Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3082
2018-10 Security Bulletin: Junos OS: Multiple Vulnerabilities
11 October 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Root Compromise -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-0052 CVE-2018-0051 CVE-2018-0050
CVE-2018-0049 CVE-2018-0048 CVE-2018-0045
CVE-2018-0043
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10879
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10882
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10883
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10884
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10885
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10886
Comment: This bulletin contains seven (7) security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
2018-10 Security Bulletin: Junos OS: RPD daemon crashes upon
receipt of specific MPLS packet (CVE-2018-0043)
[JSA10877]
Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1F6, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1, 17.2,
17.2X75, 17.3, 17.4.
Problem:
Receipt of a specific MPLS packet may cause the routing protocol
daemon (RPD) process to crash and restart or may lead to remote
code execution.
By continuously sending specific MPLS packets, an attacker can
repeatedly crash the RPD process causing a sustained Denial of
Service.
This issue affects both IPv4 and IPv6.
This issue can only be exploited from within the MPLS domain.
End-users connected to the CE device cannot cause this crash.
Affected releases are Juniper Networks Junos OS:
o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
o 12.3 versions prior to 12.3R12-S10;
o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
o 14.1X53 versions prior to 14.1X53-D130 on QFabric Series;
o 15.1F6 versions prior to 15.1F6-S10;
o 15.1 versions prior to 15.1R4-S9 15.1R7;
o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
Series;
o 15.1X53 versions prior to 15.1X53-D471 15.1X53-D490 on NFX
Series;
o 16.1 versions prior to 16.1R3-S8 16.1R4-S8 16.1R5-S4 16.1R6-S4
16.1R7;
o 16.1X65 versions prior to 16.1X65-D48;
o 16.2 versions prior to 16.2R1-S6 16.2R3;
o 17.1 versions prior to 17.1R1-S7 17.1R2-S6 17.1R3;
o 17.2 versions prior to 17.2R1-S6 17.2R2-S3 17.2R3;
o 17.2X75 versions prior to 17.2X75-D100 17.2X75-D42
17.2X75-D91;
o 17.3 versions prior to 17.3R1-S4 17.3R2-S2 17.3R3;
o 17.4 versions prior to 17.4R1-S3 17.4R2 .
This issue may occurs when the Junos OS device is configured with:
[protocols mpls interface]
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was seen during production usage.
No other Juniper Networks products or platforms are affected by
this issue.
This issue has been assigned CVE-2018-0043.
Solution:
The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75,
14.1X53-D130, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9, 15.1R7,
15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490,
15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S8, 16.1R5-S4,
16.1R6-S4, 16.1R7, 16.1X65-D48, 16.2R1-S6, 16.2R2-S6, 16.2R3,
17.1R1-S7, 17.1R2-S6, 17.1R3, 17.2R1-S6, 17.2R2-S3, 17.2R3,
17.2X75-D100, 17.2X75-D42, 17.2X75-D91, 17.3R1-S4, 17.3R2-S2,
17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5 and all
subsequent releases.
This issue is being tracked as PR 1328058 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
There are no known workarounds for this issue.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Quarterly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Security Vulnerability - How to Contact the Juniper
Networks Security Incident Response Team
o CVE-2018-0043 at cve.mitre.org
o https://kb.juniper.net/JSA10877
CVSS Score:
8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
===============================================================================
2018-10 Security Bulletin: Junos OS: RPD daemon crashes due to
receipt of specific Draft-Rosen MVPN control packet in Draft-Rosen
MVPN configuration (CVE-2018-0045)
[JSA10879]
Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 15.1, 15.1F6,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1.
Problem:
Receipt of a specific Draft-Rosen MVPN control packet may cause
the routing protocol daemon (RPD) process to crash and restart or
may lead to remote code execution. By continuously sending the
same specific Draft-Rosen MVPN control packet, an attacker can
repeatedly crash the RPD process causing a prolonged denial of
service.
This issue may occur when the Junos OS device is configured for
Draft-Rosen multicast virtual private network (MVPN). The VPN is
multicast-enabled and configured to use Protocol Independent
Multicast (PIM) protocol within the VPN.
This issue can only be exploited from the PE device within the
MPLS domain which is capable of forwarding IP multicast traffic in
core.
End-users connected to the CE device cannot cause this crash.
Affected releases are Juniper Networks Junos OS:
o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
o 12.3 versions prior to 12.3R12-S10;
o 12.3X48 versions prior to 12.3X48-D70 on SRX Series;
o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
o 15.1F6;
o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
Series;
o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX
Series;
o 16.1 versions prior to 16.1R4-S9, 16.1R5-S4, 16.1R6-S3,
16.1R7;
o 16.2 versions prior to 16.2R1-S6, 16.2R2-S6, 16.2R3;
o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
o 17.2 versions prior to 17.2R2-S4, 17.2R3;
o 17.3 versions prior to 17.3R2-S2, 17.3R3;
o 17.4 versions prior to 17.4R1-S3, 17.4R2;
o 18.1 versions prior to 18.1R2.
This issue may occurs when the Junos OS device is configured with:
[routing-instances <name> protocols pim mvpn]
[routing-instances <name> provider-tunnel pim-*]
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was seen during production usage.
No other Juniper Networks products or platforms are affected by
this issue.
This issue has been assigned CVE-2018-0045.
Solution:
The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 15.1R4-S9,
15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471,
15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R5-S4,
16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S6, 16.2R3, 17.1R1-S7,
17.1R2-S7, 17.1R3, 17.2R2-S4, 17.2R3, 17.3R2-S2, 17.3R3,
17.4R1-S3, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5 and all subsequent
releases.
This issue is being tracked as PR 1339567 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
There are no known workarounds for this issue.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Quarterly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Security Vulnerability - How to Contact the Juniper
Networks Security Incident Response Team
o CVE-2018-0045 at cve.mitre.org
o https://kb.juniper.net/JSA10879
CVSS Score:
8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
===============================================================================
2018-10 Security Bulletin: Junos OS: Memory exhaustion denial of
service vulnerability in Routing Protocols Daemon (RPD) with
Juniper Extension Toolkit (JET) support (CVE-2018-0048)
[JSA10882]
Product Affected:
This issue affects Junos OS 17.2, 17.2X75, 17.3, 17.4, 18.1.
Problem:
A vulnerability in the Routing Protocols Daemon (RPD) with Juniper
Extension Toolkit (JET) support can allow a network based
unauthenticated attacker to cause a severe memory exhaustion
condition on the device. This can have an adverse impact on the
system performance and availability.
This issue only affects devices with JET support running Junos OS
17.2R1 and subsequent releases. Other versions of Junos OS are
unaffected by this vulnerability.
Affected releases are Juniper Networks Junos OS:
o 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3;
o 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110;
o 17.3 versions prior to 17.3R2-S4, 17.3R3;
o 17.4 versions prior to 17.4R1-S5, 17.4R2;
o 18.1 versions prior to 18.1R2-S3, 18.1R3.
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was found during internal product security testing or
research.
This issue has been assigned CVE-2018-0048.
Solution:
The following software releases have been updated to resolve this
specific issue: 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D102,
17.2X75-D110, 17.3R2-S4, 17.3R3, 17.4R1-S5, 17.4R2, 18.1R2-S3,
18.1R3, 18.2R1, 18.2X75-D10, 18.3R1, and all subsequent releases.
This issue is being tracked as PR 1344177 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
There are no viable workarounds for this issue.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Monthly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Vulnerability - How to Contact the Juniper Networks
Security Incident Response Team
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."
===============================================================================
2018-10 Security Bulletin: Junos OS: Receipt of a specifically
crafted malicious MPLS packet leads to a Junos kernel crash
(CVE-2018-0049)
[JSA10883]
Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4,
18.1, 18.2, 18.2X75.
Problem:
A NULL Pointer Dereference vulnerability in Juniper Networks Junos
OS allows an attacker to cause the Junos OS kernel to crash. A
single packet received by the target victim will cause a Denial of
Service condition. Continued receipt of this specifically crafted
malicious MPLS packet will cause a sustained Denial of Service
condition.
This issue require it to be received on an interface configured to
receive this type of traffic.
Affected releases are Juniper Networks Junos OS:
o 12.1X46 versions above and including 12.1X46-D76 prior to
12.1X46-D81 on SRX Series;
o 12.3R12-S10;
o 12.3X48 versions above and including 12.3X48-D66 prior to
12.3X48-D75 on SRX Series;
o 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300,
EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600,
QFX5100;
o 14.1X53 versions above and including 14.1X53-D115 prior to
14.1X53-D130 on QFabric System;
o 15.1 versions above and including 15.1F6-S10;
o 15.1R4-S9;
o 15.1R6-S6;
o 15.1 versions above and including 15.1R7 prior to 15.1R7-S2;
o 15.1X49 versions above and including 15.1X49-D131 prior to
15.1X49-D150 on SRX100, SRX110, SRX210, SRX220, SRX240m,
SRX550m SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500,
SRX4100, SRX4200, SRX4600 and vSRX;
o 15.1X53 versions above 15.1X53-D233 prior to 15.1X53-D235 on
QFX5200/QFX5110;
o 15.1X53 versions up to and including 15.1X53-D471 prior to
15.1X53-D590 on NFX150, NFX250;
o 15.1X53-D67 on QFX10000 Series;
o 15.1X53-D59 on EX2300/EX3400;
o 16.1 versions above and including 16.1R3-S8;
o 16.1 versions above and including 16.1R4-S9 prior to
16.1R4-S12;
o 16.1 versions above and including 16.1R5-S4;
o 16.1 versions above and including 16.1R6-S3 prior to
16.1R6-S6;
o 16.1 versions above and including 16.1R7 prior to 16.1R7-S2;
o 16.2 versions above and including 16.2R1-S6;
o 16.2 versions above and including 16.2R2-S5 prior to
16.2R2-S7;
o 17.1R1-S7;
o 17.1 versions above and including 17.1R2-S7 prior to
17.1R2-S9;
o 17.2R1-S6;
o 17.2 versions above and including 17.2R2-S4 prior to
17.2R2-S6;
o 17.2X75 versions above and including 17.2X75-D100 prior to
X17.2X75-D101, 17.2X75-D110;
o 17.3 versions above and including 17.3R1-S4 on All non-SRX
Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m
SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100,
SRX4200, SRX4600 and vSRX;
o 17.3 versions above and including 17.3R2-S2 prior to 17.3R2-S4
on All non-SRX Series and SRX100, SRX110, SRX210, SRX220,
SRX240m, SRX550m SRX650, SRX300, SRX320, SRX340, SRX345,
SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 17.3R3 on All non-SRX Series and SRX100, SRX110, SRX210,
SRX220, SRX240m, SRX550m SRX650, SRX300, SRX320, SRX340,
SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 17.4 versions above and including 17.4R1-S3 prior to 17.4R1-S5
on All non-SRX Series and SRX100, SRX110, SRX210, SRX220,
SRX240m, SRX550m SRX650, SRX300, SRX320, SRX340, SRX345,
SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 17.4R2 on All non-SRX Series and SRX100, SRX110, SRX210,
SRX220, SRX240m, SRX550m SRX650, SRX300, SRX320, SRX340,
SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 18.1 versions above and including 18.1R2 prior to 18.1R2-S3,
18.1R3 on All non-SRX Series and SRX100, SRX110, SRX210,
SRX220, SRX240m, SRX550m SRX650, SRX300, SRX320, SRX340,
SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 18.2 versions above and including 18.2R1 prior to 18.2R1-S2,
18.2R1-S3, 18.2R2 on All non-SRX Series and SRX100, SRX110,
SRX210, SRX220, SRX240m, SRX550m SRX650, SRX300, SRX320,
SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
o 18.2X75 versions above and including 18.2X75-D5 prior to
18.2X75-D20.
The following minimal protocols configuration is required:
[protocols mpls interface]
Juniper SIRT is aware of possible malicious network probing which
may have triggered this issue, but not aware of any malicious
exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2018-0049.
Solution:
The following software releases have been updated to resolve this
specific issue: 12.1X46-D81, 12.3R12-S11, 12.3X48-D75,
14.1X53-D130, 14.1X53-D48, 15.1R7-S2, 15.1X49-D150, 15.1X53-D235,
15.1X53-D495, 15.1X53-D68, 15.1X53-D590, 16.1R4-S12, 16.1R6-S6,
16.1R7-S2, 16.1X65-D48, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3,
17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D101, 17.2X75-D110,
17.3R2-S4, 17.3R3-S1, 17.3R4, 17.4R1-S5, 17.4R2-S1, 17.4R3,
18.1R2-S3, 18.1R3, 18.2R1-S2, 18.2R1-S3, 18.2R2, 18.2X75-D20,
18.3R1, and all subsequent releases.
Additionally, the following software releases have been
re-released to the Juniper download pages to resolve this specific
issue:
12.1X46-D76.1, 12.3X48-D70.4, 14.1X53-D47.6, 15.1F6-S10.11,
15.1R6-S6.2, 15.1R7.9, 15.1X49-D140.3, 15.1X53-D233.2,
15.1X53-D59.4, 15.1X53-D67.6, 16.1R6-S3.2, 16.1R7-S1.2, 16.1R7.8,
17.2X75-D100.6, 17.3R2-S2.2, 17.3R3.10, 17.4R1-S3.4, 18.1R2.6.
Note: The final ".xy" numeric entry, for example the .4 in
12.3X48-D70.4, on a release in this notice is the respin release
number. Customer's should check the respin release number on the
version of Junos OS to confirm vulnerability.
This issue is being tracked as PR 1380862 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
The following table is designed to assist with identifying a fix
path for your product. Each product has multiple potential fix
paths. First, there is the updated release of Junos. If you are
using an affected release of Junos that is listed in the Updated
column, the only change to the updated release is PR 1380862.
Second, there is the next fixed in release location which contains
at least PR 1380862, and other fixes, and potentially feature
additions. Third, there are certain releases which are
proactively fixed and those are called out. These proactively
fixed releases were never exposed to this issue. Not all affected
release trains have fixes. In those instances, customers should
either Update to a reissued release, or upgrade to a fixed in
release listed in the table below. For additional configuration,
update and upgrade assistance, please contact your account
manager, or JTAC for assistance.
Product and Fixed and
platforms Affected releases reissued Junos Fixed in
release
12.3 (all = 12.3R12-S10 None >= 12.3R12-S11
platforms)
12.1X46 (SRX >= 12.1X46-D76 and
Branch < 12.1X46-D81 12.1X46-D76.1 >= 12.1X46-D81
Series*)
12.3X48 (SRX >= 12.3X48-D66 and
Branch < 12.3X48-D75 12.3X48-D70.4 >= 12.3X48-D75
Series*)
14.1X53 (EX
and QFX = 14.1X53-D47 14.1X53-D47.6 >= 14.1X53-D48
Series)
14.1X53 >= 14.1X53-D115 and >=
(QFabric < 14.1X53-D130 None 14.1X53-D130
System)
>= 15.1F6-S10 15.1F6-S10.11 None
15.1 (all >= 15.1R4-S9 None None
platforms) >= 15.1R6-S6 15.1R6-S6.2 None
>= 15.1R7 and 15.1R7.9 >= 15.1R7-S2
< 15.1R7-S2
15.1X49 (SRX >= 15.1X49-D131 and >=
Branch < 15.1X49-D150 15.1X49-D140.3 15.1X49-D150
Series*)
15.1X53 >= 15.1X53-D233 and >=
(QFX5200/ < 15.1X53-D235 15.1X53-D233.2 15.1X53-D235
QFX5110)
15.1X53 >= 15.1X53-D471 and >=
(NFX150, < 15.1X53-D495 None 15.1X53-D495
NFX250)
15.1X53
(QFX10000 = 15.1X53-D67 15.1X53-D67.6 >= 15.1X53-D68
Series)
15.1X53 >= 15.1X53-D59 and >=
(EX2300/ < 15.1X53-D590 15.1X53-D59.4 15.1X53-D590
EX3400)
>= 16.1R3-S8 None None
>= 16.1R4-S9 and None >= 16.1R4-S12
< 16.1R4-S12
16.1 (all >= 16.1R5-S4 None None
platforms) >= 16.1R6-S3 and 16.1R6-S3.2 >= 16.1R6-S6
< 16.1R6-S6
>= 16.1R7 and 16.1R7.8 and >= 16.1R7-S2
< 16.1R7-S2 16.1R7-S1.2
16.1X65 >= 16.1X65-D48
(PTX1000 Not affected Not affected (proactive
Series) fix)
>= 16.2R1-S6 None None
16.2 (all >= 16.2R2-S5 and >= 16.2R2-S7
platforms) < 16.2R2-S7 None and
>= 16.2R3
>= 17.1R1-S7 None None
17.1 (all >= 17.1R2-S7 and >= 17.1R2-S9
platforms) < 17.1R2-S9 None and
>= 17.1R3
>= 17.2R1-S7
= 17.2R1-S6 None and
17.2 (all >= 17.2R3
platforms) >= 17.2R2-S4 and >= 17.2R2-S6
< 17.2R2-S6 None and
>= 17.2R3
>=
17.2X75-D101
17.2X75 = 17.2X75-D100 17.2X75-D100.6 and
>=
17.2X75-D110
>= 17.3R1-S4 None None
17.3 (all >= 17.3R2-S2 and 17.3R2-S2.2 >= 17.3R2-S4
platforms) See < 17.3R2-S4. and
Note-1 = 17.3R3 17.3R3.10 >= 17.3R3-S1
and
>= 17.4R1-S3 and >= 17.4R1-S5
< 17.4R1-S5 17.4R1-S3.4 and
17.4 (all >= 17.4R3
platforms) >= 17.4R2-S1
= 17.4R2 None and
>= 17.4R3
18.1 (all >= 18.1R2 and >= 18.1R2-S3
platforms) < either 18.1R2-S3, 18.1R2.6 and
or 18.1R3 >= 18.1R3
18.2 (all >= 18.2R1 and < >= 18.2R1-S2
platforms) either 18.2R1-S2, or None and
18.2R2 >= 18.2R2
18.2X75 >= 18.2X75-D5 and None >= 18.2X75-D20
< 18.2X75-D20
* SRX Branch Series devices include SRX100, SRX110, SRX210,
SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345,
SRX1500, SRX4100, SRX4200, SRX4600 and vSRX.
Note-1: From 17.3R1 onward, It is suggested that customers using
releases of Junos on SRX should consider transitioning to
17.4R2-S1, or subsequent releases.
Workaround:
Remove MPLS configuration stanza from interfaces at risk.
There are no other available workarounds for this issue.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Quarterly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Security Vulnerability - How to Contact the Juniper
Networks Security Incident Response Team
o CVE-2018-0049 at cve.mitre.org
o Understanding Junos release numbering
o JUNOS Software updates due to JSA10883
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."
===============================================================================
2018-10 Security Bulletin: Junos OS: Receipt of a malformed MPLS
RSVP packet leads to a Routing Protocols Daemon (RPD) crash
(CVE-2018-0050)
[JSA10884]
Product Affected:
This issue affects Junos OS 14.1, 14.1X53, 14.2.
Problem:
An error handling vulnerability in Routing Protocols Daemon (RPD)
of Juniper Networks Junos OS allows an attacker to cause RPD to
crash. Continued receipt of this malformed MPLS RSVP packet will
cause a sustained Denial of Service condition.
Affected releases are Juniper Networks Junos OS:
o 14.1 versions prior to 14.1R8-S5, 14.1R9;
o 14.1X53 versions prior to 14.1X53-D48 on QFX Switching;
o 14.2 versions prior to 14.1X53-D130 on QFabric System;
o 14.2 versions prior to 14.2R4.
This issue does not affect versions of Junos OS before 14.1R1.
Junos OS RSVP only supports IPv4. IPv6 is not affected by this
issue.
This issue require it to be received on an interface configured to
receive this type of traffic.
The following minimal protocols configurations are required:
[protocols rsvp]
[protocols mpls interface]
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was found during internal product security testing or
research.
This issue has been assigned CVE-2018-0050.
Solution:
The following software releases have been updated to resolve this
specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D130, 14.1X53-D48,
14.2R4, 15.1R1, and all subsequent releases.
This issue is being tracked as PR 1087100 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
Remove MPLS configuration stanzas from interface configurations
that are at risk.
No other workarounds exist for this issue.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Quarterly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Security Vulnerability - How to Contact the Juniper
Networks Security Incident Response Team
o CVE-2018-0050 at cve.mitre.org
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."
===============================================================================
2018-10 Security Bulletin: Junos OS: Denial of Service
vulnerability in MS-PIC, MS-MIC, MS-MPC, MS-DPC and SRX flow
daemon (flowd) related to SIP ALG (CVE-2018-0051)
[JSA10885]
Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1, 15.1F6,
15.1X49, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4.
Problem:
A Denial of Service vulnerability in the SIP application layer
gateway (ALG) component of Junos OS based platforms allows an
attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow
daemon (flowd) process.
This issue affects Junos OS devices with NAT or stateful firewall
configuration in combination with the SIP ALG enabled.
SIP ALG is enabled by default on SRX Series devices except for
SRX-HE devices. SRX-HE devices have SIP ALG disabled by default.
The status of ALGs in SRX device can be obtained by executing the
command:
show security alg status
Affected releases are Juniper Networks Junos OS:
o 12.1X46 versions prior to 12.1X46-D77;
o 12.3X48 versions prior to 12.3X48-D70;
o 15.1X49 versions prior to 15.1X49-D140;
o 15.1 versions prior to 15.1R4-S9, 15.1R7-S1;
o 15.1F6;
o 16.1 versions prior to 16.1R4-S9, 16.1R6-S1, 16.1R7;
o 16.2 versions prior to 16.2R2-S7, 16.2R3;
o 17.1 versions prior to 17.1R2-S7, 17.1R3;
o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
o 17.3 versions prior to 17.3R1-S5, 17.3R2-S2, 17.3R3;
o 17.4 versions prior to 17.4R2.
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was seen during production usage.
No other Juniper Networks products or platforms are affected by
this issue.
This issue has been assigned CVE-2018-0051.
Solution:
The following software releases have been updated to resolve these
specific issues: 12.1X46-D77, 12.3X48-D70, 12.3X48-D75,
14.1X53-D47, 15.1R4-S9, 15.1R7-S1, 15.1X49-D140, 15.1X53-D471,
15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R6-S1,
16.1R7, 16.2R2-S7, 16.2R3, 17.1R2-S7, 17.1R3, 17.2R1-S6,
17.2R2-S4, 17.2R3, 17.3R1-S5, 17.3R2-S2, 17.3R3, 17.4R2, 18.1R1,
18.1X75-D10, 18.2R1, 18.2X75-D5, and all subsequent releases.
This fix has also been proactively committed into other releases
that might not support SIP ALG configuration.
This issue is being tracked as PR 1326394 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
Disable the use of the SIP ALG feature if it is not needed.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Quarterly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Security Vulnerability - How to Contact the Juniper
Networks Security Incident Response Team
o CVE-2018-0051 at cve.mitre.org
o https://kb.juniper.net/JSA10885
CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level:
High
===============================================================================
2018-10 Security Bulletin: Junos OS: Unauthenticated remote root
access possible when RSH service is enabled (CVE-2018-0052)
[JSA10886]
Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4,
18.2X75.
Problem:
If RSH service is enabled on Junos OS and if the PAM
authentication is disabled, a remote unauthenticated attacker can
obtain root access to the device.
RSH service is disabled by default on Junos. There is no
documented CLI command to enable this service. However, an
undocumented CLI command allows a privileged Junos user to enable
RSH service and disable PAM, and hence expose the system to
unauthenticated root access.
When RSH is enabled, the device is listing to RSH connections on
port 514.
This issue is not exploitable on platforms where Junos release is
based on FreeBSD 10+. Please see https://www.juniper.net/
documentation/en_US/junos/topics/topic-map/
junos-kernel-freebsd-upgraded.html for a list of platforms and
Junos Releases that are based in FreeBSD 10 or later.
Affected releases are Juniper Networks Junos OS:
o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
o 12.3 versions prior to 12.3R12-S10;
o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
o 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX
Series;
o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110
Series;
o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX
Series;
o 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4,
16.1R6-S4, 16.1R7;
o 16.2 versions prior to 16.2R2-S5;
o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
o 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91;
o 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
o 17.4 versions prior to 17.4R1-S3, 17.4R2;
o 18.2X75 versions prior to 18.2X75-D5.
This issue only affects configurations where RSH service is
enabled and the PAM authentication is disabled.
Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.
This issue was found during internal product security testing or
research.
This issue has been assigned CVE-2018-0052.
Solution:
This CLI option has been removed from the fixed Junos releases.
The following software releases have been updated to resolve this
specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75,
14.1X53-D47, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131,
15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490,
15.1X53-D59, 15.1X53-D67, 16.1R3-S9, 16.1R4-S9, 16.1R5-S4,
16.1R6-S4, 16.1R7, 16.2R2-S5, 17.1R1-S7, 17.1R2-S7, 17.1R3,
17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D91,
17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1,
18.2X75-D5, and all subsequent releases.
This issue is being tracked as PR 1288932 which is visible on the
Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are
beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
1. Ensure there is no RSH service listening on port 514.
2. Utilize common security BCPs to limit the exploitable surface
by limiting access to network and device to trusted systems,
administrators, networks and hosts.
Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.
Modification History:
2018-10-10: Initial publication
Related Links:
o KB16613: Overview of the Juniper Networks SIRT Monthly
Security Bulletin Publication Process
o KB16765: In which releases are vulnerabilities fixed?
o KB16446: Common Vulnerability Scoring System (CVSS) and
Juniper's Security Advisories
o Report a Vulnerability - How to Contact the Juniper Networks
Security Incident Response Team
CVSS Score:
7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW76m3maOgq3Tt24GAQiRNA//SfP6z16uai5F2fO9RKgdTzMmrRm8xGtX
E/1txo6/l9rQ9Y5olJiCdlFhBHJMYRtakSPXLCR/ZfdFSHUe8OGYC4ro9igWoAIZ
VMfNlHcJATFBvw6FMT/LcjBDWrg8Ck4dg76xk6kTSSPuZZPRJ2Xia0O55s0AAQpa
YekgFNVkmFG9grESK1VSPKtgH7aR2/vp8Ur4Em0vI7zc39KPl+I7jUbeT3OPlIOC
Z31OK2N9b79fnkfMhnaAVezvKlkfgxJUYD+wofz1IdJmbCpKP6G90Mv1f77pqCSR
h1gIUigoeZgOr4jBPxInaNRP74T7LkRLsNibzV54Pq58n8k/AGAn9A4hLfIKqeks
PI9A6EPcUBqnPkksq1M0LuzoEIWWEc4sW8/Uy3wPik3AfEV1I+gHeh4TMwbuemC3
ld5Il2ozQn8LrP4YtrbvGzqWh6xLxN79pbr05wlTvgRa4uX3StZJ9fLbSGLiLxDj
ltxvhYxU20GnJtlX2ysZ2VKVk8jOYt7RfaFDmLQZeD5S6Z66icDn64cfWj+gmeO4
eEickVsOZJZxi7M5NLnWrCq4P2iRymAoSlP8V2oVJ3KH0IhG799laMoCy4m57OUI
pWejeNoEoaD/jd0Uw3udw0PApIpFM6icj/1DexZaMGHomJ6FovPJ1aQyZRp/Ax/7
5O0DoISHxVs=
=VQg7
-----END PGP SIGNATURE-----