Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.2575 2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation (CVE-2016-5195) 12 October 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Juniper Multiple Products Publisher: Juniper Networks Operating System: Juniper Impact/Access: Root Compromise -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2016-5195 Reference: ASB-2016.0103 ESB-2017.1513 ESB-2017.1232 ESB-2017.0970 Original Bulletin: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10807 - --------------------------BEGIN INCLUDED TEXT-------------------- 2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation (CVE-2016-5195) PRODUCT AFFECTED: This issue affects Junos OS 14.1R, 14.1X53, 14.2R, 15.1R, 15.1F, 15.1F, 15.1X49, 15.1X53, 16.1R. Affected platforms: vRR, vMX, SRX, EX, QFX, PTX, T. This issue affects Network and Security Manager 2012.2. This issue affects CTPView 7.1R, 7.2R1, 7.3R. This issue affected Sky Advanced Threat Prevention. PROBLEM: A race condition in Linux allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping. This issue is also known as "Dirty COW." Note for Junos OS in a virtualized environment: Junos OS as Host OS with virtualized Junos Guest OS's; and Junos OS non-virtualized; or Junos OS as the Host OS is not vulnerable to this issue. Customers using Junos OS as a Guest OS in a virtualized Linux-based environment such as VMWare, Wind River Linux, CentOS, Red Hat Enterprise Linux, etc. as the Host OS are advised that exploitation is not possible by default as there is no valid attack vector to exploit the vulnerability that Juniper ships with its products. The underlying Linux kernel in the Host OS may have the vulnerability present in the software packages Juniper provides. Vulnerability scanners may alert that the vulnerability is present if these virtualization packages are used. Should customers make changes to these Host OS Linux packages, customers may inadvertently expose this vulnerability to potential exploitation by an attacker. If customers require a fully-fixed version of Junos OS as Guest OS running on top of a Linux-Based Host OS, then customers should move to a fixed version as listed in the Junos OS Solutions section of the advisory. If Juniper does not provide the underlying package, customers should consult their manufacturer for guidance. Juniper SIRT is not aware of any malicious exploitation of this vulnerability on Juniper devices. However, public exploits are available for this vulnerability. This issue has been assigned CVE-2016-5195. SOLUTION: The following software releases have been updated to resolve this specific issue: Junos OS: 14.1X53-D46, 15.1X49-D80, 15.1X53-D49, 15.1X53-D61, 15.1X53-D470, 16.1R3-S6, and all subsequent releases. Any products using VMWare ESXi images should refer to VMWare's VMSA VMSA-2016-0018 advisory for guidance. NSM: 2012.2R12 CentOS 6.5 Upgrade Package v3, and all subsequent releases. CTP View: 7.1R4, and 7.3R2 and subsequent releases. Sky ATP: CVE-2016-5195 was fixed on Nov 17th 2016 for the Sky ATP cloud hosted service. This issue is being tracked as PR 1227266 for Junos OS, 1226969 for CTPView, 1227267 for Sky ATP and 1227270 for NSM and are visible on the Customer Support website. WORKAROUND: There are no viable workarounds for this issue. It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts. IMPLEMENTATION: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. NSM Maintenance Releases are available at http://support.juniper.net from the "Download Software" links. If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation. MODIFICATION HISTORY: 2017-10-11: Initial Publication. RELATED LINKS: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team CVE-2016-5195 at cve.mitre.org https://dirtycow.ninja/ https://www.vmware.com/security/advisories/VMSA-2016-0018.html https://access.redhat.com/security/vulnerabilities/DirtyCow https://access.redhat.com/security/cve/cve-2016-5195 Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation (CVE-2016-5195) CVSS SCORE: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) RISK LEVEL: High RISK ASSESSMENT: KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWd7+0ox+lLeg9Ub1AQgi0w//TPJjag1cZAZ8IEBovIOohvhO39dizTwn swKS1d1vplUVZO+wpo2FUyOMZYJl5H1JxnSFqWmkZBnBWfJFb5YFnGb4Hs3EmWqG 244gqrBojj/smm7Nro2Gxvp3H+/kZ2P2dPX0MoKGgO0uBiPZAmcUiSbFU/KJjWuP OoF+MGKSYDK7LyBY/jzcdLVUTmiV8dua6rZim78ZHltjCmyeaC+WLXMG5jq2nDQN PhyhFV5p35a98Avpum8/rinHYyzw5Au2hE3uGLumQnR2QyeUcXdgQH+fKFNofWUl KG+S0a98CJJFpJiEJa1B7BsTZabA1YfIyNM3BbD5M1WXPTyM+GOOufwMh0cxjgx/ fpCWzMEA4MynIGcOoBFzW3RATLxwFv+NwVQt1VONmx4H3T0acNp3B9BPJ5htwDtQ MOfG06A1MdMAGOiYWfMj72ujYed4lQVtV64D70LRzT+tIGBmWmiMIYFSAtr2F4If bHxvfRws2Co76fVnbA8ESEgHS1IDjrYkqBQ3HxOq0yqSBtrKdq/qZvKXhh67++V6 fyYeVxc4DwkeyLbi8XwTm178HPWBFTdiF+/zbncH+BnnATbI8cd9SDnoqODaWgT1 ow+VcV1pfc8us+/IrUcGDrL0g0X4ghiTBkRTuph3uSXIpz8D1bp/whxftodSAQhH 0fNF5BUgozw= =U/0q -----END PGP SIGNATURE-----