Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.1737
2017-07 Security Bulletin: Junos OS:
13 July 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Root Compromise -- Existing Account
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2017-10605 CVE-2017-10604 CVE-2017-10603
CVE-2017-10602 CVE-2017-6738 CVE-2017-6737
CVE-2017-6736 CVE-2017-2345 CVE-2017-2344
CVE-2017-2341 CVE-2017-2314 CVE-2014-9425
CVE-2013-6420 CVE-2013-4113 CVE-2012-3365
Reference: ASB-2012.0105
ESB-2017.1644
ESB-2015.1818
ESB-2014.1429
ESB-2013.1784
ESB-2013.0972
Original Bulletin:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10806
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10804
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10805
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10803
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10787
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10779
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10793
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10789
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10792
Comment: This bulletin contains nine (9) Juniper Networks security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
2017-07 Security Bulletin: Junos OS: SRX Series: Cluster configuration synch
failures occur if the root user account is locked out (CVE-2017-10604)
PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX
series.
PROBLEM:
When the device is configured to perform account lockout with a defined period
of time, any unauthenticated user attempting to log in as root with an
incorrect password can trigger a lockout of the root account. When an SRX
Series device is in cluster mode, and a cluster sync or failover operation
occurs, then there will be errors associated with synch or failover while the
root account is locked out.
Administrators can confirm if the root account is locked out via the following
command
root@device> show system login lockout user root
User Lockout start Lockout end
root 1995-01-01 01:00:01 PDT 1995-11-01 01:31:01 PDT
This issue only affects devices configured to perform account lockout with a
defined period of time; e.g.:
set system services ssh root-login deny
set system login retry-options tries-before-disconnect 5
set system login retry-options minimum-time 30
set system login retry-options lockout-period 30
The root lockout feature is working as expected. It is only a problem when an
SRX Series device is in a cluster configuration mode.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2017-10604.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D65, 12.3X48-D45, 15.1X49-D75, and all subsequent releases.
NOTE: Future SRX-Series releases above 15.1X49 Top of Tree from Junos OS
17.2R1 onward have been proactively resolved.
This issue is being tracked as PR 1222250 and is visible on the Customer
Support website.
WORKAROUND:
The lockout feature does not impact console access for the root account.
Administrators may login via console, and block the offending incoming traffic
which is causing the root account from being locked out via SSH connection
attempts to restore cluster sync services from erroring or failing.
Administrators may block the offending SSH traffic from an upstream device.
Use access lists or firewall filters to limit access to the device only from
trusted administrative hosts, networks and users.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVSS SCORE:
5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
RISK LEVEL:
Medium
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos OS: J-Web: Multiple Vulnerabilities in PHP
software
PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.1X47, 12.3, 12.3X48, 14.2, 15.1,
15.1X49.
PROBLEM:
PHP software included with Junos OS J-Web is updated to resolve the following
issues:
CVE CVSS v2 base score Summary
CVE-2013-6420 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) The asn1_time_to_time_t
function in ext/openssl/openssl.c in PHP does not properly parse (1) notBefore
and (2) notAfter timestamps in X.509 certificates, which allows remote
attackers to execute arbitrary code or cause a denial of service (memory
corruption) via a crafted certificate that is not properly handled by the
openssl_x509_parse function.
CVE-2014-9425 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Double free vulnerability in
the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend
Engine in PHP allows remote attackers to cause a denial of service or possibly
have unspecified other impact via unknown vectors.
CVE-2013-4113 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) ext/xml/xml.c in PHP does not
properly consider parsing depth, which allows remote attackers to cause a
denial of service (heap memory corruption) or possibly have unspecified other
impact via a crafted document that is processed by the xml_parse_into_struct
function.
CVE-2012-3365 5 (AV:N/AC:L/Au:N/C:N/I:P/A:N) The SQLite functionality in PHP
allows remote attackers to bypass the open_basedir protection mechanism via
unspecified vectors.
Affected releases are Juniper Networks Junos OS 12.1X46 prior to 12.1X46-D65,
12.1X47 prior to 12.1X47-D40, 12.1X47-D45; 12.3 prior to 12.3R12-S5; 12.3X48
prior to 12.3X48-D35; 14.2 prior to 14.2R8; 15.1 prior to 15.1R4; 15.1X49
prior to 15.1X49-D50.
These issues affect devices with J-Web enabled.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D65, 12.1X47-D40, 12.1X47-D45, 12.3R12-S5, 12.3X48-D35, 14.2R8,
15.1R4, 15.1X49-D50, 16.1R1, 16.1R1, 16.1R2, and all subsequent releases.
This issue is being tracked as PR 1157572 and is visible on the Customer
Support website.
WORKAROUND:
Methods which may reduce, but not eliminate, the risk for exploitation of this
problem, and which does not mitigate or resolve the underlying problem
include:
o Using access lists or firewall filters to limit access to the device only
from trusted hosts.
o Disabling J-Web
o Limit access to J-Web from only trusted networks
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVSS SCORE:
7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos OS: Local XML Injection through CLI command
can lead to privilege escalation (CVE-2017-10603)
PRODUCT AFFECTED:
This issue affects Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47;
15.1 prior to 15.1R3.
PROBLEM:
An XML injection vulnerability in Junos OS CLI can allow a locally
authenticated user to elevate privileges and run arbitrary commands as the
root user.
This issue was found during internal product security testing.
Affected releases are Juniper Networks Junos OS 15.1X53 prior to 15.1X53-D47,
15.1 prior to 15.1R3.
Junos versions prior to 15.1 are not affected. No other Juniper Networks
products or platforms are affected by this issue.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2017-10603.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 15.1X53-D47, 15.1R3, and all subsequent releases.
This issue is being tracked as PR 1091037 and is visible on the Customer
Support website.
WORKAROUND:
There is no direct workaround to completely eliminate the risk of this
vulnerability.
Use access lists or firewall filters to limit access to the router's CLI only
from trusted hosts. Restrict access to the CLI to only highly trusted
administrators.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVSS SCORE:
7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos OS: buffer overflow vulnerability in Junos
CLI (CVE-2017-10602)
PRODUCT AFFECTED:
This issue affects Junos OS 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.
PROBLEM:
A buffer overflow vulnerability in Junos OS CLI may allow a local
authenticated user with read only privileges and access to Junos CLI, to
execute code with root privileges.
Affected releases are Juniper Networks Junos OS 14.1X53; 14.2 prior to 14.2R6;
15.1 prior to 15.1F5, 15.1F6, 15.1R3; 15.1X49 prior to 15.1X49-D40; 15.1X53
prior to 15.1X53-D47, 15.1X53-D70.
This issue does not affect Junos 14.1 or prior releases.
No other Juniper Networks products or platforms are affected by this issue.
This issue was found during internal product security testing. Juniper SIRT is
not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2017-10602.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: 14.2R6, 15.1F5, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D47, 15.1X53-D70,
16.1R1, and all subsequent releases.
This issue is being tracked as PR 1149652 and is visible on the Customer
Support website.
WORKAROUND:
Use access lists or firewall filters to limit access to the router's CLI only
from trusted hosts. Restrict access to the CLI to only highly trusted
administrators.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVSS SCORE:
7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos: VM to host privilege escalation in platforms
with Junos OS running in a virtualized environment. (CVE-2017-2341)
PRODUCT AFFECTED:
This issue affects Junos OS 14.1X53, 15.1, 15.1X49, 16.1. Affected platforms:
QFX5110, QFX5200, QFX10002, QFX10008, QFX10016, EX4600 and NFX250, EX4600,
vSRX, SRX1500, SRX4100, SRX4200, ACX5000 series.
PROBLEM:
An insufficient authentication vulnerability on platforms where Junos OS
instances are run in a virtualized environment, may allow unprivileged users
on the Junos OS instance to gain access to the host operating environment, and
thus escalate privileges.
This issue only affects products or platforms where Junos OS instances are run
in a virtualized environment, namely vSRX, SRX1500, SRX4100, SRX4200, QFX5110,
QFX5200, QFX10002, QFX10008, QFX10016, ACX5000, EX4600 and NFX250 devices.
This issue does not affect Junos OS where FIPS mode is enabled.
This issue does not affect vMX.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2017-2341.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 14.1X53-D40, 15.1R5, 15.1X49-D70, 16.1R2 and all subsequent
releases.
This issue is being tracked as PR 1161762 and is visible on the Customer
Support website.
WORKAROUND:
Running Junos OS in FIPS mode eliminates this vulnerability.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial release.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVSS SCORE:
8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos: RPD crash due to malformed BGP OPEN message
(CVE-2017-2314)
PRODUCT AFFECTED:
This issue can affect any product or platform running Junos OS with BGP
enabled.
PROBLEM:
Receipt of a malformed BGP OPEN message may cause the routing protocol daemon
(rpd) process to crash and restart. By continuously sending specially crafted
BGP OPEN message packets, an attacker can repetitively crash the rpd process
causing prolonged denial of service.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability,
however, this issue has been seen in a production network due to the BGP
implementation in different vendor's device.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2017-2314.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos 12.3R12-S4, 12.3R13, 12.3R3-S4, 12.3X48-D50, 13.3R10, 13.3R4-S11,
14.1R8-S3, 14.1R9, 14.1X53-D40, 14.1X55-D35, 14.2R4-S7, 14.2R6-S4, 14.2R7,
15.1F2-S11, 15.1F4-S1-J1, 15.1F5-S3, 15.1F6, 15.1R4, 15.1X49-D100,
15.1X53-D33, 15.1X53-D50, 16.1R1, 16.2R1 and all subsequent releases.
This issue is being tracked as PR 1159781 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
While there is no workaround, the risk associated with this issue can be
mitigated by limiting BGP sessions only from trusted peers.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2017-2314: RPD crash due to malformed BGP OPEN message
CVSS SCORE:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos: snmpd denial of service upon receipt of
crafted SNMP packet (CVE-2017-2345)
PRODUCT AFFECTED:
This issue affects Juniper Networks Junos OS 10.2 and above on all products
and platforms.
PROBLEM:
On Junos OS devices with SNMP enabled, a network based attacker with
unfiltered access to the RE can cause the Junos OS snmpd daemon to crash and
restart by sending a crafted SNMP packet. Repeated crashes of the snmpd daemon
can result in a partial denial of service condition. Additionally, it may be
possible to craft a malicious SNMP packet in a way that can result in remote
code execution.
SNMP is disabled in Junos OS by default. Junos OS devices with SNMP disabled
are not affected by this issue.
No other Juniper Networks products or platforms are affected by this
issue.Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue has been assigned CVE-2017-2345.
NOTE: This is a different issue than Cisco CVE-2017-6736, CVE-2017-6737, and
CVE-2017-6738.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10,
14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D44, 14.1X53-D50, 14.2R7-S7, 14.2R8,
15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100,
15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70,
16.1R3-S4, 16.1R4-S3, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1, 17.2R2,
17.3R1, and all subsequent releases.
This issue is being tracked as PR 1282772 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Disable SNMP (disabled by default), utilize edge filtering with source-address
validation (uRPF, etc.), SNMP access lists, and/or SNMPv3 authentication to
limit access to the device only from trusted hosts.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2017-2345: snmpd denial of service upon receipt of crafted SNMP packet
CVSS SCORE:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL:
Critical
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos: SRX Series denial of service vulnerability
in flowd due to crafted DHCP packet (CVE-2017-10605)
PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms:
vSRX or SRX Series with DHCP or DHCP relay configured.
PROBLEM:
On all vSRX and SRX Series devices, when the DHCP or DHCP relay is configured,
specially crafted packet might cause the flowd process to crash, halting or
interrupting traffic from flowing through the device(s).
Repeated crashes of the flowd process may constitute an extended denial of
service condition for the device(s).
If the device is configured in high-availability, the RG1+ (data-plane) will
fail-over to the secondary node.
If the device is configured in stand-alone, there will be temporary traffic
interruption until the flowd process is restored automatically.
Sustained crafted packets may cause the secondary failover node to fail back,
or fail completely, potentially halting flowd on both nodes of the cluster or
causing flip-flop failovers to occur.
No other Juniper Networks products or platforms are affected by this issue.
This issue only affects devices with DHCP or DHCP relay is configured.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability,
however, the issue has been seen in a production network.
This issue has been assigned CVE-2017-10605.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1x46-D67, 12.3X48-D55, 15.1X49-D91, 15.1X49-D100 and all
subsequent releases.
This issue is being tracked as PR 1270493 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
No published workaround exists for this issue.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2017-2314: RPD crash due to malformed BGP OPEN message
CVSS SCORE:
8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- ----------
2017-07 Security Bulletin: Junos: Buffer overflow in sockets library
(CVE-2017-2344)
PRODUCT AFFECTED:
This issue affects Juniper Networks Junos OS on all products and platforms.
PROBLEM:
A routine within an internal Junos OS sockets library is vulnerable to a
buffer overflow. Malicious exploitation of this issue may lead to a denial of
service (kernel panic) or be leveraged as a privilege escalation through local
code execution. The routines are only accessible via programs running on the
device itself, and veriexec restricts arbitrary programs from running on Junos
OS. There are no known exploit vectors utilizing signed binaries shipped with
Junos OS itself.
No other Juniper Networks products or platforms are affected by this issue.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue has been assigned CVE-2017-2344.
SOLUTION:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X46-D67, 12.3X48-D51, 12.3X48-D55, 13.3R10-S2, 14.1R2-S10,
14.1R8-S4, 14.1R9, 14.1X53-D122, 14.1X53-D45, 14.1X53-D50, 14.2R7-S7, 14.2R8,
15.1F2-S18, 15.1F6-S7, 15.1R4-S8, 15.1R5-S5, 15.1R6-S1, 15.1R7, 15.1X49-D100,
15.1X53-D231, 15.1X53-D47, 15.1X53-D48, 15.1X53-D57, 15.1X53-D64, 15.1X53-D70,
16.1R3-S4, 16.1R4-S3, 16.1R4-S4, 16.1R5, 16.2R2, 17.1R1-S3, 17.1R2, 17.2R1-S1,
17.2R2, 17.3R1, and all subsequent releases.
This issue is being tracked as PR 1282562 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Limit access to the Junos CLI only from trusted hosts and administrators.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
MODIFICATION HISTORY:
2017-07-12: Initial Publication
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2017-2344: Junos buffer overflow in sockets library
CVSS SCORE:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWWbm3Ix+lLeg9Ub1AQgWgw/+NegbGrVWRHSLNQAoLw99rH9noCgKtAV8
vg+SEobd71oeWprF+sXbsmEHHM2eEDekceZPRWKdfoR6WVSimrhOgoMTrfnId9oa
EPNnmAFEcwyEXVaxbK+UyKESckLjg/lBPU94h1k8dHBFG0QpDltuuJomLpnMEFiT
10V9XLP7FPsaWfgYZKi5pQ1pVVs5eWK3NlfzpJ1LHlNPqgzCKrB9hy7MkCZax6Wu
tYI2v5o1EH0ViSJrqG2uS7ft0CPzs2CNH37IJ8HYHIGPbRfxRNBYZ4T9T1BGB7U9
T09+AZnYqoZJHwbAQ144ujIfK+00I/3fdlZFor6vNdvljQgCbrPFzeg+bqZQ9zss
AQodXNeIs7HRWJQi9h4rIfV1SCRPWiGsNYY4MmUrYgQTgfcFW//em9lmBJGEmEzd
QLllpn25qUO2sS6mvl42WPFZAKO3g5lkcFJe39D4Oc/DKFfgIdjD2uDt54mL3EhL
6vsj8Mwo87EzoHPjt0t789cScTlFoYGjVY6RvCCAeIgfBxbaYalouL93U8sxljEz
vM5sQi4PmknTreXQbR6irDfiE0H4H54P8B8esknkXtQusH/aHMZmFrXtcyMn8ctF
HbbVPLv74wcSkEgwsh4KPtHoGFL7CiwQmAKdS0Ek++zZ4fU+OD/1gVmtg4wEEAM0
898QHcPlok8=
=6cbp
-----END PGP SIGNATURE-----