===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2017.1737
2017-07 Security Bulletin: Junos OS
13 July 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10605 CVE-2017-10604 CVE-2017-10603
                   CVE-2017-10602 CVE-2017-6738 CVE-2017-6737
                   CVE-2017-6736 CVE-2017-2345 CVE-2017-2344
                   CVE-2017-2341 CVE-2017-2314 CVE-2014-9425
                   CVE-2013-6420 CVE-2013-4113 CVE-2012-3365
Reference:         ASB-2012.0105
                   ESB-2017.1644
                   ESB-2015.1818
                   ESB-2014.1429
                   ESB-2013.1784
                   ESB-2013.0972

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10804
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10805
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10803
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792

Comment: This bulletin contains nine (9) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch failures occur if the root user account is locked out (CVE-2017-10604)

PRODUCT AFFECTED: This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX series.

PROBLEM: When the device is configured to perform account lockout with a defined period of time, any unauthenticated user attempting to log in as root with an incorrect password can trigger a lockout of the root account.

When an SRX Series device is in cluster mode, and a cluster sync or failover operation occurs, then there will be errors associated with synch or failover while the root account is locked out.

Administrators can confirm if the root account is locked out via the following command:

    root@device> show system login lockout user root
    User      Lockout start              Lockout end
    root      1995-01-01 01:00:01 PDT    1995-11-01 01:31:01 PDT

This issue only affects devices configured to perform account lockout with a defined period of time; e.g.:

    set system services ssh root-login deny
    set system login retry-options tries-before-disconnect 5
    set system login retry-options minimum-time 30
    set system login retry-options lockout-period 30

The root lockout feature is working as expected. It is only a problem when an SRX Series device is in a cluster configuration mode.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10604.

SOLUTION: The following software releases have been updated to resolve this specific issue: 12.1X46-D65, 12.3X48-D45, 15.1X49-D75, and all subsequent releases.

NOTE: Future SRX-Series releases above 15.1X49 Top of Tree from Junos OS 17.2R1 onward have been proactively resolved.

This issue is being tracked as PR 1222250 and is visible on the Customer Support website.

WORKAROUND: The lockout feature does not impact console access for the root account. Administrators may log in via the console and block the offending incoming SSH connection attempts that are locking out the root account, so that cluster sync services stop erroring or failing.

Administrators may block the offending SSH traffic from an upstream device.
Use access lists or firewall filters to limit access to the device only from trusted administrative hosts, networks and users.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

RISK LEVEL: Medium

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos OS: J-Web: Multiple Vulnerabilities in PHP software

PRODUCT AFFECTED: This issue affects Junos OS 12.1X46, 12.1X47, 12.3, 12.3X48, 14.2, 15.1, 15.1X49.

PROBLEM: PHP software included with Junos OS J-Web is updated to resolve the following issues:

CVE: CVE-2013-6420
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary: The asn1_time_to_time_t function in ext/openssl/openssl.c in PHP does not properly parse (1) notBefore and (2) notAfter timestamps in X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted certificate that is not properly handled by the openssl_x509_parse function.

CVE: CVE-2014-9425
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary: Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

CVE: CVE-2013-4113
CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Summary: ext/xml/xml.c in PHP does not properly consider parsing depth, which allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted document that is processed by the xml_parse_into_struct function.

CVE: CVE-2012-3365
CVSS v2 base score: 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Summary: The SQLite functionality in PHP allows remote attackers to bypass the open_basedir protection mechanism via unspecified vectors.

Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65, 12.1X47 prior to 12.1X47-D40, 12.1X47-D45; 12.3 prior to 12.3R12-S5; 12.3X48 prior to 12.3X48-D35; 14.2 prior to 14.2R8; 15.1 prior to 15.1R4; 15.1X49 prior to 15.1X49-D50.

These issues affect devices with J-Web enabled.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

SOLUTION: The following software releases have been updated to resolve this specific issue: 12.1X46-D65, 12.1X47-D40, 12.1X47-D45, 12.3R12-S5, 12.3X48-D35, 14.2R8, 15.1R4, 15.1X49-D50, 16.1R1, 16.1R1, 16.1R2, and all subsequent releases.

This issue is being tracked as PR 1157572 and is visible on the Customer Support website.

WORKAROUND: Methods which may reduce, but not eliminate, the risk for exploitation of this problem, and which do not mitigate or resolve the underlying problem, include:

  o Using access lists or firewall filters to limit access to the device only from trusted hosts.
  o Disabling J-Web.
  o Limiting access to J-Web to only trusted networks.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos OS: Local XML Injection through CLI command can lead to privilege escalation (CVE-2017-10603)

PRODUCT AFFECTED: This issue affects Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47; 15.1 prior to 15.1R3.

PROBLEM: An XML injection vulnerability in Junos OS CLI can allow a locally authenticated user to elevate privileges and run arbitrary commands as the root user.

This issue was found during internal product security testing.

Affected releases are Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47, 15.1 prior to 15.1R3. Junos versions prior to 15.1 are not affected. No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10603.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS 15.1X53-D47, 15.1R3, and all subsequent releases.

This issue is being tracked as PR 1091037 and is visible on the Customer Support website.

WORKAROUND: There is no direct workaround to completely eliminate the risk of this vulnerability. Use access lists or firewall filters to limit access to the router's CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos OS: buffer overflow vulnerability in Junos CLI (CVE-2017-10602)

PRODUCT AFFECTED: This issue affects Junos OS 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.

PROBLEM: A buffer overflow vulnerability in Junos OS CLI may allow a local authenticated user with read only privileges and access to Junos CLI, to execute code with root privileges.

Affected releases are Juniper Networks Junos OS 14.1X53; 14.2 prior to 14.2R6; 15.1 prior to 15.1F5, 15.1F6, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53 prior to 15.1X53-D47, 15.1X53-D70. This issue does not affect Junos 14.1 or prior releases. No other Juniper Networks products or platforms are affected by this issue.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10602.

SOLUTION: The following software releases have been updated to resolve this specific issue: 14.2R6, 15.1F5, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D47, 15.1X53-D70, 16.1R1, and all subsequent releases.

This issue is being tracked as PR 1149652 and is visible on the Customer Support website.

WORKAROUND: Use access lists or firewall filters to limit access to the router's CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version.
In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms with Junos OS running in a virtualized environment. (CVE-2017-2341)

PRODUCT AFFECTED: This issue affects Junos OS 14.1X53, 15.1, 15.1X49, 16.1. Affected platforms: QFX5110, QFX5200, QFX10002, QFX10008, QFX10016, EX4600 and NFX250, EX4600, vSRX, SRX1500, SRX4100, SRX4200, ACX5000 series.

PROBLEM: An insufficient authentication vulnerability on platforms where Junos OS instances are run in a virtualized environment, may allow unprivileged users on the Junos OS instance to gain access to the host operating environment, and thus escalate privileges.
This issue only affects products or platforms where Junos OS instances are run in a virtualized environment, namely vSRX, SRX1500, SRX4100, SRX4200, QFX5110, QFX5200, QFX10002, QFX10008, QFX10016, ACX5000, EX4600 and NFX250 devices.

This issue does not affect Junos OS where FIPS mode is enabled. This issue does not affect vMX.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2017-2341.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS 14.1X53-D40, 15.1R5, 15.1X49-D70, 16.1R2 and all subsequent releases.

This issue is being tracked as PR 1161762 and is visible on the Customer Support website.

WORKAROUND: Running Junos OS in FIPS mode eliminates this vulnerability.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial release.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message (CVE-2017-2314)

PRODUCT AFFECTED: This issue can affect any product or platform running Junos OS with BGP enabled.

PROBLEM: Receipt of a malformed BGP OPEN message may cause the routing protocol daemon (rpd) process to crash and restart. By continuously sending specially crafted BGP OPEN message packets, an attacker can repetitively crash the rpd process causing prolonged denial of service.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, this issue has been seen in a production network due to the BGP implementation in a different vendor's device.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2017-2314.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos 12.3R12-S4, 12.3R13, 12.3R3-S4, 12.3X48-D50, 13.3R10, 13.3R4-S11, 14.1R8-S3, 14.1R9, 14.1X53-D40, 14.1X55-D35, 14.2R4-S7, 14.2R6-S4, 14.2R7, 15.1F2-S11, 15.1F4-S1-J1, 15.1F5-S3, 15.1F6, 15.1R4, 15.1X49-D100, 15.1X53-D33, 15.1X53-D50, 16.1R1, 16.2R1 and all subsequent releases.

This issue is being tracked as PR 1159781 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND: While there is no workaround, the risk associated with this issue can be mitigated by limiting BGP sessions only from trusted peers.

IMPLEMENTATION: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-2314: RPD crash due to malformed BGP OPEN message

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of crafted SNMP packet (CVE-2017-2345)

PRODUCT AFFECTED: This issue affects Juniper Networks Junos OS 10.2 and above on all products and platforms.

PROBLEM: On Junos OS devices with SNMP enabled, a network based attacker with unfiltered access to the RE can cause the Junos OS snmpd daemon to crash and restart by sending a crafted SNMP packet.
Repeated crashes of the snmpd daemon can result in a partial denial of service condition. Additionally, it may be possible to craft a malicious SNMP packet in a way that can result in remote code execution.

SNMP is disabled in Junos OS by default. Junos OS devices with SNMP disabled are not affected by this issue.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-2345.

NOTE: This is a different issue than Cisco CVE-2017-6736, CVE-2017-6737, and CVE-2017-6738.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10, 14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D44, 14.1X53-D50, 14.2R7-S7, 14.2R8, 15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100, 15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70, 16.1R3-S4, 16.1R4-S3, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1, 17.2R2, 17.3R1, and all subsequent releases.

This issue is being tracked as PR 1282772 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND: Disable SNMP (disabled by default), utilize edge filtering with source-address validation (uRPF, etc.), SNMP access lists, and/or SNMPv3 authentication to limit access to the device only from trusted hosts.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely.
Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-2345: snmpd denial of service upon receipt of crafted SNMP packet

CVSS SCORE: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: Critical

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability in flowd due to crafted DHCP packet (CVE-2017-10605)

PRODUCT AFFECTED: This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: vSRX or SRX Series with DHCP or DHCP relay configured.

PROBLEM: On all vSRX and SRX Series devices, when DHCP or DHCP relay is configured, a specially crafted packet might cause the flowd process to crash, halting or interrupting traffic from flowing through the device(s). Repeated crashes of the flowd process may constitute an extended denial of service condition for the device(s).

If the device is configured in high-availability, the RG1+ (data-plane) will fail-over to the secondary node.

If the device is configured in stand-alone, there will be temporary traffic interruption until the flowd process is restored automatically.
Sustained crafted packets may cause the secondary failover node to fail back, or fail completely, potentially halting flowd on both nodes of the cluster or causing flip-flop failovers to occur.

No other Juniper Networks products or platforms are affected by this issue.

This issue only affects devices where DHCP or DHCP relay is configured.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10605.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS 12.1x46-D67, 12.3X48-D55, 15.1X49-D91, 15.1X49-D100 and all subsequent releases.

This issue is being tracked as PR 1270493 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND: No published workaround exists for this issue.

IMPLEMENTATION: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-2314: RPD crash due to malformed BGP OPEN message

CVSS SCORE: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

----------

2017-07 Security Bulletin: Junos: Buffer overflow in sockets library (CVE-2017-2344)

PRODUCT AFFECTED: This issue affects Juniper Networks Junos OS on all products and platforms.

PROBLEM: A routine within an internal Junos OS sockets library is vulnerable to a buffer overflow. Malicious exploitation of this issue may lead to a denial of service (kernel panic) or be leveraged as a privilege escalation through local code execution. The routines are only accessible via programs running on the device itself, and veriexec restricts arbitrary programs from running on Junos OS. There are no known exploit vectors utilizing signed binaries shipped with Junos OS itself.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-2344.

SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10, 14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D45, 14.1X53-D50, 14.2R7-S7, 14.2R8, 15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100, 15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70, 16.1R3-S4, 16.1R4-S3, 16.1R4-S4, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1, 17.2R2, 17.3R1, and all subsequent releases.

This issue is being tracked as PR 1282562 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND: Limit access to the Junos CLI only from trusted hosts and administrators.

IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY: 2017-07-12: Initial Publication

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-2344: Junos buffer overflow in sockets library

CVSS SCORE: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

RISK LEVEL: High

RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
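
Several workarounds in this bulletin ask for SSH/CLI, SNMP and BGP access to be limited to trusted sources, and for J-Web to be disabled where it is not needed. One way to express that as a routing-engine (lo0) firewall filter in Junos set-command form follows; it is an added example, not part of the Juniper or AusCERT text, and the filter, prefix-list and community names and all addresses (RFC 5737 documentation ranges) are constructed placeholders.

```junos
# Added example. Every name and address below is a constructed placeholder.

# Trusted sources: replace with the real management, poller and peer addresses.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set policy-options prefix-list SNMP-POLLERS 198.51.100.10/32
set policy-options prefix-list BGP-PEERS 203.0.113.1/32

# SSH (CLI access): accept from management hosts, count and drop the rest.
# Dropping untrusted SSH also stops failed root logins from triggering lockout.
set firewall family inet filter PROTECT-RE term ssh-trusted from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term ssh-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-trusted from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-trusted then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then count ssh-denied
set firewall family inet filter PROTECT-RE term ssh-other then discard

# SNMP: only the pollers may reach snmpd.
set firewall family inet filter PROTECT-RE term snmp-trusted from source-prefix-list SNMP-POLLERS
set firewall family inet filter PROTECT-RE term snmp-trusted from protocol udp
set firewall family inet filter PROTECT-RE term snmp-trusted from destination-port snmp
set firewall family inet filter PROTECT-RE term snmp-trusted then accept
set firewall family inet filter PROTECT-RE term snmp-other from protocol udp
set firewall family inet filter PROTECT-RE term snmp-other from destination-port snmp
set firewall family inet filter PROTECT-RE term snmp-other then count snmp-denied
set firewall family inet filter PROTECT-RE term snmp-other then discard

# BGP: only configured peers may open or continue a session with rpd.
# "port" matches source or destination port, since either side may initiate.
set firewall family inet filter PROTECT-RE term bgp-trusted from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term bgp-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term bgp-trusted from port bgp
set firewall family inet filter PROTECT-RE term bgp-trusted then accept
set firewall family inet filter PROTECT-RE term bgp-other from protocol tcp
set firewall family inet filter PROTECT-RE term bgp-other from port bgp
set firewall family inet filter PROTECT-RE term bgp-other then count bgp-denied
set firewall family inet filter PROTECT-RE term bgp-other then discard

# Everything else is accepted unchanged. A stricter filter would enumerate the
# remaining control-plane protocols and end with a default discard instead.
set firewall family inet filter PROTECT-RE term allow-rest then accept

# Apply to traffic destined to the routing engine (IPv4 only; IPv6 needs an
# equivalent "family inet6" filter).
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# SNMP access list at the daemon level, in addition to the filter above.
set snmp community EXAMPLE-RO authorization read-only
set snmp community EXAMPLE-RO clients 198.51.100.10/32
set snmp community EXAMPLE-RO clients 0.0.0.0/0 restrict

# J-Web: remove the service entirely where it is not needed.
delete system services web-management
```

Activate the change with `commit confirmed` so that a filter which cuts off the administrator's own session is rolled back automatically.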