-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1456
   JSA11021 - 2020-04 Out of Cycle Security Advisory: Junos OS: Security
        vulnerability in J-Web and web based (HTTP/HTTPS) services
                               28 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1631  

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

- --------------------------BEGIN INCLUDED TEXT--------------------

2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services

Article ID  : JSA11021
Last Updated: 27 Apr 2020
Version     : 3.0

Product Affected:
This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 17.1, 17.2,
17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1.
Problem:

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication,
Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and
Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform
local file inclusion (LFI) or path traversal.

Using this vulnerability, an attacker may be able to inject commands into the
httpd.log, read files with 'world' readable file permission or obtain J-Web
session tokens.

In the case of command injection, as the HTTP service runs as user 'nobody',
the impact of this command injection is limited. (CVSS score 5.3, vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading files with 'world' readable permission, in Junos OS
19.3R1 and above, the unauthenticated attacker would be able to read the
configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/
C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access of anyone
actively logged into J-Web. If an administrator is logged in, the attacker
could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N
/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS
services enabled.

Junos OS devices with HTTP/HTTPS services disabled are not affected.

If HTTP/HTTPS services are enabled, the following command will show the httpd
processes:
user@device> show system processes | match http
5260 - S 0:00.13 /usr/sbin/httpd-gk -N
5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize:

If HTTP/HTTPS services are disabled, there is no impact from this
vulnerability.

If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability
has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/
AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Juniper SIRT has received a single report of this vulnerability being exploited
in the wild. Out of an abundance of caution, we are notifying customers so they
can take appropriate actions.

Indicators of Compromise:

The /var/log/httpd.log may contain indicators that commands have been injected
or that files have been accessed.

The device administrator can look for these indicators by searching for the
string patterns " =*;*& " or " *%3b*& " in /var/log/httpd.log, using the
following command:

user@device> show log httpd.log | match "=*;*&|=*%3b*&"
If this command returns any output, it might be an indication of malicious
attempts or simply scanning activities.

Rotated logs should also be reviewed, using the following command:
user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"
user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

Note that a skilled attacker would likely remove these entries from the local
log file, thus effectively eliminating any reliable signature that the device
had been attacked.
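The check above, as an added example that is not part of Juniper's advisory: a small Python scanner that applies the same indicator to httpd.log and to its gzip-rotated copies. One caveat worth knowing before relying on the one-liner: Junos `| match` is regex-based, so the literal pattern "=*;*&" reads as "zero or more '=', zero or more ';', then '&'" and will fire on any line containing an ampersand. The regex below expresses the intent instead (a parameter value carrying ';' or %3b) and also tests the URL-decoded line so a double-encoded semicolon (%253b) is not missed. The log lines are constructed for illustration and the file paths are hypothetical; the real on-box format may differ, so treat a hit as a trigger for review, not proof of compromise.

```python
"""Added example, not part of Juniper's JSA11021 text: scan Junos httpd.log
files (current and gzip-rotated) for the CVE-2020-1631 indicators the advisory
describes, i.e. query-string values carrying a ';' (raw or URL-encoded as %3b).

Assumptions: SAMPLE_LOG below is constructed for illustration, not a real
Junos httpd.log; the on-box format may differ, so treat a hit as a trigger for
manual review, not proof of compromise.
"""
import gzip
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Tuple
from urllib.parse import unquote

# Junos '| match' is regex-based, so the advisory's literal pattern "=*;*&"
# reads as "zero or more '=', zero or more ';', then '&'" and fires on any
# line containing '&'. This expresses the intent instead: a parameter value
# (text after '=') that contains ';' or %3b, terminated by '&', whitespace,
# a quote, or end of line.
INDICATOR = re.compile(r'=[^&\s"]*(?:;|%3[bB])[^&\s"]*(?:&|(?=[\s"])|$)')


def is_suspicious(line: str) -> bool:
    """True if the line matches raw or after one round of URL-decoding,
    so that a double-encoded semicolon (%253b) is not missed."""
    return bool(INDICATOR.search(line) or INDICATOR.search(unquote(line)))


def find_indicators(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every suspicious line."""
    return [(n, ln.rstrip("\n")) for n, ln in enumerate(lines, 1) if is_suspicious(ln)]


def read_log(path: Path) -> List[str]:
    """Read a plain or gzip-rotated log file (httpd.log, httpd.log.0.gz, ...)."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return fh.readlines()


def scan_logs(paths: Iterable[Path]) -> dict:
    """Map each log path to its list of suspicious (lineno, line) entries."""
    return {str(p): find_indicators(read_log(p)) for p in paths}


# Constructed sample; the first two lines are benign, the rest are the kind
# of semicolon-in-parameter requests the advisory's patterns are meant to catch.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Apr/2020:10:15:03 +0000] "GET /login?user=admin&lang=en HTTP/1.1" 200 512
192.0.2.10 - - [27/Apr/2020:10:15:04 +0000] "GET /static/app.css HTTP/1.1" 200 8801
198.51.100.7 - - [27/Apr/2020:10:16:11 +0000] "GET /login?user=x;id& HTTP/1.1" 200 512
198.51.100.7 - - [27/Apr/2020:10:16:12 +0000] "GET /login?user=x%3bcat%20/etc/passwd HTTP/1.1" 200 512
198.51.100.7 - - [27/Apr/2020:10:16:13 +0000] "GET /login?user=x%253bid&lang=en HTTP/1.1" 200 512
"""


def demo() -> dict:
    """Write the sample as httpd.log and a rotated httpd.log.0.gz, then scan both."""
    workdir = Path(tempfile.mkdtemp())
    (workdir / "httpd.log").write_text(SAMPLE_LOG, encoding="utf-8")
    with gzip.open(workdir / "httpd.log.0.gz", "wt", encoding="utf-8") as fh:
        fh.write(SAMPLE_LOG)
    return scan_logs(sorted(workdir.glob("httpd.log*")))


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {len(hits)} suspicious line(s)")
        for n, line in hits:
            print(f"  line {n}: {line}")
```

To use it against a real device, copy /var/log/httpd.log and /var/log/httpd.log.*.gz off the box (the advisory itself notes an attacker may have scrubbed the local copy, so a syslog collector's copy is the better source) and pass those paths to scan_logs(). Three of the five constructed lines are flagged; the two benign requests with ordinary '&'-separated parameters are not.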

The examples of the config stanza affected by this issue:
[system services web-management http]
[system services web-management https]
[security dynamic-vpn]

This issue was discovered during external security research.

This issue has been assigned CVE-2020-1631.

Solution:

The following software releases have been updated to resolve this specific
issue: 12.3X48-D101, 12.3X48-D105, 15.1X49-D211, 15.1X49-D220, 17.4R3-S2,
18.1R3-S10, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1,
19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all
subsequent releases.

Note: At the time of this publication, the following fixed releases are
available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4,
18.4R3-S2, and 20.1R1-S1; the remaining fixed releases will be made available
at a later date.
The 20.1R1-S1 release is currently available for SRX380 only.

12.3X48-D101 & 15.1X49-D211 releases can be downloaded from the below URLs:

12.3X48-D101 :
Branch SRX-Series Install Package (for SRX100H2, SRX110HE2, SRX210H2, SRX220H2,
SRX240H2, SRX550, SRX650): junos-srxsme-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107438.html
MD5 = b822376f7a385e74499b186cf28c122b
SHA-1 = e6138e45bf9d29e962468e6e114e537142d4cc0d
SHA-256 = b21a9ae9f5d0b0ec25180682193faba7bf54e836fda0eb78babd3df843f90e6a

SRX 1000/3000-Series Install Package : junos-srx1k3k-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107436.html
MD5 = b93229ea43f66b539f22ecc5a9be0f07
SHA-1 = 2c625e9bc155b9fcb4c9a1a371bba473363ee6f0
SHA-256 = 982434f9cde9492e1d80d14c43a7cdcc5261db15a11f65fa7c9881a0fc0cd3db

SRX5000-Series Install Package: junos-srx5000-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107437.html
MD5 = 7dc73801b7680fda42d453d6d3d6f10c
SHA-1 = 05f1eda5ec112c7e2afeebea4d47c007e0a8bd60
SHA-256 = 88d40e4b6b949a5c656c2b5fffa3adb41fe4943fb3e5d9cfaa439e603889e839

15.1X49-D211:
SRX300 & SRX500-Series Install Package: junos-srxsme-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107439.html
MD5 = dfd3428c7f83eb11142bbe32bac2a151
SHA-1 = a22f0ead795c8afb0a4d59d1b9b785c83801cd65
SHA-256 = dc42e24db0e2af7b2e6aaafdaa61f8e658fabc91c8a888efad586a5fbd2fa29a

SRX1500 Install Package: junos-srxentedge-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107442.html
MD5 = 348f2fcd96b31d51b9d71147d09fabd8
SHA-1 = cf8ee775ca1ca12706975fdd0748c1967732c2fe
SHA-256 = 62d460ea531161936f0ac75fa4501bc6cadb700388bdb93b7e706a09e985eff5

SRX4100 and SRX4200 Install Package: junos-srxmr-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107441.html
MD5 = 55b4c96b05b5fd9595a8ee071dbbf438
SHA-1 = ae6d7978964c3be6b632033b3616208e47653617
SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

SRX5000 Series Install Package: junos-srx5000-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107440.html
MD5 = b918fa5a341815ccdb230560539e8725
SHA-1 = 38e912a55f1407e18e1bb8305f854fcd97c1adcb
SHA-256 = c1aaafdd9b23a525236c414e4cf213542246326317070b5e98ac5cccc5fa1e72

vSRX Upgrade TGZ: junos-vsrx-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107452.html
MD5 = 55b4c96b05b5fd9595a8ee071dbbf438
SHA-1 = ae6d7978964c3be6b632033b3616208e47653617
SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

This issue is being tracked in PR 1499280 .

Workaround:

There are no viable workarounds for this issue.

It is highly recommended to disable the HTTP/HTTPS service and DVPN:
user@device# deactivate system services web-management
user@device# deactivate security dynamic-vpn (if DVPN is configured)
user@device# commit
or to allow the HTTP service only from trusted hosts or networks (refer to
https://kb.juniper.net/KB21265 for details on how to limit the HTTP service).

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net
/support/downloads/ .
Modification History:

2020-04-27: Initial Publication

CVSS Score:
8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Liang Bian and Leishen
Song (@rayh4c) of 360 ATA for reporting this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----