-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2561
  JSA10939 - 2019-07 Security Bulletin: Steel Belted Radius Carrier Edition:
        Multiple Vulnerabilities in NSPR, NSS and Bouncy Castle
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Steel Belted Radius Carrier Edition
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000613 CVE-2018-1000180 CVE-2018-5382
                   CVE-2016-1000352 CVE-2016-1000346 CVE-2016-1000345
                   CVE-2016-1000344 CVE-2016-1000342 CVE-2016-1000341
                   CVE-2016-1000340 CVE-2016-1000338 CVE-2016-2427
                   CVE-2016-1951 CVE-2016-1938 CVE-2015-7940
                   CVE-2014-1545 CVE-2013-5607 CVE-2013-1741
                   CVE-2013-1624 CVE-2013-0169 CVE-2009-3555
                   CVE-2009-2409 CVE-2009-2408
Reference:         ASB-2019.0122
                   ASB-2018.0174
                   ESB-2019.1481
                   ESB-2018.3217

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10939

- --------------------------BEGIN INCLUDED TEXT--------------------

2019-07 Security Bulletin: Steel Belted Radius Carrier Edition: Multiple
Vulnerabilities in NSPR, NSS and Bouncy Castle

Article ID: JSA10939
Last Updated: 10 Jul 2019
Version: 6.0

Product Affected:
Steel Belted Radius Carrier Edition

Problem:
Multiple vulnerabilities have been resolved in Steel Belted Radius Carrier
Edition by updating third party software included with Steel Belted Radius
Carrier Edition or by fixing vulnerabilities found during internal testing.
These issues potentially affect Steel Belted Radius Carrier Edition:

  o 8.4 versions prior to 8.4R14 on RHEL6 (32-bit), RHEL6 (64-bit), RHEL7,
    Sparc Solaris (32-bit), Sparc Solaris (64-bit);
  o 8.5 versions prior to 8.5R5 on RHEL6 (64-bit), RHEL7,
    Sparc Solaris (64-bit).

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

These issues were discovered during external security research.

Important security issues resolved include (CVE, CVSS score and vector,
summary):

CVE-2016-1951    8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
  Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable
  Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of
  service (buffer overflow) or possibly have unspecified other impact via a
  long string to a PR_*printf function.

CVE-2014-1545    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (out-of-bounds write) via vectors involving the sprintf and console
  functions.

CVE-2013-5607    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Integer overflow in the PL_ArenaAllocate function in Mozilla Netscape
  Portable Runtime (NSPR) before 4.10.2, as used in Firefox before 25.0.1,
  Firefox ESR 17.x before 17.0.11 and 24.x before 24.1.1, and SeaMonkey
  before 2.22.1, allows remote attackers to cause a denial of service
  (application crash) or possibly have unspecified other impact via a
  crafted X.509 certificate, a related issue to CVE-2013-1741.

CVE-2016-1938    6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
  The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network Security
  Services (NSS) before 3.21, as used in Mozilla Firefox before 44.0,
  improperly divides numbers, which might make it easier for remote
  attackers to defeat cryptographic protection mechanisms by leveraging use
  of the (1) mp_div or (2) mp_exptmod function.

CVE-2009-3555    5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used
  in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the
  Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5
  and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier,
  multiple Cisco products, and other products, does not properly associate
  renegotiation handshakes with an existing connection, which allows
  man-in-the-middle attackers to insert data into HTTPS sessions, and
  possibly other types of sessions protected by TLS or SSL, by sending an
  unauthenticated request that is processed retroactively by a server in a
  post-renegotiation context, related to a "plaintext injection" attack,
  aka the "Project Mogul" issue.

CVE-2009-2409    5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  The Network Security Services (NSS) library before 3.12.3, as used in
  Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and
  other products support MD2 with X.509 certificates, which might allow
  remote attackers to spoof certificates by using MD2 design flaws to
  generate a hash collision in less than brute-force time. NOTE: the scope
  of this issue is currently limited because the amount of computation
  required is still large.

CVE-2009-2408    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Mozilla Network Security Services (NSS) before 3.12.3, Firefox before
  3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before 1.1.18 do not
  properly handle a '\0' character in a domain name in the subject's Common
  Name (CN) field of an X.509 certificate, which allows man-in-the-middle
  attackers to spoof arbitrary SSL servers via a crafted certificate issued
  by a legitimate Certification Authority. NOTE: this was originally
  reported for Firefox before 3.5.

CVE-2018-1000613    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not
  including 1.60 contain a CWE-470: Use of Externally-Controlled Input to
  Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT
  private key deserialization: deserializing an XMSS/XMSS^MT private key can
  result in the execution of unexpected code. A handcrafted private key can
  include references to unexpected classes, which will be picked up from the
  class path of the executing application. This vulnerability appears to
  have been fixed in 1.60 and later.

CVE-2018-1000180    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have
  a flaw in the low-level interface to the RSA key pair generator: RSA key
  pairs generated in the low-level API with added certainty may have fewer
  M-R (Miller-Rabin) tests than expected. This appears to be fixed in
  versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

CVE-2018-5382    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is
  only 16 bits long, which can allow an attacker to compromise the integrity
  of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle
  release 1.47 introduces BKS version 2, which uses a 160-bit MAC.

CVE-2016-1000352    7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES
  implementation allowed the use of ECB mode. This mode is regarded as
  unsafe and support for it has been removed from the provider.

CVE-2016-1000346    3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier the other
  party's DH public key is not fully validated. This can cause issues, as
  invalid keys can be used to reveal details about the other party's private
  key where static Diffie-Hellman is in use. As of release 1.56 the key
  parameters are checked on agreement calculation.

CVE-2016-1000345    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES
  CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older,
  in an environment where timings can be easily observed, it is possible
  with enough observations to identify when the decryption is failing due
  to padding.

CVE-2016-1000344    7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES
  implementation allowed the use of ECB mode. This mode is regarded as
  unsafe and support for it has been removed from the provider.

CVE-2016-1000342    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not
  fully validate the ASN.1 encoding of the signature on verification. It is
  possible to inject extra elements in the sequence making up the signature
  and still have it validate, which in some cases may allow the introduction
  of 'invisible' data into a signed structure.

CVE-2016-1000341    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature
  generation is vulnerable to a timing attack. Where timings can be closely
  observed for the generation of signatures, the lack of blinding in 1.55
  or earlier may allow an attacker to gain information about the
  signature's k value and ultimately the private value as well.

CVE-2016-1000340    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry
  propagation bug was introduced in the implementation of squaring for
  several raw math classes (org.bouncycastle.math.raw.Nat); this has since
  been fixed. These classes are used by our custom elliptic curve
  implementations (org.bouncycastle.math.ec.custom.**), so there was the
  possibility of rare (in general usage) spurious calculations for elliptic
  curve scalar multiplications. Such errors would have been detected with
  high probability by the output validation for our scalar multipliers.

CVE-2016-1000338    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  In the Bouncy Castle JCE Provider version 1.55 and earlier DSA does not
  fully validate the ASN.1 encoding of the signature on verification. It is
  possible to inject extra elements in the sequence making up the signature
  and still have it validate, which in some cases may allow the introduction
  of 'invisible' data into a signed structure.

CVE-2015-7940    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  The Bouncy Castle Java library before 1.51 does not validate that a point
  is within the elliptic curve, which makes it easier for remote attackers
  to obtain private keys via a series of crafted elliptic curve
  Diffie-Hellman (ECDH) key exchanges, aka an "invalid curve attack."

CVE-2013-1624    4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
  The TLS implementation in the Bouncy Castle Java library before 1.48 and
  C# library before 1.8 does not properly consider timing side-channel
  attacks on a noncompliant MAC check operation during the processing of
  malformed CBC padding, which allows remote attackers to conduct
  distinguishing attacks and plaintext-recovery attacks via statistical
  analysis of timing data for crafted packets, a related issue to
  CVE-2013-0169.

CVE-2016-2427    5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
  The AES-GCM specification in RFC 5084 recommends 12 octets for the
  aes-ICVlen parameter field, which might make it easier for attackers to
  defeat a cryptographic protection mechanism and discover an authentication
  key via a crafted application.
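The ECDSA and DSA entries above (CVE-2016-1000342, CVE-2016-1000338) describe a verifier that accepts a signature whose DER SEQUENCE carries elements beyond the two INTEGERs r and s, so data can ride along inside a signature that still verifies. The following Python is an added example, not Juniper's or Bouncy Castle's code: it contrasts a lenient parser that stops after r and s with a strict one that rejects extra elements, trailing bytes and non-minimal encodings. The sample signatures are constructed byte strings (r = 1, s = 2), not real signatures.

```python
"""Strict DER parsing of a DSA/ECDSA signature: SEQUENCE { INTEGER r, INTEGER s }.
Added example; the sample byte strings below are constructed, not real signatures."""
from typing import Callable, Tuple


class DerError(ValueError):
    """Raised for anything that is not valid DER for the expected structure."""


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element at buf[pos:], enforcing DER's
    minimal length encoding. Returns (tag, value, position after element)."""
    if pos + 2 > len(buf):
        raise DerError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise DerError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def _der_integer(value: bytes) -> int:
    """Decode a DER INTEGER that must be positive and minimally encoded."""
    if not value:
        raise DerError("empty INTEGER")
    if value[0] & 0x80:
        raise DerError("negative INTEGER")
    if len(value) > 1 and value[0] == 0 and not (value[1] & 0x80):
        raise DerError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(value, "big")


def parse_signature_lenient(sig: bytes) -> Tuple[int, int]:
    """Models the weakness described for CVE-2016-1000338/342: r and s are
    taken from the first two elements and whatever follows them is ignored."""
    tag, body, _ = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    tag_r, r, pos = _read_tlv(body, 0)
    tag_s, s, _ = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02:
        raise DerError("expected INTEGER")
    return _der_integer(r), _der_integer(s)


def parse_signature_strict(sig: bytes) -> Tuple[int, int]:
    """Accepts exactly SEQUENCE { INTEGER r, INTEGER s }: nothing after the
    SEQUENCE and nothing inside it beyond those two elements."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise DerError("expected SEQUENCE")
    if end != len(sig):
        raise DerError("trailing bytes after the signature SEQUENCE")
    tag_r, r, pos = _read_tlv(body, 0)
    if tag_r != 0x02:
        raise DerError("expected INTEGER r")
    tag_s, s, pos = _read_tlv(body, pos)
    if tag_s != 0x02:
        raise DerError("expected INTEGER s")
    if pos != len(body):
        raise DerError("extra elements inside the signature SEQUENCE")
    return _der_integer(r), _der_integer(s)


def accepts(parser: Callable[[bytes], Tuple[int, int]], sig: bytes) -> bool:
    """True if the parser returns (r, s) for sig, False if it rejects it."""
    try:
        parser(sig)
        return True
    except DerError:
        return False


# Constructed samples: r = 1, s = 2 in every case.
GOOD_SIG = bytes.fromhex("3006" "020101" "020102")
# Same r and s, plus a hidden OCTET STRING appended inside the SEQUENCE.
SMUGGLED_SIG = bytes.fromhex("300b" "020101" "020102" "0403deadbe")
# Valid SEQUENCE followed by one stray byte.
TRAILING_SIG = GOOD_SIG + b"\x00"
# r encoded with a redundant leading zero (00 01), which DER forbids.
NONMINIMAL_SIG = bytes.fromhex("3007" "02020001" "020102")

if __name__ == "__main__":
    for name, sig in [("good", GOOD_SIG), ("smuggled", SMUGGLED_SIG),
                      ("trailing", TRAILING_SIG), ("non-minimal", NONMINIMAL_SIG)]:
        print(f"{name:12s} lenient={accepts(parse_signature_lenient, sig)} "
              f"strict={accepts(parse_signature_strict, sig)}")
```

The lenient parser returns (1, 2) for the smuggled and trailing-byte inputs exactly as it does for the clean one, which is why the extra bytes are "invisible" to a verifier built on it; the strict parser rejects both, and both reject the non-minimal integer.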
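CVE-2015-7940 (a point never checked to lie on the curve) and CVE-2016-1000346 (an unvalidated DH public value) in the table above both come down to using the other party's public key without validating it. The following Python is an added example, not Bouncy Castle's or Juniper's code, using constructed toy parameters (the curve y^2 = x^3 + 2x + 3 over GF(97) and the safe prime 23 with q = 11) so the arithmetic is visible; it shows the range and on-curve checks for an EC point and the range and subgroup-membership checks for a DH value.

```python
"""Validating a peer's public key before key agreement. Added example with
toy-sized parameters (constructed for illustration, not production values)."""
from typing import Optional, Tuple

# Toy short-Weierstrass curve y^2 = x^3 + a*x + b over GF(p). Constructed;
# real code uses a standardised curve and its published subgroup order.
TOY_P, TOY_A, TOY_B = 97, 2, 3

# Toy safe prime p = 2q + 1 with q = 11. Constructed; real groups are 2048+ bits.
TOY_DH_P = 23
TOY_DH_Q = 11


def validate_ec_public_key(point: Tuple[int, int], p: int = TOY_P,
                           a: int = TOY_A, b: int = TOY_B) -> Optional[str]:
    """Return None if the point is a usable public key, else the reason it is
    not. The on-curve test is the check missing in CVE-2015-7940: without it
    a peer can supply a point on a different, weaker curve and learn about the
    private scalar from the ECDH result."""
    x, y = point
    if not (0 <= x < p and 0 <= y < p):
        return "coordinate out of field range"
    if (y * y - (x * x * x + a * x + b)) % p != 0:
        return "point is not on the curve"
    return None


def validate_dh_public_key(y: int, p: int = TOY_DH_P,
                           q: int = TOY_DH_Q) -> Optional[str]:
    """Return None if y is a valid public value in the order-q subgroup of a
    safe-prime group, else the reason. These are the range and subgroup checks
    CVE-2016-1000346 notes were absent before Bouncy Castle 1.56."""
    if not (1 < y < p - 1):
        return "public value outside (1, p-1)"
    if pow(y, q, p) != 1:
        return "public value not in the prime-order subgroup"
    return None


if __name__ == "__main__":
    for pt in [(3, 6), (0, 10), (3, 7), (100, 6)]:
        print("EC", pt, validate_ec_public_key(pt))
    for y in [4, 5, 22, 1]:
        print("DH", y, validate_dh_public_key(y))
```

Both functions return a reason string rather than raising so the caller can log why a peer's key was refused; in production the checks run against the real curve parameters and the published subgroup order q, and are applied before any scalar multiplication or exponentiation with the private key.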
Solution:
These issues are resolved in Steel Belted Radius Carrier Edition 8.4R14 on
RHEL6 (32-bit), RHEL6 (64-bit), RHEL7, Sparc Solaris (32-bit), Sparc Solaris
(64-bit) and 8.5R5 on RHEL6 (64-bit), RHEL7, Sparc Solaris (64-bit), and all
subsequent releases.

These issues are being tracked as PR 1397207, 1397301 and 1397304, which are
visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End
of Engineering (EOE) or End of Life (EOL).

Workaround:
There are no known workarounds for these issues.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/ .

Modification History:
  o 2019-07-10: Initial Publication

Related Links:
  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level: Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXSfMHGaOgq3Tt24GAQjWBw/+PgdblTSpH2HVEidlP/NuN+6aXDWIT1sZ sECgQQ0hBjYJy31pTTA85D3f1R8DY23zd6ZXqamMcMgew7eguLVe6o6jocIkM4Mr F+7w6FMEMHjkVxLPkHayYD/tT46oESvP28YdBzQ5GTIuL6x8FJZNTbr6CxUYUPML MPMO8i3u3VvZewOj+160WpgvYFO6z+ehrICHh04B2b3aZ94tNzk4Jsujow0kV+dj x7oySq1L+wuJVucAdEIrl0A5g2tg621+WMJIAHmeOXfc9QbkxrM5KrRvrX9MCjs7 CzRAW6JUgQVX5EIGHWo7zGpTtWn3nVVuHEqrPkazurxUQcHUc2x/GN+gi3CAjy4y uxMH7BPwEwzDuhbzIiq43hQVeASJszCsPpYIFCZ9CPuwtD40h/JlTRJUWo7oxSNs ahLj7jHcs0mJgA4Pv9r2WN+Pqm9Xj4LxdwhGpeFmHspfaiMf67CNRuz+La7P+QeD t0WHxh5LZxrVmlxLLDofUlvjiTaDMyZu+SKR6NcDskw1XRwks7WWh9r+JPT7N8o7 16DtBMz8spXLJoyTmLNCpX2+luYKoV/J33PJeRj4Xa/4Qu5PsljCVNl3dn5jMDMO JCvWEJ8/Atdl3ZazNcQgMXr1g2iCJvBrt2cA4gSau0DEFU/hR27P2g2tuy/O4OG3 d31aeKHPbWs= =/6BF -----END PGP SIGNATURE-----