-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1456
  JSA11021 - 2020-04 Out of Cycle Security Advisory: Junos OS: Security
           vulnerability in J-Web and web based (HTTP/HTTPS) services
                               28 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-1631

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

- --------------------------BEGIN INCLUDED TEXT--------------------

2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in
J-Web and web based (HTTP/HTTPS) services

Article ID  : JSA11021
Last Updated: 27 Apr 2020
Version     : 3.0

Product Affected:
This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 17.1, 17.2,
17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1.

Problem:
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication,
Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and
Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform
local file inclusion (LFI) or path traversal.

Using this vulnerability, an attacker may be able to inject commands into the
httpd.log, read files with 'world' readable file permission or obtain J-Web
session tokens.

In the case of command injection, as the HTTP service runs as user 'nobody',
the impact of this command injection is limited.
(CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading files with 'world' readable permission, in Junos OS
19.3R1 and above, the unauthenticated attacker would be able to read the
configuration file.
(CVSS score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access as
anyone actively logged into J-Web. If an administrator is logged in, the
attacker could gain administrator access to J-Web.
(CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS
services enabled. Junos OS devices with HTTP/HTTPS services disabled are not
affected.

If HTTP/HTTPS services are enabled, the following command will show the httpd
processes:

  user@device> show system processes | match http
  5260  -  S     0:00.13 /usr/sbin/httpd-gk -N
  5797  -  I     0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize:

  If HTTP/HTTPS services are disabled, there is no impact from this
  vulnerability.

  If HTTP/HTTPS services are enabled and J-Web is not in use, this
  vulnerability has a CVSS score of 5.9
  (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

  If J-Web is enabled, this vulnerability has a CVSS score of 8.8
  (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Juniper SIRT has received a single report of this vulnerability being
exploited in the wild. Out of an abundance of caution, we are notifying
customers so they can take appropriate actions.

Indicators of Compromise:
The /var/log/httpd.log may contain indicators that commands have been injected
or files have been accessed. The device administrator can look for these
indicators by searching for the string patterns "=*;*&" or "=*%3b*&" in
/var/log/httpd.log, using the following command:

  user@device> show log httpd.log | match "=*;*&|=*%3b*&"

If this command returns any output, it might be an indication of malicious
attempts or simply scanning activities.
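For administrators who export httpd.log off the device (for example to a log collector), the same indicator search can be run outside the Junos CLI. The following Python script is an added example, not part of the Juniper advisory or AusCERT bulletin: it scans httpd.log and its gzip-rotated copies for the advisory's patterns. The regex is this example's reading of the advisory's search strings "=*;*&" and "=*%3b*&" as glob-style (a '=' , then a literal or URL-encoded ';', then the next '&'), and the log lines are constructed samples, not real device output.

```python
"""Scan Junos httpd.log files (current and gzip-rotated) for the JSA11021 indicator."""
import gzip
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# The advisory's search strings "=*;*&" and "=*%3b*&" are read here as
# glob-style: a '=' ... then a literal ';' or a URL-encoded one ('%3b', either
# case) ... then the next '&'.  That reading, and the resulting regex, is this
# example's assumption, not text from the advisory.
INDICATOR = re.compile(r"=[^&\s]*(?:;|%3[bB])[^&\s]*&")

# Constructed sample log lines (not real device output): a benign request,
# two that carry the indicator, and one with a ';' outside a query parameter.
SAMPLE_LOG = [
    "GET /login?user=alice&lang=en HTTP/1.1 200",
    "GET /app?id=1;2&x=1 HTTP/1.1 200",
    "GET /app?id=1%3B2&x=1 HTTP/1.1 200",
    "GET /style.css;v=2 HTTP/1.1 200",
]

Hit = Tuple[str, int, str]  # (source file, line number, matching line)


def scan_lines(lines: Iterable[str], source: str = "httpd.log") -> List[Hit]:
    """Return every line that matches the indicator, with its line number."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, 1):
        if INDICATOR.search(line):
            hits.append((source, lineno, line.rstrip("\n")))
    return hits


def scan_log_dir(log_dir: Path) -> List[Hit]:
    """Scan httpd.log plus rotated copies such as httpd.log.0.gz in one pass."""
    hits: List[Hit] = []
    for path in sorted(log_dir.glob("httpd.log*")):
        # gzip.open and open both accept text mode with an explicit encoding.
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            hits.extend(scan_lines(fh, path.name))
    return hits


if __name__ == "__main__":
    # Run against the constructed sample; point scan_log_dir() at a directory
    # holding exported httpd.log* files for real use.
    for source, lineno, line in scan_lines(SAMPLE_LOG):
        print(f"{source}:{lineno}: {line}")
```

A hit means the same thing as output from the advisory's CLI command: a possible attempt or simple scanning, to be reviewed rather than treated as proof of compromise. Because the advisory notes that a skilled attacker would likely remove these entries from the local log, copies of httpd.log kept off the device are the ones worth scanning.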
Rotated logs should also be reviewed, using the following commands:

  user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"
  user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

Note that a skilled attacker would likely remove these entries from the local
log file, thus effectively eliminating any reliable signature that the device
had been attacked.

Examples of the config stanzas affected by this issue:

  [system services web-management http]
  [system services web-management https]
  [security dynamic-vpn]

This issue was discovered during external security research.

This issue has been assigned CVE-2020-1631.

Solution:
The following software releases have been updated to resolve this specific
issue: 12.3X48-D101, 12.3X48-D105, 15.1X49-D211, 15.1X49-D220, 17.4R3-S2,
18.1R3-S10, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1,
19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all
subsequent releases.

Note: At the time of this publication, the following fixed releases are
available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4,
18.4R3-S2, and 20.1R1-S1; the remaining fixed releases will be available at a
later time. The 20.1R1-S1 release is currently available for SRX380 only.
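Deciding whether a fleet's running releases are covered by the fix list above is error-prone by hand because Junos numbers X-train service releases (D numbers) differently from R releases with S levels. The following Python helper is an added example, not Juniper's or AusCERT's tooling: it parses a release string and applies the advisory's "and all subsequent releases" rule conservatively. The release syntax it accepts and the rule it applies (a later R number in an affected train counts as subsequent; an R number with no listed fix that is not later than every listed fix is reported as vulnerable) are this example's assumptions.

```python
"""Compare a Junos release string against the fixed releases listed in JSA11021."""
import re
from typing import Tuple

# Affected trains and fixed releases, copied from the advisory text.
AFFECTED_TRAINS = {
    "12.3", "12.3X48", "14.1X53", "15.1", "15.1X49", "17.1", "17.2", "17.3",
    "17.4", "18.1", "18.2", "18.3", "18.4", "19.1", "19.2", "19.3", "19.4", "20.1",
}
FIXED_RELEASES = [
    "12.3X48-D101", "12.3X48-D105", "15.1X49-D211", "15.1X49-D220", "17.4R3-S2",
    "18.1R3-S10", "18.2R3-S4", "18.3R2-S4", "18.3R3-S2", "18.4R3-S2", "19.1R1-S5",
    "19.1R3-S1", "19.2R2", "19.3R2-S3", "19.3R3", "19.4R1-S2", "19.4R2",
    "20.1R1-S1", "20.1R2",
]

# Assumed release syntax: <major>.<minor>[X<n>] followed by either -D<n>
# (service release on an X train) or R<n>[-S<n>].
VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+(?:X\d+)?)"
    r"(?:-D(?P<d>\d+)|R(?P<r>\d+)(?:-S(?P<s>\d+))?)$"
)

Release = Tuple[str, str, int, int]  # (train, "D" or "R", D-or-R number, S number)


def parse_release(release: str) -> Release:
    """Split a release string such as 18.1R3-S10 or 12.3X48-D101 into fields."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {release!r}")
    if m["d"] is not None:
        return m["train"], "D", int(m["d"]), 0
    return m["train"], "R", int(m["r"]), int(m["s"] or 0)


def assess(release: str) -> str:
    """Classify a release as fixed, vulnerable, or not listed as affected."""
    train, kind, n, s = parse_release(release)
    if train not in AFFECTED_TRAINS:
        return "not listed as affected"
    fixes = [f for f in map(parse_release, FIXED_RELEASES) if f[0] == train]
    if not fixes:
        return "vulnerable: no fixed release listed for this train"
    if kind == "D":
        # D-numbered service releases on an X train form one linear sequence, so
        # anything at or after the first listed fix is a "subsequent release".
        first_fixed = min(f[2] for f in fixes)
        return "fixed" if n >= first_fixed else "vulnerable: below the listed fix"
    # Each R train carries its own S sequence.  A release is taken as fixed only
    # if the advisory lists a fix on the same R number at or below its S level,
    # or if its R number is later than every fix listed for the train.  An R
    # number between listed fixes (e.g. 19.1R2 here) is deliberately reported as
    # vulnerable, since the advisory lists no fix for it.
    same_r = [f for f in fixes if f[2] == n]
    if same_r:
        return "fixed" if s >= same_r[0][3] else "vulnerable: below the listed fix"
    if n > max(f[2] for f in fixes):
        return "fixed"
    return "vulnerable: no fix listed for this R train"


if __name__ == "__main__":
    for candidate in ("18.2R3-S4", "18.2R3", "19.1R2", "12.3X48-D103", "20.2R1"):
        print(f"{candidate:14} {assess(candidate)}")
```

"Not listed as affected" only means the train is absent from this advisory's affected list; it says nothing about other advisories. Availability notes such as 20.1R1-S1 being available for SRX380 only are not modelled, so a "fixed" verdict still needs the download check against the platform.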
12.3X48-D101 & 15.1X49-D211 releases can be downloaded from the URLs below:

12.3X48-D101:

Branch SRX-Series Install Package (for SRX100H2, SRX110HE2, SRX210H2,
SRX220H2, SRX240H2, SRX550, SRX650): junos-srxsme-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107438.html
  MD5     = b822376f7a385e74499b186cf28c122b
  SHA-1   = e6138e45bf9d29e962468e6e114e537142d4cc0d
  SHA-256 = b21a9ae9f5d0b0ec25180682193faba7bf54e836fda0eb78babd3df843f90e6a

SRX 1000/3000-Series Install Package: junos-srx1k3k-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107436.html
  MD5     = b93229ea43f66b539f22ecc5a9be0f07
  SHA-1   = 2c625e9bc155b9fcb4c9a1a371bba473363ee6f0
  SHA-256 = 982434f9cde9492e1d80d14c43a7cdcc5261db15a11f65fa7c9881a0fc0cd3db

SRX5000-Series Install Package: junos-srx5000-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107437.html
  MD5     = 7dc73801b7680fda42d453d6d3d6f10c
  SHA-1   = 05f1eda5ec112c7e2afeebea4d47c007e0a8bd60
  SHA-256 = 88d40e4b6b949a5c656c2b5fffa3adb41fe4943fb3e5d9cfaa439e603889e839

15.1X49-D211:

SRX300 & SRX500-Series Install Package: junos-srxsme-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107439.html
  MD5     = dfd3428c7f83eb11142bbe32bac2a151
  SHA-1   = a22f0ead795c8afb0a4d59d1b9b785c83801cd65
  SHA-256 = dc42e24db0e2af7b2e6aaafdaa61f8e658fabc91c8a888efad586a5fbd2fa29a

SRX1500 Install Package: junos-srxentedge-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107442.html
  MD5     = 348f2fcd96b31d51b9d71147d09fabd8
  SHA-1   = cf8ee775ca1ca12706975fdd0748c1967732c2fe
  SHA-256 = 62d460ea531161936f0ac75fa4501bc6cadb700388bdb93b7e706a09e985eff5

SRX4100 and SRX4200 Install Package: junos-srxmr-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107441.html
  MD5     = 55b4c96b05b5fd9595a8ee071dbbf438
  SHA-1   = ae6d7978964c3be6b632033b3616208e47653617
  SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

SRX5000 Series Install Package: junos-srx5000-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107440.html
  MD5     = b918fa5a341815ccdb230560539e8725
  SHA-1   = 38e912a55f1407e18e1bb8305f854fcd97c1adcb
  SHA-256 = c1aaafdd9b23a525236c414e4cf213542246326317070b5e98ac5cccc5fa1e72

vSRX Upgrade TGZ: junos-vsrx-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107452.html
  MD5     = 55b4c96b05b5fd9595a8ee071dbbf438
  SHA-1   = ae6d7978964c3be6b632033b3616208e47653617
  SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

This issue is being tracked in PR 1499280.

Workaround:
There are no viable workarounds for this issue.

It is highly recommended to disable HTTP/HTTPS service and DVPN:

  user@device# deactivate system services web-management
  user@device# deactivate security dynamic-vpn   (if DVPN is configured)
  user@device# commit

or to allow HTTP service only from trusted hosts or networks (refer to
https://kb.juniper.net/KB21265 for details on how to limit HTTP service).

Implementation:
Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/ .

Modification History:
2020-04-27: Initial Publication

CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Severity Level: High

Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Liang Bian and Leishen
Song (@rayh4c) of 360 ATA for reporting this issue.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXqewUGaOgq3Tt24GAQgscg/9FeauFcbgr7Znuv0yDYabTn3dSTUV45uo
ewryciYpEj8spgxsIi2K3VA4p+7JvKAN/21hFACxYIL9tjzKJCVVLUoemAcOUv0w
yOUzuyrlxlk2t50R6IiWveNVff2yyrFfKjbusegwMJejpZAXuIGpx9gKhyJLUbun
pvGPS+0rR95/M4YTtO6fUX2huAaXX69mZAgk8tzz0ewEJQxrq2/Qdy0UIJenvT83
q+fTEAd84tc1+6pBIYraXn0ttUE95tsFh8yrVDl/Ityyj+iP0gcbVdzIq5GhzbE1
1qgiRRc0QFq2J8paFXaXF9YGuI0ap9/5EJ13rS77vKrfwLeQmRuFJbzjN2Ex04SU
fKFnmGfDKINhQDWiMounrIi4aFqOa2iodj45RsoL3nFzFL/Q/t61t1ySHEzB7QUh
koWClvGDpiZq4fHHfCyGMMUw3sIdK/hUIhUycUENiASAH5XTpkR2aYJPI9ZNhCRw
LVCHPef/p15QAGkgfJReDkJZ3O5lk/gISsY+3KPJjid8p+Vv0qKiyqBshE/biw1x
AqWDNopQSgZKZBSIh7GT/qU8VunQaHVKKard7TVXK8so4uKV6p9h0MJjlV93WWB1
lAfpUTungcClCnby3hv02lXdBQ4RRpsxVI/106/rRQYsOo2Lp1by3GT47P/3NCVY
Mx5R56TjDFI=
=3OnY
-----END PGP SIGNATURE-----