-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2561
JSA10939 - 2019-07 Security Bulletin: Steel Belted Radius Carrier Edition:
          Multiple Vulnerabilities in NSPR, NSS and Bouncy Castle
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Steel Belted Radius Carrier Edition
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1000613 CVE-2018-1000180 CVE-2018-5382
                   CVE-2016-1000352 CVE-2016-1000346 CVE-2016-1000345
                   CVE-2016-1000344 CVE-2016-1000342 CVE-2016-1000341
                   CVE-2016-1000340 CVE-2016-1000338 CVE-2016-2427
                   CVE-2016-1951 CVE-2016-1938 CVE-2015-7940
                   CVE-2014-1545 CVE-2013-5607 CVE-2013-1741
                   CVE-2013-1624 CVE-2013-0169 CVE-2009-3555
                   CVE-2009-2409 CVE-2009-2408 

Reference:         ASB-2019.0122
                   ASB-2018.0174
                   ESB-2019.1481
                   ESB-2018.3217

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10939

- --------------------------BEGIN INCLUDED TEXT--------------------

2019-07 Security Bulletin: Steel Belted Radius Carrier Edition: 
Multiple Vulnerabilities in NSPR, NSS and Bouncy Castle

Article ID:   JSA10939

Last Updated: 10 Jul 2019

Version:      6.0

Product Affected:
Steel Belted Radius Carrier Edition

Problem:

Multiple vulnerabilities have been resolved in Steel Belted Radius Carrier
Edition by updating third party software included with Steel Belted Radius
Carrier Edition or by fixing vulnerabilities found during internal testing.

These issues potentially affect Steel Belted Radius Carrier Edition:

  o 8.4 versions prior to 8.4R14 on RHEL6 (32-bit), RHEL6 (64-bit), RHEL7,
    Sparc Solaris (32-bit), Sparc Solaris (64-bit);
  o 8.5 versions prior to 8.5R5 on RHEL6 (64-bit), RHEL7, Sparc Solaris
    (64-bit).

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

These issues were discovered during external security research.

Important security issues resolved include:

CVE-2016-1951
  CVSS:    8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H)
  Summary: Multiple integer overflows in io/prprf.c in Mozilla Netscape
           Portable Runtime (NSPR) before 4.12 allow remote attackers to cause
           a denial of service (buffer overflow) or possibly have unspecified
           other impact via a long string to a PR_*printf function.

CVE-2014-1545
  CVSS:    10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Summary: Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows
           remote attackers to execute arbitrary code or cause a denial of
           service (out-of-bounds write) via vectors involving the sprintf and
           console functions.

CVE-2013-5607
  CVSS:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Summary: Integer overflow in the PL_ArenaAllocate function in Mozilla
           Netscape Portable Runtime (NSPR) before 4.10.2, as used in Firefox
           before 25.0.1, Firefox ESR 17.x before 17.0.11 and 24.x before
           24.1.1, and SeaMonkey before 2.22.1, allows remote attackers to
           cause a denial of service (application crash) or possibly have
           unspecified other impact via a crafted X.509 certificate, a related
           issue to CVE-2013-1741.

CVE-2016-1938
  CVSS:    6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
  Summary: The s_mp_div function in lib/freebl/mpi/mpi.c in Mozilla Network
           Security Services (NSS) before 3.21, as used in Mozilla Firefox
           before 44.0, improperly divides numbers, which might make it easier
           for remote attackers to defeat cryptographic protection mechanisms
           by leveraging use of the (1) mp_div or (2) mp_exptmod function.

CVE-2009-3555
  CVSS:    5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  Summary: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as
           used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl
           in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before
           0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services
           (NSS) 3.12.4 and earlier, multiple Cisco products, and other
           products, does not properly associate renegotiation handshakes
           with an existing connection, which allows man-in-the-middle
           attackers to insert data into HTTPS sessions, and possibly other
           types of sessions protected by TLS or SSL, by sending an
           unauthenticated request that is processed retroactively by a
           server in a post-renegotiation context, related to a "plaintext
           injection" attack, aka the "Project Mogul" issue.

CVE-2009-2409
  CVSS:    5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
  Summary: The Network Security Services (NSS) library before 3.12.3, as used
           in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through
           0.9.8k; and other products support MD2 with X.509 certificates,
           which might allow remote attackers to spoof certificates by using
           MD2 design flaws to generate a hash collision in less than
           brute-force time. NOTE: the scope of this issue is currently
           limited because the amount of computation required is still large.

CVE-2009-2408
  CVSS:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
  Summary: Mozilla Network Security Services (NSS) before 3.12.3, Firefox
           before 3.0.13, Thunderbird before 2.0.0.23, and SeaMonkey before
           1.1.18 do not properly handle a '\0' character in a domain name in
           the subject's Common Name (CN) field of an X.509 certificate, which
           allows man-in-the-middle attackers to spoof arbitrary SSL servers
           via a crafted certificate issued by a legitimate Certification
           Authority. NOTE: this was originally reported for Firefox before
           3.5.

CVE-2018-1000613
  CVSS:    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Summary: Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but
           not including 1.60 contain a CWE-470: Use of Externally-Controlled
           Input to Select Classes or Code ('Unsafe Reflection')
           vulnerability in XMSS/XMSS^MT private key deserialization.
           Deserializing an XMSS/XMSS^MT private key can result in the
           execution of unexpected code: a handcrafted private key can
           include references to unexpected classes which will be picked up
           from the class path for the executing application. This
           vulnerability appears to have been fixed in 1.60 and later.

CVE-2018-1000180
  CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Summary: Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and
           earlier have a flaw in the low-level interface to the RSA key pair
           generator: RSA key pairs generated in the low-level API with added
           certainty may have fewer M-R tests than expected. This appears to
           be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and
           later.

CVE-2018-5382
  CVSS:    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Summary: Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC
           that is only 16 bits long, which can allow an attacker to
           compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores
           are vulnerable. Bouncy Castle release 1.47 introduces BKS version
           2, which uses a 160-bit MAC.

CVE-2016-1000352
  CVSS:    7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier the
           ECIES implementation allowed the use of ECB mode. This mode is
           regarded as unsafe and support for it has been removed from the
           provider.

CVE-2016-1000346
  CVSS:    3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier the
           other party's DH public key is not fully validated. This can cause
           issues as invalid keys can be used to reveal details about the
           other party's private key where static Diffie-Hellman is in use.
           As of release 1.56 the key parameters are checked on agreement
           calculation.

CVE-2016-1000345
  CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier the
           DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For
           BC 1.55 and older, in an environment where timings can be easily
           observed, it is possible with enough observations to identify when
           the decryption is failing due to padding.

CVE-2016-1000344
  CVSS:    7.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier the
           DHIES implementation allowed the use of ECB mode. This mode is
           regarded as unsafe and support for it has been removed from the
           provider.

CVE-2016-1000342
  CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA
           does not fully validate the ASN.1 encoding of the signature on
           verification. It is possible to inject extra elements in the
           sequence making up the signature and still have it validate, which
           in some cases may allow the introduction of 'invisible' data into
           a signed structure.

CVE-2016-1000341
  CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier DSA
           signature generation is vulnerable to a timing attack. Where
           timings can be closely observed for the generation of signatures,
           the lack of blinding in 1.55, or earlier, may allow an attacker to
           gain information about the signature's k value and ultimately the
           private value as well.

CVE-2016-1000340
  CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Summary: In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry
           propagation bug was introduced in the implementation of squaring
           for several raw math classes (org.bouncycastle.math.raw.Nat);
           these have been fixed. These classes are used by our custom
           elliptic curve implementations
           (org.bouncycastle.math.ec.custom.**), so there was the possibility
           of rare (in general usage) spurious calculations for elliptic
           curve scalar multiplications. Such errors would have been detected
           with high probability by the output validation for our scalar
           multipliers.

CVE-2016-1000338
  CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
  Summary: In the Bouncy Castle JCE Provider version 1.55 and earlier DSA
           does not fully validate the ASN.1 encoding of the signature on
           verification. It is possible to inject extra elements in the
           sequence making up the signature and still have it validate, which
           in some cases may allow the introduction of 'invisible' data into
           a signed structure.

CVE-2015-7940
  CVSS:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Summary: The Bouncy Castle Java library before 1.51 does not validate that
           a point is within the elliptic curve, which makes it easier for
           remote attackers to obtain private keys via a series of crafted
           elliptic curve Diffie Hellman (ECDH) key exchanges, aka an
           "invalid curve attack."

CVE-2013-1624
  CVSS:    4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
  Summary: The TLS implementation in the Bouncy Castle Java library before
           1.48 and C# library before 1.8 does not properly consider timing
           side-channel attacks on a noncompliant MAC check operation during
           the processing of malformed CBC padding, which allows remote
           attackers to conduct distinguishing attacks and plaintext-recovery
           attacks via statistical analysis of timing data for crafted
           packets, a related issue to CVE-2013-0169.

CVE-2016-2427
  CVSS:    5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
  Summary: The AES-GCM specification in RFC 5084 recommends 12 octets for the
           aes-ICVlen parameter field, which might make it easier for
           attackers to defeat a cryptographic protection mechanism and
           discover an authentication key via a crafted application.
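As an added example (not code from Juniper, Mozilla or Bouncy Castle), the following Python shows the two validation steps whose absence is described in the CVE-2016-1000342 / CVE-2016-1000338 and CVE-2015-7940 entries above: a strict DER decode of an ECDSA/DSA signature that rejects extra elements inside or after the SEQUENCE, placed beside the lenient decode that silently accepts them, and an on-curve check for a peer-supplied ECDH point. The P-256 constants are the public NIST domain parameters; the signature values and the appended element are constructed inputs.

```python
# Added example (not Juniper, NSS or Bouncy Castle code): two input-validation
# checks matching entries in the table above.
#   * CVE-2016-1000342 / CVE-2016-1000338: strict DER decoding of an ECDSA/DSA
#     signature, rejecting extra elements inside or after the SEQUENCE.
#   * CVE-2015-7940: checking that a peer-supplied ECDH point lies on the curve.
# P-256 constants are the public NIST values; all other inputs are constructed.


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short-form and 1- or 2-byte long-form lengths, enough for any
    signature over a standard curve. Non-minimal lengths are rejected (DER)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes not in (1, 2) or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < (0x80 if nbytes == 1 else 0x100):
            raise ValueError("non-minimal DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _der_integer(value):
    """Decode a DER INTEGER body: non-empty, non-negative, minimally encoded."""
    if not value:
        raise ValueError("empty INTEGER")
    if value[0] & 0x80:
        raise ValueError("negative INTEGER in signature")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big")


def parse_signature_strict(sig, order):
    """Decode SEQUENCE { r INTEGER, s INTEGER } and return (r, s).
    Rejects bytes after the SEQUENCE, extra elements inside it, and r or s
    outside [1, order-1]; this is the check the affected versions lacked."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("signature is not a SEQUENCE")
    if end != len(sig):
        raise ValueError("trailing data after signature SEQUENCE")
    tag_r, r_bytes, pos = _read_tlv(body, 0)
    tag_s, s_bytes, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02:
        raise ValueError("r and s must be INTEGERs")
    if pos != len(body):
        raise ValueError("extra elements inside signature SEQUENCE")
    r, s = _der_integer(r_bytes), _der_integer(s_bytes)
    if not (0 < r < order and 0 < s < order):
        raise ValueError("r or s out of range")
    return r, s


def strict_accepts(sig, order):
    """True if parse_signature_strict accepts sig, False on any decode error."""
    try:
        parse_signature_strict(sig, order)
        return True
    except ValueError:
        return False


def parse_signature_lenient(sig):
    """The weak behaviour from the table: read the first two INTEGERs and
    silently ignore whatever follows them. Kept only for comparison."""
    _, body, _ = _read_tlv(sig, 0)
    _, r_bytes, pos = _read_tlv(body, 0)
    _, s_bytes, _ = _read_tlv(body, pos)
    return int.from_bytes(r_bytes, "big"), int.from_bytes(s_bytes, "big")


def _der_length(n):
    """Minimal DER length encoding of n."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_signature(r, s, extra=b""):
    """DER-encode (r, s). `extra` is appended inside the SEQUENCE so a caller
    can construct the 'invisible data' case from CVE-2016-1000342."""
    def integer(n):
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
        return b"\x02" + _der_length(len(raw)) + raw
    body = integer(r) + integer(s) + extra
    return b"\x30" + _der_length(len(body)) + body


# NIST P-256 domain parameters (public constants).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_valid_public_point(x, y, p=P256_P, a=P256_A, b=P256_B):
    """Reject a peer point that is off the curve (the missing check behind
    CVE-2015-7940): coordinates in [0, p) and y^2 = x^3 + ax + b (mod p).
    P-256 has cofactor 1, so no extra subgroup-order check is needed here."""
    if not (0 <= x < p and 0 <= y < p):
        return False
    return (y * y - (x * x * x + a * x + b)) % p == 0


if __name__ == "__main__":
    good = encode_signature(0x123456789ABCDEF0, P256_N - 1)
    smuggled = encode_signature(0x123456789ABCDEF0, P256_N - 1, b"\x04\x03abc")  # constructed
    print("strict:", strict_accepts(good, P256_N), strict_accepts(smuggled, P256_N))
    print("lenient:", parse_signature_lenient(good) == parse_signature_lenient(smuggled))
    print("G on P-256:", is_valid_public_point(P256_GX, P256_GY))
```

The lenient decode returns the same (r, s) for the clean and the smuggled signature, so a verifier built on it would accept both; the strict decode accepts only the clean one. The same discipline applies to any peer-supplied value: for ECDH the point check above runs before the scalar multiplication, not after.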

Solution:
These issues are resolved in Steel Belted Radius Carrier Edition 8.4R14 on
RHEL6 (32-bit), RHEL6 (64-bit), RHEL7, Sparc Solaris (32-bit), Sparc Solaris
(64-bit) and 8.5R5 on RHEL6 (64-bit), RHEL7, Sparc Solaris (64-bit) and all
subsequent releases.

These issues are being tracked as PR 1397207, 1397301 and 1397304, which are
visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:
There are no known workarounds for these issues.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

CVSS Score:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----