===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2019.2563
Security Bulletin: Junos OS updates address multiple issues
12 July 2019
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data          -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-1559 CVE-2019-0053 CVE-2019-0049
Reference:         ASB-2019.0147
                   ASB-2019.0128
                   ESB-2019.2303
                   ESB-2019.2255

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10943
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10947
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10949

Comment: This bulletin contains three (3) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2019-07 Security Bulletin: Junos OS: RPD process crashes when BGP peer restarts (CVE-2019-0049)

Article ID:   JSA10943
Last Updated: 10 Jul 2019
Version:      1.0

Product Affected:
This issue affects all products and platforms running Junos OS.

Problem:
On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a certain sequence of BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart. Repeated crashes of the RPD process can cause prolonged Denial of Service (DoS).

Graceful restart helper mode for BGP is enabled by default.

No other Juniper Networks products or platforms are affected by this issue.
Affected releases are Juniper Networks Junos OS:

  o 16.1 versions prior to 16.1R7-S3;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R3;
  o 17.2X75 versions prior to 17.2X75-D105;
  o 17.3 versions prior to 17.3R3-S2;
  o 17.4 versions prior to 17.4R1-S7, 17.4R2-S2, 17.4R3;
  o 18.1 versions prior to 18.1R3-S2;
  o 18.2 versions prior to 18.2R2;
  o 18.2X75 versions prior to 18.2X75-D12, 18.2X75-D30;
  o 18.3 versions prior to 18.3R1-S4, 18.3R2.

Junos OS releases prior to 16.1R1 are not affected.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2019-0049.

Solution:
The following software releases have been updated to resolve this specific issue: 16.1R7-S3, 16.2R2-S9, 17.1R3, 17.2R3, 17.2X75-D105, 17.3R3-S2, 17.4R1-S7, 17.4R2-S2, 17.4R3, 18.1R3-S2, 18.2R2, 18.2X75-D12, 18.2X75-D30, 18.3R1-S4, 18.3R2, 18.4R1, and all subsequent releases.

This issue is being tracked as PR 1337304 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
This issue can be prevented by disabling the BGP graceful restart mechanism, including graceful restart helper mode:

  [protocols bgp graceful-restart disable]

Furthermore, the risk associated with this issue can be mitigated by limiting BGP sessions only from trusted peers.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
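
As an added example (not part of the Juniper or AusCERT text), the fixed-release list above for CVE-2019-0049 can be turned into a triage check for release strings taken from device inventory. It assumes a release counts as fixed when it is at or beyond the highest listed fix for its train, or is the same or a later service release of a listed R-release; X-train releases (17.2X75, 18.2X75) are returned as "unknown" for manual comparison, and the names `FIXES`, `parse` and `status` are illustrative.

```python
import re

# Fix points for CVE-2019-0049, copied from the advisory text (R-trains only).
FIXES = {
    "16.1": ["16.1R7-S3"],
    "16.2": ["16.2R2-S9"],
    "17.1": ["17.1R3"],
    "17.2": ["17.2R3"],
    "17.3": ["17.3R3-S2"],
    "17.4": ["17.4R1-S7", "17.4R2-S2", "17.4R3"],
    "18.1": ["18.1R3-S2"],
    "18.2": ["18.2R2"],
    "18.3": ["18.3R1-S4", "18.3R2"],
}

# <major>.<minor>R<n>[-S<n>][.<spin>], e.g. 17.4R1-S7 or 18.2R2.6
REL = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(release):
    """Return ((major, minor), r_number, s_number) or None if not an R-release."""
    m = REL.match(release.strip())
    if not m:
        return None
    major, minor, r, s = (int(g or 0) for g in m.groups())
    return (major, minor), r, s

def status(release):
    """Classify a release: not-affected, fixed, vulnerable or unknown."""
    parsed = parse(release)
    if parsed is None:
        return "unknown"            # X-trains, F-releases, malformed input
    train, r, s = parsed
    if train < (16, 1):
        return "not-affected"       # "releases prior to 16.1R1 are not affected"
    if train >= (18, 4):
        return "fixed"              # "18.4R1, and all subsequent releases"
    fixes = FIXES.get("%d.%d" % train)
    if fixes is None:
        return "unknown"
    points = [parse(f)[1:] for f in fixes]
    if (r, s) >= max(points):       # at or past the newest fix on this train
        return "fixed"
    if any(r == fr and s >= fs for fr, fs in points):
        return "fixed"              # same R-release, service release >= fix
    return "vulnerable"

if __name__ == "__main__":
    # Constructed inventory strings, not taken from the bulletin.
    for rel in ["17.4R1-S6", "17.4R2-S2.1", "18.2X75-D12", "15.1R7-S4"]:
        print(rel, status(rel))
```

A "vulnerable" result is about the software release only; exposure also depends on BGP being configured with graceful restart or helper mode left enabled, as the Problem section describes.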
Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2019-0049 at cve.mitre.org

CVSS Score:
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2019-07 Security Bulletin: Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow (CVE-2019-0053)

Article ID:   JSA10947
Last Updated: 10 Jul 2019
Version:      1.0

Product Affected:
This issue affects all products and platforms running Junos OS.

Problem:
Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers.

This issue only affects the telnet client - accessible from the CLI or shell - in Junos OS. Inbound telnet services are not affected by this issue.
This issue affects Juniper Networks Junos OS:

  o 12.3 versions prior to 12.3R12-S13;
  o 12.3X48 versions prior to 12.3X48-D80;
  o 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49;
  o 15.1 versions prior to 15.1F6-S12, 15.1R7-S4;
  o 15.1X49 versions prior to 15.1X49-D170;
  o 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69;
  o 16.1 versions prior to 16.1R3-S11, 16.1R7-S4;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S4;
  o 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S3;
  o 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3;
  o 18.2X75 versions prior to 18.2X75-D40;
  o 18.3 versions prior to 18.3R1-S3, 18.3R2;
  o 18.4 versions prior to 18.4R1-S2, 18.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2019-0053.

Solution:
The following software releases have been updated to resolve this specific issue: 12.3R12-S13, 12.3X48-D80, 12.3X48-D85, 14.1X53-D130, 14.1X53-D49, 15.1F6-S12, 15.1R7-S4, 15.1X49-D170, 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69, 16.1R3-S11, 16.1R7-S4, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3-S1, 17.3R3-S4, 17.4R1-S6, 17.4R2-S3, 17.4R3, 18.1R2-S4, 18.1R3-S3, 18.2R1-S5, 18.2R2-S2, 18.2R3, 18.2X75-D40, 18.3R1-S3, 18.3R2, 18.4R1-S2, 18.4R2, 19.1R1, and all subsequent releases.

This issue is being tracked as PR 1409847 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
Workaround:
Since this issue is specific to outbound telnet connections to a malicious host from the local telnet client, mitigation includes:

  o limiting access to the Junos CLI and shell from only trusted administrators
  o blocking outbound telnet connections via a stateless firewall filter
  o denying access to the 'telnet' command and the Junos shell

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2019-0053 at cve.mitre.org

CVSS Score:
7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Matthew Hickey, Hacker House (https://hacker.house/), who reported this issue on November 12, 2018.

--------------------------------------------------------------------------------

2019-07 Security Bulletin: Junos OS: OpenSSL Security Advisory [26 Feb 2019]

Article ID:   JSA10949
Last Updated: 10 Jul 2019
Version:      1.0

Product Affected:
These issues affect all products and platforms running Junos OS.

Problem:
The OpenSSL project has published a security advisory for a vulnerability resolved in the OpenSSL library on February 28, 2019.
Affected releases are Juniper Networks Junos OS:

  o 12.3X48 versions prior to 12.3X48-D80;
  o 14.1X53 versions prior to 14.1X53-D51;
  o 15.1 versions prior to 15.1F6-S13, 15.1R7-S4;
  o 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180;
  o 15.1X53 versions prior to 15.1X53-D238, 15.1X53-D591, 15.1X53-D69;
  o 16.1 versions prior to 16.1R7-S5;
  o 16.2 versions prior to 16.2R2-S9;
  o 17.1 versions prior to 17.1R3;
  o 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1;
  o 17.3 versions prior to 17.3R3-S4;
  o 17.4 versions prior to 17.4R1-S7, 17.4R2-S4, 17.4R3;
  o 18.1 versions prior to 18.1R2-S4, 18.1R3-S5;
  o 18.2 versions prior to 18.2R1-S5, 18.2R2-S3, 18.2R3;
  o 18.2X75 versions prior to 18.2X75-D50;
  o 18.3 versions prior to 18.3R1-S3, 18.3R1-S4, 18.3R2;
  o 18.4 versions prior to 18.4R1-S2, 18.4R2;
  o 19.1 versions prior to 19.1R1-S1, 19.1R2.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

These issues were discovered during external security research.

The important security issue resolved is described below:

CVE:     CVE-2019-1559
CVSS:    5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Summary: If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway).
Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Solution:
The following software releases have been updated to resolve this specific issue: 12.3X48-D80, 14.1X53-D51, 15.1F6-S13, 15.1R7-S4, 15.1X49-D171, 15.1X49-D180, 15.1X53-D238, 15.1X53-D591, 15.1X53-D69, 16.1R7-S5, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3-S1, 17.3R3-S4, 17.4R1-S7, 17.4R2-S4, 17.4R3, 18.1R2-S4, 18.1R3-S5, 18.2R1-S5, 18.2R2-S3, 18.2R3, 18.2X75-D50, 18.3R1-S3, 18.3R1-S4, 18.3R2, 18.4R1-S2, 18.4R2, 19.1R1-S1, 19.1R2, 19.2R1, and all subsequent releases.

This issue is being tracked as PR 1419533 which is visible on the Customer Support website.

Workaround:
Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:

  o Disabling J-Web
  o Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
  o Limit access to J-Web and XNM-SSL from only trusted networks
  o Avoid connecting to untrusted servers for file copy operations

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:

  o 2019-07-10: Initial Publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o CVE-2019-1559 at cve.mitre.org

CVSS Score:
5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================