===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2563
        Security Bulletin: Junos OS updates address multiple issues
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1559 CVE-2019-0053 CVE-2019-0049

Reference:         ASB-2019.0147
                   ASB-2019.0128
                   ESB-2019.2303
                   ESB-2019.2255

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10943
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10947
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10949

Comment: This bulletin contains three (3) Juniper Networks security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2019-07 Security Bulletin: Junos OS: RPD process crashes when BGP peer restarts (CVE-2019-0049)

Article ID:   JSA10943

Last Updated: 10 Jul 2019

Version:      1.0

Product Affected:
This issue affects all products and platforms running Junos OS.

Problem:

On Junos devices with the BGP graceful restart helper mode enabled or the BGP
graceful restart mechanism enabled, a certain sequence of BGP session restart
on a remote peer that has the graceful restart mechanism enabled may cause the
local routing protocol daemon (RPD) process to crash and restart. Repeated
crashes of the RPD process can cause prolonged Denial of Service (DoS).

Graceful restart helper mode for BGP is enabled by default.

No other Juniper Networks products or platforms are affected by this issue.

Affected releases are Juniper Networks Junos OS:

  o 16.1 versions prior to 16.1R7-S3;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D105;
  o 17.3 versions prior to 17.3R3-S2;
  o 17.4 versions prior to 17.4R1-S7, 17.4R2-S2, 17.4R3;
  o 18.1 versions prior to 18.1R3-S2;
  o 18.2 versions prior to 18.2R2;
  o 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30;
  o 18.3 versions prior to 18.3R1-S4, 18.3R2.

Junos OS releases prior to 16.1R1 are not affected.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0049.

Solution:

The following software releases have been updated to resolve this specific
issue: 16.1R7-S3, 16.2R2-S9, 17.1R3, 17.2R3, 17.2X75-D105, 17.3R3-S2,
17.4R1-S7, 17.4R2-S2, 17.4R3, 18.1R3-S2, 18.2R2, 18.2X75-D12, 18.2X75-D30,
18.3R1-S4, 18.3R2, 18.4R1, and all subsequent releases.
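
Added example (not part of the Juniper or AusCERT text): one way to check an inventory against the affected and fixed lists above. It assumes the usual reading of a multi-entry fix list (a release is fixed if it is at or past a listed fix on its own R line, or at or past the newest listed fix for its train); it handles R releases only, and the function names and inventory are hypothetical.

```python
import re

# Fixed R releases for CVE-2019-0049, copied from the advisory text above.
# The X-train entries (17.2X75, 18.2X75) are omitted: R releases only here.
FIXED_0049 = ["16.1R7-S3", "16.2R2-S9", "17.1R3", "17.2R3", "17.3R3-S2",
              "17.4R1-S7", "17.4R2-S2", "17.4R3", "18.1R3-S2", "18.2R2",
              "18.3R1-S4", "18.3R2"]
FIRST_AFFECTED_TRAIN = (16, 1)  # "releases prior to 16.1R1 are not affected"
FIRST_FIXED_TRAIN = (18, 4)     # "18.4R1, and all subsequent releases"

# e.g. 17.4R2, 17.4R2-S1, 17.4R2-S1.3 (trailing .N is the build spin, ignored)
_VER = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(version):
    """Return ((major, minor), (R, S)); a missing -S part counts as S0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"not a Junos R release: {version!r}")
    major, minor, r, s = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (r, s)

def is_affected(version, fixed=FIXED_0049):
    """True if the release predates every applicable fix for its train."""
    train, rel = parse(version)
    if train < FIRST_AFFECTED_TRAIN or train >= FIRST_FIXED_TRAIN:
        return False
    fixes = [r for t, r in map(parse, fixed) if t == train]
    if not fixes:
        raise ValueError(f"train {train} is not covered by the fix list")
    if rel >= max(fixes):
        return False
    # Older than the newest fix: safe only if its own R line has a listed
    # service release and this release is at or past it.
    return not any(rel[0] == f[0] and rel[1] >= f[1] for f in fixes)

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = {"edge-r1": "17.4R2-S1.2", "edge-r2": "17.4R1-S8",
             "core-r1": "18.4R1.8", "lab-r1": "16.1R6-S9"}

def triage(inventory):
    """Return the sorted hostnames that still need the upgrade."""
    return sorted(h for h, v in inventory.items() if is_affected(v))

if __name__ == "__main__":
    print(triage(INVENTORY))
```

X-train and F releases raise ValueError rather than being guessed at, so they surface for manual review against the advisory.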

This issue is being tracked as PR 1337304 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

This issue can be prevented by disabling the BGP graceful restart mechanism,
including graceful restart helper mode:

[protocols bgp graceful-restart disable]

Furthermore, the risk associated with this issue can be mitigated by limiting
BGP sessions only from trusted peers.

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

  o CVE-2019-0049 at cve.mitre.org

CVSS Score:
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."


--------------------------------------------------------------------------------


2019-07 Security Bulletin: Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053)

Article ID:   JSA10947

Last Updated: 10 Jul 2019

Version:      1.0

Product Affected:
This issue affects all products and platforms running Junos OS.

Problem:

Insufficient validation of environment variables in the telnet client supplied
in Junos OS can lead to stack-based buffer overflows, which can be exploited to
bypass veriexec restrictions on Junos OS. A stack-based overflow is present in
the handling of environment variables when connecting via the telnet client to
remote telnet servers.

This issue only affects the telnet client - accessible from the CLI or shell -
in Junos OS. Inbound telnet services are not affected by this issue.

This issue affects Juniper Networks Junos OS:

  o 12.3 versions prior to 12.3R12-S13;
  o 12.3X48 versions prior to 12.3X48-D80;
  o 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49;
  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S4;
  o 15.1X49 versions prior to 15.1X49-D170;
  o 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591,
    15.1X53-D69;
  o 16.1 versions prior to 16.1R3-S11, 16.1R7-S4;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S4;
  o 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S3;
  o 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3;
  o 18.2X75 versions prior to 18.2X75-D40;
  o 18.3 versions prior to 18.3R1-S3, 18.3R2;
  o 18.4 versions prior to 18.4R1-S2, 18.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2019-0053.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.3R12-S13, 12.3X48-D80, 12.3X48-D85, 14.1X53-D130, 14.1X53-D49,
15.1F6-S12, 15.1R7-S4, 15.1X49-D170, 15.1X53-D237, 15.1X53-D496, 15.1X53-D591,
15.1X53-D69, 16.1R3-S11, 16.1R7-S4, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7,
17.2R3-S1, 17.3R3-S4, 17.4R1-S6, 17.4R2-S3, 17.4R3, 18.1R2-S4, 18.1R3-S3,
18.2R1-S5, 18.2R2-S2, 18.2R3, 18.2X75-D40, 18.3R1-S3, 18.3R2, 18.4R1-S2,
18.4R2, 19.1R1, and all subsequent releases.

This issue is being tracked as PR 1409847 which is visible on the Customer
Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).

Workaround:

Since this issue is specific to outbound telnet connections to a malicious host
from the local telnet client, mitigation includes:

  o limiting access to the Junos CLI and shell to only trusted
    administrators
  o blocking outbound telnet connections via a stateless firewall filter
  o denying access to the 'telnet' command and the Junos shell

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

  o CVE-2019-0053 at cve.mitre.org

CVSS Score:
7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Matthew Hickey,
Hacker House (https://hacker.house/), who reported this issue on
November 12, 2018.


--------------------------------------------------------------------------------


2019-07 Security Bulletin: Junos OS: OpenSSL Security Advisory [26 Feb 2019]

Article ID:   JSA10949

Last Updated: 10 Jul 2019

Version:      1.0

Product Affected:
These issues affect all products and platforms running Junos OS.

Problem:

The OpenSSL project has published a security advisory for a vulnerability
resolved in the OpenSSL library on February 28, 2019.

Affected releases are Juniper Networks Junos OS:

  o 12.3X48 versions prior to 12.3X48-D80;
  o 14.1X53 versions prior to 14.1X53-D51;
  o 15.1 versions prior to 15.1F6-S13, 15.1R7-S4;
  o 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180;
  o 15.1X53 versions prior to 15.1X53-D238, 15.1X53-D591, 15.1X53-D69;
  o 16.1 versions prior to 16.1R7-S5;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S4;
  o 17.4 versions prior to 17.4R1-S7, 17.4R2-S4, 17.4R3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S5;
  o 18.2 versions prior to 18.2R1-S5, 18.2R2-S3, 18.2R3;
  o 18.2X75 versions prior to 18.2X75-D50;
  o 18.3 versions prior to 18.3R1-S3, 18.3R1-S4, 18.3R2;
  o 18.4 versions prior to 18.4R1-S2, 18.4R2;
  o 19.1 versions prior to 19.1R1-S1, 19.1R2.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

These issues were discovered during external security research.

The important security issue resolved is described below:

CVE:     CVE-2019-1559
CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Summary: If an application encounters a fatal protocol error and then calls
         SSL_shutdown() twice (once to send a close_notify, and once to
         receive one) then OpenSSL can respond differently to the calling
         application if a 0 byte record is received with invalid padding
         compared to if a 0 byte record is received with an invalid MAC. If
         the application then behaves differently based on that in a way
         that is detectable to the remote peer, then this amounts to a
         padding oracle that could be used to decrypt data. In order for
         this to be exploitable "non-stitched" ciphersuites must be in use.
         Stitched ciphersuites are optimised implementations of certain
         commonly used ciphersuites. Also the application must call
         SSL_shutdown() twice even if a protocol error has occurred
         (applications should not do this but some do anyway). Fixed in
         OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Solution:

The following software releases have been updated to resolve this specific
issue: 12.3X48-D80, 14.1X53-D51, 15.1F6-S13, 15.1R7-S4, 15.1X49-D171,
15.1X49-D180, 15.1X53-D238, 15.1X53-D591, 15.1X53-D69, 16.1R7-S5, 16.2R2-S9,
17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3-S1, 17.3R3-S4, 17.4R1-S7, 17.4R2-S4,
17.4R3, 18.1R2-S4, 18.1R3-S5, 18.2R1-S5, 18.2R2-S3, 18.2R3, 18.2X75-D50,
18.3R1-S3, 18.3R1-S4, 18.3R2, 18.4R1-S2, 18.4R2, 19.1R1-S1, 19.1R2, 19.2R1, and
all subsequent releases.

This issue is being tracked as PR 1419533 which is visible on the Customer
Support website.

Workaround:

Since SSL is used for remote network configuration and management applications
such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for
this issue in Junos may include:

  o Disable J-Web
  o Disable SSL service for JUNOScript and only use Netconf, which makes use of
    SSH, to make configuration changes
  o Limit access to J-Web and XNM-SSL from only trusted networks
  o Avoid connecting to untrusted servers for file copy operations

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

  o KB16765: In which releases are vulnerabilities fixed

  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team

  o CVE-2019-1559 at cve.mitre.org

CVSS Score:
5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================