.1X53-D236, 16.1R7-S1, 16.2R2-S9,
17.1R3, 17.2R1-S8, 17.2R3, 17.3R2, 17.4R1-S1, 17.4R1-S7, 17.4R2, 18.1R1,
18.1X75-D10, and all subsequent releases.

This issue is being tracked as PR 1296262 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond
End of Engineering (EOE) or End of Life (EOL).

Workaround:

  o Use access lists or firewall filters to limit access to port 111 on the
    device.

  o Disable the management interface (fxp0) if it is not needed in a
    production environment.

  o If neither MS MICs nor MS MPCs are deployed, an additional option is to
    disable rpcbind via the configuration command:

set system processes rpcbind-service disable

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security
  Bulletin Publication Process.

  o KB16765: In which releases are vulnerabilities fixed?

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
  Security Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
  Security Incident Response Team

CVSS Score:
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================

2019-04 Security Bulletin: Junos OS: SRX5000 series: Kernel crash (vmcore) upon receipt of a specific packet on fxp0 interface (CVE-2019-0044)

Article ID:   JSA10936

Last Updated: 10 Apr 2019

Version:      2.0

Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms:
SRX5000 series.
Problem:

Receipt of a specific packet on the out-of-band management interface fxp0 may
cause the system to crash and restart (vmcore).

By continuously sending a specially crafted packet to the fxp0 interface, an
attacker can repetitively crash the system (vmcore) causing prolonged Denial of
Service (DoS).

Affected releases are Juniper Networks SRX5000 Series:

  o 12.1X46 versions prior to 12.1X46-D82;
  o 12.3X48 versions prior to 12.3X48-D80;
  o 15.1X49 versions prior to 15.1X49-D160.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0044.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.1X46-D82, 12.3X48-D80, 15.1X49-D160 and all subsequent releases.

This issue is being tracked as PR 1362221 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for this issue.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-04-10: Initial Publication.
  o 2019-04-10: Minor description edit.

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process.

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

  o CVE-2019-0044 at cve.mitre.org

  o https://kb.juniper.net/JSA10936

CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================