Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1288 JSA11140 - 2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due to a race condition input loopback firewall filters applied to interfaces may not operate even when listed in the running configuration. 16 April 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Junos OS: PTX Series Junos OS: QFX Series Publisher: Juniper Networks Operating System: Juniper Impact/Access: Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-0247 Original Bulletin: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11140 - --------------------------BEGIN INCLUDED TEXT-------------------- 2021-04 Security Bulletin: Junos OS: PTX Series, QFX Series: Due to a race condition input loopback firewall filters applied to interfaces may not operate even when listed in the running configuration. (CVE-2021-0247) Article ID : JSA11140 Last Updated: 15 Apr 2021 Version : 2.0 Product Affected: This issue affects Junos OS 14.1, 14.1X53, 15.1, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2. Affected platforms: PTX Series, QFX Series. Problem: A Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization) vulnerability in the firewall process (dfwd) of Juniper Networks Junos OS allows an attacker to bypass the firewall rule sets applied to the input loopback filter on any interfaces of a device. This issue is detectable by reviewing the PFE firewall rules, as well as the firewall counters and seeing if they are incrementing or not. For example: show firewall Filter: __default_bpdu_filter__ Filter: FILTER-INET-01 Counters: Name Bytes Packets output-match-inet 0 0 <<<<<< missing firewall packet count This issue affects: Juniper Networks Junos OS: o 14.1X53 versions prior to 14.1X53-D53 on QFX Series; o 14.1 versions 14.1R1 and later versions prior to 15.1 versions prior to 15.1R7-S6 on QFX Series, PTX Series; o 15.1X53 versions prior to 15.1X53-D593 on QFX Series; o 16.1 versions prior to 16.1R7-S7 on QFX Series, PTX Series; o 16.2 versions prior to 16.2R2-S11, 16.2R3 on QFX Series, PTX Series; o 17.1 versions prior to 17.1R2-S11, 17.1R3-S2 on QFX Series, PTX Series; o 17.2 versions prior to 17.2R1-S9, 17.2R3-S3 on QFX Series, PTX Series; o 17.3 versions prior to 17.3R2-S5, 17.3R3-S7 on QFX Series, PTX Series; o 17.4 versions prior to 17.4R2-S9, 17.4R3 on QFX Series, PTX Series; o 18.1 versions prior to 18.1R3-S9 on QFX Series, PTX Series; o 18.2 versions prior to 18.2R2-S6, 18.2R3-S3 on QFX Series, PTX Series; o 18.3 versions prior to 18.3R1-S7, 18.3R2-S3, 18.3R3-S1 on QFX Series, PTX Series; o 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3 on QFX Series, PTX Series; o 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 on QFX Series, PTX Series; o 19.2 versions prior to 19.2R1-S3, 19.2R2 on QFX Series, PTX Series. This issue impact all filters families (inet, inet6, etc.) yet only on input loopback filters. It does not does not rely upon the location where a filter is set, impacting both logical and physical interfaces. Configuration examples for input filtering are posted on the support site and in product documentation. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue was seen during production usage. This issue has been assigned CVE-2021-0247 . Solution: The following software releases have been updated to resolve this specific issue: Junos OS 14.1X53-D53, 15.1R7-S6, 15.1X53-D593, 16.1R7-S7, 16.2R2-S11, 16.2R3, 17.1R2-S11, 17.1R3-S2, 17.2R1-S9, 17.2R3-S3, 17.3R2-S5, 17.3R3-S7, 17.4R2-S9, 17.4R3, 18.1R3-S9, 18.2R2-S6, 18.2R3-S3, 18.3R1-S7, 18.3R2-S3, 18.3R3-S1, 18.4R1-S5, 18.4R2-S3, 18.4R3, 19.1R1-S4, 19.1R2-S1, 19.1R3, 19.2R1-S3, 19.2R2, 19.3R1, and all subsequent releases. This issue is being tracked as 1430385 . Workaround: There are no viable workarounds for this issue. Implementation: Software releases or updates are available for download at https:// support.juniper.net/support/downloads/ Modification History: 2021-04-14: Initial Publication. 2021-04-15: Removed spurious 18.4R2-S7 release entry in problem description. CVSS Score: 5.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L) Severity Level: Medium Severity Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories." - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYHje5ONLKJtyKPYoAQiMzQ/8DwTqk5HcKojdutRzMbTRaE3qR3Qn8hnU 0yquz/M+oA+TYA0YXK5hBPC9tmdhXkUEP/dtJc6wgeNIiCqNC2WUA3vtK/m3MViD +1lr9W9uB+VBCma68QDGBGdlfQpES/LxAICSu+65setPIc+GwYK7utYrkxTUPnBv 9DXdY+GWyGWXz8OnpR1jjLZpX+teZPGPJQPWm1Ai+aFj0G2m2lx1mxg8+BEz+fTK G+j3cPr/ciauhEEJyp6Tq5s3pYuT5PnoO+KnsTl/nq0L+IWu8HHToqkM1ggmj94s FzGTDThMUOzujeDXgy6Nm2VtflwK9QJsGpxpVpQwstzwrndvX28N2pZWU+RT2Ebo 9husVrgtEdqZFZuOthonQGXUSVc53SaW3+oXgpsUIdVkNLCsu2VnGBJodPHawlOi yPoFumr4/nAmxBiRPPckYLdVATNkjBY8MS19lPQkex3S5FTbrIFHlyIivZkqgAYx MbzW0dJoPmuryvtBRPSfKTbXmTlFTcPMzeJoaY3dQrjyDOCbO2D0p07l+/k+uA02 YiWsYjJmw0AEAuQNMONvwORbU26jXCIvg+fGnCdr3X4e1fKnmeuRAV7rdlWDE8+B /X1oZAXUwkG08E9WK6x9zQ4XxhQCO1khymG3qzUTWvEEFlRLKdVj6dCw3vWHQkGI hb54Y90MoOA= =x5yL -----END PGP SIGNATURE-----