===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.3082
2018-10 Security Bulletin: Junos OS: Multiple Vulnerabilities
11 October 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise   -- Remote/Unauthenticated
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0052 CVE-2018-0051 CVE-2018-0050
                   CVE-2018-0049 CVE-2018-0048 CVE-2018-0045
                   CVE-2018-0043

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10879
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10882
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10883
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10884
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10885
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10886

Comment: This bulletin contains seven (7) security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2018-10 Security Bulletin: Junos OS: RPD daemon crashes upon receipt of specific MPLS packet (CVE-2018-0043) [JSA10877]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1F6, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4.

Problem:

Receipt of a specific MPLS packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. By continuously sending specific MPLS packets, an attacker can repeatedly crash the RPD process causing a sustained Denial of Service.

This issue affects both IPv4 and IPv6. This issue can only be exploited from within the MPLS domain.
End-users connected to the CE device cannot cause this crash.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
  o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
  o 14.1X53 versions prior to 14.1X53-D130 on QFabric Series;
  o 15.1F6 versions prior to 15.1F6-S10;
  o 15.1 versions prior to 15.1R4-S9, 15.1R7;
  o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series;
  o 16.1 versions prior to 16.1R3-S8, 16.1R4-S8, 16.1R5-S4, 16.1R6-S4, 16.1R7;
  o 16.1X65 versions prior to 16.1X65-D48;
  o 16.2 versions prior to 16.2R1-S6, 16.2R3;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S6, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S3, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D100, 17.2X75-D42, 17.2X75-D91;
  o 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2.

This issue may occur when the Junos OS device is configured with:

  [protocols mpls interface]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2018-0043.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75, 14.1X53-D130, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S8, 16.1R5-S4, 16.1R6-S4, 16.1R7, 16.1X65-D48, 16.2R1-S6, 16.2R2-S6, 16.2R3, 17.1R1-S7, 17.1R2-S6, 17.1R3, 17.2R1-S6, 17.2R2-S3, 17.2R3, 17.2X75-D100, 17.2X75-D42, 17.2X75-D91, 17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5 and all subsequent releases.

This issue is being tracked as PR 1328058 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-0043 at cve.mitre.org
  o https://kb.juniper.net/JSA10877

CVSS Score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High

===============================================================================

2018-10 Security Bulletin: Junos OS: RPD daemon crashes due to receipt of specific Draft-Rosen MVPN control packet in Draft-Rosen MVPN configuration (CVE-2018-0045) [JSA10879]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 15.1, 15.1F6, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1.

Problem:

Receipt of a specific Draft-Rosen MVPN control packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. By continuously sending the same specific Draft-Rosen MVPN control packet, an attacker can repeatedly crash the RPD process causing a prolonged denial of service.

This issue may occur when the Junos OS device is configured for Draft-Rosen multicast virtual private network (MVPN). The VPN is multicast-enabled and configured to use Protocol Independent Multicast (PIM) protocol within the VPN.

This issue can only be exploited from the PE device within the MPLS domain which is capable of forwarding IP multicast traffic in core. End-users connected to the CE device cannot cause this crash.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D70 on SRX Series;
  o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
  o 15.1F6;
  o 15.1X49 versions prior to 15.1X49-D140 on SRX Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series;
  o 16.1 versions prior to 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7;
  o 16.2 versions prior to 16.2R1-S6, 16.2R2-S6, 16.2R3;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R2-S4, 17.2R3;
  o 17.3 versions prior to 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2;
  o 18.1 versions prior to 18.1R2.

This issue may occur when the Junos OS device is configured with:

  [routing-instances <name> protocols pim mvpn]
  [routing-instances <name> provider-tunnel pim-*]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2018-0045.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S6, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R2-S4, 17.2R3, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5 and all subsequent releases.

This issue is being tracked as PR 1339567 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

There are no known workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-0045 at cve.mitre.org
  o https://kb.juniper.net/JSA10879

CVSS Score: 8.8 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High

===============================================================================

2018-10 Security Bulletin: Junos OS: Memory exhaustion denial of service vulnerability in Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support (CVE-2018-0048) [JSA10882]

Product Affected:

This issue affects Junos OS 17.2, 17.2X75, 17.3, 17.4, 18.1.

Problem:

A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support can allow a network based unauthenticated attacker to cause a severe memory exhaustion condition on the device. This can have an adverse impact on the system performance and availability.

This issue only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. Other versions of Junos OS are unaffected by this vulnerability.

Affected releases are Juniper Networks Junos OS:

  o 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110;
  o 17.3 versions prior to 17.3R2-S4, 17.3R3;
  o 17.4 versions prior to 17.4R1-S5, 17.4R2;
  o 18.1 versions prior to 18.1R2-S3, 18.1R3.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0048.

Solution:

The following software releases have been updated to resolve this specific issue: 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D102, 17.2X75-D110, 17.3R2-S4, 17.3R3, 17.4R1-S5, 17.4R2, 18.1R2-S3, 18.1R3, 18.2R1, 18.2X75-D10, 18.3R1, and all subsequent releases.

This issue is being tracked as PR 1344177 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

There are no viable workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================

2018-10 Security Bulletin: Junos OS: Receipt of a specifically crafted malicious MPLS packet leads to a Junos kernel crash (CVE-2018-0049) [JSA10883]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.1, 18.2, 18.2X75.

Problem:

A NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash. A single packet received by the target victim will cause a Denial of Service condition. Continued receipt of this specifically crafted malicious MPLS packet will cause a sustained Denial of Service condition.

This issue requires the packet to be received on an interface configured to receive this type of traffic.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions above and including 12.1X46-D76 prior to 12.1X46-D81 on SRX Series;
  o 12.3R12-S10;
  o 12.3X48 versions above and including 12.3X48-D66 prior to 12.3X48-D75 on SRX Series;
  o 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
  o 14.1X53 versions above and including 14.1X53-D115 prior to 14.1X53-D130 on QFabric System;
  o 15.1 versions above and including 15.1F6-S10;
  o 15.1R4-S9;
  o 15.1R6-S6;
  o 15.1 versions above and including 15.1R7 prior to 15.1R7-S2;
  o 15.1X49 versions above and including 15.1X49-D131 prior to 15.1X49-D150 on SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 15.1X53 versions above 15.1X53-D233 prior to 15.1X53-D235 on QFX5200/QFX5110;
  o 15.1X53 versions up to and including 15.1X53-D471 prior to 15.1X53-D590 on NFX150, NFX250;
  o 15.1X53-D67 on QFX10000 Series;
  o 15.1X53-D59 on EX2300/EX3400;
  o 16.1 versions above and including 16.1R3-S8;
  o 16.1 versions above and including 16.1R4-S9 prior to 16.1R4-S12;
  o 16.1 versions above and including 16.1R5-S4;
  o 16.1 versions above and including 16.1R6-S3 prior to 16.1R6-S6;
  o 16.1 versions above and including 16.1R7 prior to 16.1R7-S2;
  o 16.2 versions above and including 16.2R1-S6;
  o 16.2 versions above and including 16.2R2-S5 prior to 16.2R2-S7;
  o 17.1R1-S7;
  o 17.1 versions above and including 17.1R2-S7 prior to 17.1R2-S9;
  o 17.2R1-S6;
  o 17.2 versions above and including 17.2R2-S4 prior to 17.2R2-S6;
  o 17.2X75 versions above and including 17.2X75-D100 prior to X17.2X75-D101, 17.2X75-D110;
  o 17.3 versions above and including 17.3R1-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.3 versions above and including 17.3R2-S2 prior to 17.3R2-S4 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.3R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.4 versions above and including 17.4R1-S3 prior to 17.4R1-S5 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 17.4R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.1 versions above and including 18.1R2 prior to 18.1R2-S3, 18.1R3 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.2 versions above and including 18.2R1 prior to 18.2R1-S2, 18.2R1-S3, 18.2R2 on All non-SRX Series and SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX;
  o 18.2X75 versions above and including 18.2X75-D5 prior to 18.2X75-D20.

The following minimal protocols configuration is required:

  [protocols mpls interface]

Juniper SIRT is aware of possible malicious network probing which may have triggered this issue, but not aware of any malicious exploitation of this vulnerability. This issue was seen during production usage.

This issue has been assigned CVE-2018-0049.

Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D81, 12.3R12-S11, 12.3X48-D75, 14.1X53-D130, 14.1X53-D48, 15.1R7-S2, 15.1X49-D150, 15.1X53-D235, 15.1X53-D495, 15.1X53-D68, 15.1X53-D590, 16.1R4-S12, 16.1R6-S6, 16.1R7-S2, 16.1X65-D48, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.2X75-D101, 17.2X75-D110, 17.3R2-S4, 17.3R3-S1, 17.3R4, 17.4R1-S5, 17.4R2-S1, 17.4R3, 18.1R2-S3, 18.1R3, 18.2R1-S2, 18.2R1-S3, 18.2R2, 18.2X75-D20, 18.3R1, and all subsequent releases.

Additionally, the following software releases have been re-released to the Juniper download pages to resolve this specific issue: 12.1X46-D76.1, 12.3X48-D70.4, 14.1X53-D47.6, 15.1F6-S10.11, 15.1R6-S6.2, 15.1R7.9, 15.1X49-D140.3, 15.1X53-D233.2, 15.1X53-D59.4, 15.1X53-D67.6, 16.1R6-S3.2, 16.1R7-S1.2, 16.1R7.8, 17.2X75-D100.6, 17.3R2-S2.2, 17.3R3.10, 17.4R1-S3.4, 18.1R2.6.

Note: The final ".xy" numeric entry, for example the .4 in 12.3X48-D70.4, on a release in this notice is the respin release number. Customers should check the respin release number on the version of Junos OS to confirm vulnerability.

This issue is being tracked as PR 1380862 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

The following table is designed to assist with identifying a fix path for your product. Each product has multiple potential fix paths. First, there is the updated release of Junos. If you are using an affected release of Junos that is listed in the Updated column, the only change to the updated release is PR 1380862. Second, there is the next fixed in release location which contains at least PR 1380862, and other fixes, and potentially feature additions. Third, there are certain releases which are proactively fixed and those are called out. These proactively fixed releases were never exposed to this issue.
Not all affected release trains have fixes. In those instances, customers should either update to a reissued release, or upgrade to a fixed in release listed in the table below. For additional configuration, update and upgrade assistance, please contact your account manager, or JTAC for assistance.

Product and platforms           | Affected releases                           | Fixed and reissued Junos | Fixed in release
--------------------------------+---------------------------------------------+--------------------------+----------------------------------------
12.3 (all platforms)            | = 12.3R12-S10                               | None                     | >= 12.3R12-S11
12.1X46 (SRX Branch Series*)    | >= 12.1X46-D76 and < 12.1X46-D81            | 12.1X46-D76.1            | >= 12.1X46-D81
12.3X48 (SRX Branch Series*)    | >= 12.3X48-D66 and < 12.3X48-D75            | 12.3X48-D70.4            | >= 12.3X48-D75
14.1X53 (EX and QFX Series)     | = 14.1X53-D47                               | 14.1X53-D47.6            | >= 14.1X53-D48
14.1X53 (QFabric System)        | >= 14.1X53-D115 and < 14.1X53-D130          | None                     | >= 14.1X53-D130
15.1 (all platforms)            | >= 15.1F6-S10                               | 15.1F6-S10.11            | None
15.1 (all platforms)            | >= 15.1R4-S9                                | None                     | None
15.1 (all platforms)            | >= 15.1R6-S6                                | 15.1R6-S6.2              | None
15.1 (all platforms)            | >= 15.1R7 and < 15.1R7-S2                   | 15.1R7.9                 | >= 15.1R7-S2
15.1X49 (SRX Branch Series*)    | >= 15.1X49-D131 and < 15.1X49-D150          | 15.1X49-D140.3           | >= 15.1X49-D150
15.1X53 (QFX5200/QFX5110)       | >= 15.1X53-D233 and < 15.1X53-D235          | 15.1X53-D233.2           | >= 15.1X53-D235
15.1X53 (NFX150, NFX250)        | >= 15.1X53-D471 and < 15.1X53-D495          | None                     | >= 15.1X53-D495
15.1X53 (QFX10000 Series)       | = 15.1X53-D67                               | 15.1X53-D67.6            | >= 15.1X53-D68
15.1X53 (EX2300/EX3400)         | >= 15.1X53-D59 and < 15.1X53-D590           | 15.1X53-D59.4            | >= 15.1X53-D590
16.1 (all platforms)            | >= 16.1R3-S8                                | None                     | None
16.1 (all platforms)            | >= 16.1R4-S9 and < 16.1R4-S12               | None                     | >= 16.1R4-S12
16.1 (all platforms)            | >= 16.1R5-S4                                | None                     | None
16.1 (all platforms)            | >= 16.1R6-S3 and < 16.1R6-S6                | 16.1R6-S3.2              | >= 16.1R6-S6
16.1 (all platforms)            | >= 16.1R7 and < 16.1R7-S2                   | 16.1R7.8 and 16.1R7-S1.2 | >= 16.1R7-S2
16.1X65 (PTX1000 Series)        | Not affected                                | Not affected             | >= 16.1X65-D48 (proactive fix)
16.2 (all platforms)            | >= 16.2R1-S6                                | None                     | None
16.2 (all platforms)            | >= 16.2R2-S5 and < 16.2R2-S7                | None                     | >= 16.2R2-S7 and >= 16.2R3
17.1 (all platforms)            | >= 17.1R1-S7                                | None                     | None
17.1 (all platforms)            | >= 17.1R2-S7 and < 17.1R2-S9                | None                     | >= 17.1R2-S9 and >= 17.1R3
17.2 (all platforms)            | = 17.2R1-S6                                 | None                     | >= 17.2R1-S7 and >= 17.2R3
17.2 (all platforms)            | >= 17.2R2-S4 and < 17.2R2-S6                | None                     | >= 17.2R2-S6 and >= 17.2R3
17.2X75                         | = 17.2X75-D100                              | 17.2X75-D100.6           | >= 17.2X75-D101 and >= 17.2X75-D110
17.3 (all platforms) See Note-1 | >= 17.3R1-S4                                | None                     | None
17.3 (all platforms) See Note-1 | >= 17.3R2-S2 and < 17.3R2-S4                | 17.3R2-S2.2              | >= 17.3R2-S4 and
17.3 (all platforms) See Note-1 | = 17.3R3                                    | 17.3R3.10                | >= 17.3R3-S1 and
17.4 (all platforms)            | >= 17.4R1-S3 and < 17.4R1-S5                | 17.4R1-S3.4              | >= 17.4R1-S5 and >= 17.4R3
17.4 (all platforms)            | = 17.4R2                                    | None                     | >= 17.4R2-S1 and >= 17.4R3
18.1 (all platforms)            | >= 18.1R2 and < either 18.1R2-S3, or 18.1R3 | 18.1R2.6                 | >= 18.1R2-S3 and >= 18.1R3
18.2 (all platforms)            | >= 18.2R1 and < either 18.2R1-S2, or 18.2R2 | None                     | >= 18.2R1-S2 and >= 18.2R2
18.2X75                         | >= 18.2X75-D5 and < 18.2X75-D20             | None                     | >= 18.2X75-D20

* SRX Branch Series devices include SRX100, SRX110, SRX210, SRX220, SRX240m, SRX550m, SRX650, SRX300, SRX320, SRX340, SRX345, SRX1500, SRX4100, SRX4200, SRX4600 and vSRX.

Note-1: From 17.3R1 onward, it is suggested that customers using releases of Junos on SRX should consider transitioning to 17.4R2-S1, or subsequent releases.

Workaround:

Remove MPLS configuration stanza from interfaces at risk. There are no other available workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-0049 at cve.mitre.org
  o Understanding Junos release numbering
  o JUNOS Software updates due to JSA10883

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

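Added example, not part of the Juniper or AusCERT text: one way to evaluate a device's `show version` string against the "versions prior to" fix lists used in these advisories and against the respin rule in JSA10883. The function names are illustrative, the release lists are copied from this bulletin, and the code assumes that a respin number equal to or higher than a reissued build carries the fix.

```python
import re
from typing import NamedTuple, Optional

# Release lists copied from this bulletin (JSA10877 Solution, JSA10883 re-releases).
FIXED_0043 = """
12.1X46-D77 12.3R12-S10 12.3X48-D75 14.1X53-D130 14.1X53-D47 15.1F6-S10
15.1R4-S9 15.1R7 15.1X49-D140 15.1X53-D233 15.1X53-D471 15.1X53-D490
15.1X53-D59 15.1X53-D67 16.1R3-S8 16.1R4-S8 16.1R5-S4 16.1R6-S4 16.1R7
16.1X65-D48 16.2R1-S6 16.2R2-S6 16.2R3 17.1R1-S7 17.1R2-S6 17.1R3
17.2R1-S6 17.2R2-S3 17.2R3 17.2X75-D100 17.2X75-D42 17.2X75-D91
17.3R1-S4 17.3R2-S2 17.3R3 17.4R1-S3 17.4R2 18.1R1 18.2R1 18.2X75-D5
""".split()
REISSUED_0049 = """
12.1X46-D76.1 12.3X48-D70.4 14.1X53-D47.6 15.1F6-S10.11 15.1R6-S6.2
15.1R7.9 15.1X49-D140.3 15.1X53-D233.2 15.1X53-D59.4 15.1X53-D67.6
16.1R6-S3.2 16.1R7-S1.2 16.1R7.8 17.2X75-D100.6 17.3R2-S2.2 17.3R3.10
17.4R1-S3.4 18.1R2.6
""".split()


class JunosVersion(NamedTuple):
    train: tuple           # (major, minor), e.g. (17, 3)
    kind: str              # 'R', 'X' or 'F'
    rel: int               # number after the kind letter: R2 -> 2, X49 -> 49
    svc: int               # -S<n> / -D<n> number, 0 when absent
    respin: Optional[int]  # trailing ".n" respin number, None when absent


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)([RXF])(\d+)(?:-[SD](\d+))?(?:\.(\d+))?$")


def parse(text: str) -> JunosVersion:
    """Split a release string such as '17.3R2-S2.2' into comparable parts."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {text!r}")
    major, minor, kind, rel, svc, respin = m.groups()
    return JunosVersion((int(major), int(minor)), kind, int(rel),
                        int(svc or 0), None if respin is None else int(respin))


def assess(version: str, fixed=FIXED_0043) -> str:
    """Apply the 'versions prior to A, B, C' convention to an R release.

    Each listed fix covers its own maintenance release (same R number) from
    that service release on; anything above the highest listed R number in
    the train is fixed; any other build in a listed train is vulnerable.
    """
    v = parse(version)
    if v.kind != "R":
        return "platform-specific"   # -D fix numbers depend on the hardware series
    fixes = [f for f in map(parse, fixed) if f.kind == "R"]
    in_train = [f for f in fixes if f.train == v.train]
    if not in_train:
        # "and all subsequent releases": trains newer than any listed are fixed.
        newest = max(f.train for f in fixes)
        return "fixed" if v.train > newest else "not-evaluated"
    for f in in_train:
        if f.rel == v.rel:
            return "fixed" if v.svc >= f.svc else "vulnerable"
    return "fixed" if v.rel > max(f.rel for f in in_train) else "vulnerable"


def respin_check(version: str, reissued=REISSUED_0049) -> Optional[bool]:
    """JSA10883 respin rule: True if the build is the reissued respin or later
    (assumption), False if it is an earlier respin of a reissued release or the
    respin is unknown, None if the release was never reissued."""
    v = parse(version)
    for r in map(parse, reissued):
        if r[:4] == v[:4]:           # same release, ignoring the respin number
            return v.respin is not None and v.respin >= r.respin
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the bulletin.
    for ver in ("17.1R2-S1.3", "17.1R2-S6.1", "15.1R5.2", "18.3R1.9",
                "12.3X48-D70.3", "12.3X48-D70.4"):
        print(f"{ver:16} CVE-2018-0043: {assess(ver):18} "
              f"JSA10883 respin ok: {respin_check(ver)}")
```

`assess` returns `platform-specific` for X-train and F releases because the bulletin ties those fix numbers to particular hardware series, so they have to be matched per platform.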
===============================================================================

2018-10 Security Bulletin: Junos OS: Receipt of a malformed MPLS RSVP packet leads to a Routing Protocols Daemon (RPD) crash (CVE-2018-0050) [JSA10884]

Product Affected:

This issue affects Junos OS 14.1, 14.1X53, 14.2.

Problem:

An error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. Continued receipt of this malformed MPLS RSVP packet will cause a sustained Denial of Service condition.

Affected releases are Juniper Networks Junos OS:

  o 14.1 versions prior to 14.1R8-S5, 14.1R9;
  o 14.1X53 versions prior to 14.1X53-D48 on QFX Switching;
  o 14.2 versions prior to 14.1X53-D130 on QFabric System;
  o 14.2 versions prior to 14.2R4.

This issue does not affect versions of Junos OS before 14.1R1.

Junos OS RSVP only supports IPv4. IPv6 is not affected by this issue.

This issue requires the packet to be received on an interface configured to receive this type of traffic.

The following minimal protocols configurations are required:

  [protocols rsvp]
  [protocols mpls interface]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0050.

Solution:

The following software releases have been updated to resolve this specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D130, 14.1X53-D48, 14.2R4, 15.1R1, and all subsequent releases.

This issue is being tracked as PR 1087100 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

Remove MPLS configuration stanzas from interface configurations that are at risk. No other workarounds exist for this issue.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-0050 at cve.mitre.org

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================================

2018-10 Security Bulletin: Junos OS: Denial of Service vulnerability in MS-PIC, MS-MIC, MS-MPC, MS-DPC and SRX flow daemon (flowd) related to SIP ALG (CVE-2018-0051) [JSA10885]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3X48, 15.1, 15.1F6, 15.1X49, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4.

Problem:

A Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process.

This issue affects Junos OS devices with NAT or stateful firewall configuration in combination with the SIP ALG enabled. SIP ALG is enabled by default on SRX Series devices except for SRX-HE devices. SRX-HE devices have SIP ALG disabled by default.
The status of ALGs in SRX device can be obtained by executing the command:

  show security alg status

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions prior to 12.1X46-D77;
  o 12.3X48 versions prior to 12.3X48-D70;
  o 15.1X49 versions prior to 15.1X49-D140;
  o 15.1 versions prior to 15.1R4-S9, 15.1R7-S1;
  o 15.1F6;
  o 16.1 versions prior to 16.1R4-S9, 16.1R6-S1, 16.1R7;
  o 16.2 versions prior to 16.2R2-S7, 16.2R3;
  o 17.1 versions prior to 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
  o 17.3 versions prior to 17.3R1-S5, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was seen during production usage.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2018-0051.

Solution:

The following software releases have been updated to resolve these specific issues: 12.1X46-D77, 12.3X48-D70, 12.3X48-D75, 14.1X53-D47, 15.1R4-S9, 15.1R7-S1, 15.1X49-D140, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R4-S9, 16.1R6-S1, 16.1R7, 16.2R2-S7, 16.2R3, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.3R1-S5, 17.3R2-S2, 17.3R3, 17.4R2, 18.1R1, 18.1X75-D10, 18.2R1, 18.2X75-D5, and all subsequent releases.

This fix has also been proactively committed into other releases that might not support SIP ALG configuration.

This issue is being tracked as PR 1326394 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

Disable the use of the SIP ALG feature if it is not needed.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2018-0051 at cve.mitre.org
  o https://kb.juniper.net/JSA10885

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

===============================================================================

2018-10 Security Bulletin: Junos OS: Unauthenticated remote root access possible when RSH service is enabled (CVE-2018-0052) [JSA10886]

Product Affected:

This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.2X75.

Problem:

If RSH service is enabled on Junos OS and if the PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device.

RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listening for RSH connections on port 514.

This issue is not exploitable on platforms where Junos release is based on FreeBSD 10+. Please see https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-kernel-freebsd-upgraded.html for a list of platforms and Junos Releases that are based on FreeBSD 10 or later.

Affected releases are Juniper Networks Junos OS:

  o 12.1X46 versions prior to 12.1X46-D77 on SRX Series;
  o 12.3 versions prior to 12.3R12-S10;
  o 12.3X48 versions prior to 12.3X48-D75 on SRX Series;
  o 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series;
  o 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
  o 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX Series;
  o 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series;
  o 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series;
  o 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series;
  o 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series;
  o 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7;
  o 16.2 versions prior to 16.2R2-S5;
  o 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
  o 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91;
  o 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
  o 17.4 versions prior to 17.4R1-S3, 17.4R2;
  o 18.2X75 versions prior to 18.2X75-D5.

This issue only affects configurations where RSH service is enabled and the PAM authentication is disabled.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0052.

Solution:

This CLI option has been removed from the fixed Junos releases.

The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75, 14.1X53-D47, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7, 16.2R2-S5, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D91, 17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5, and all subsequent releases.

This issue is being tracked as PR 1288932 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

  1. Ensure there is no RSH service listening on port 514.
  2. Utilize common security BCPs to limit the exploitable surface by limiting access to network and device to trusted systems, administrators, networks and hosts.

Implementation:

Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.