-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2604
    2021-08 Informational Security Bulletin: Junos Space Log Collector:
          Multiple vulnerabilities found in Log Collector 20.1R1
                               3 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space Log Collector
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20305 CVE-2021-20265 CVE-2021-20233
                   CVE-2021-20225 CVE-2021-3156 CVE-2020-29661
                   CVE-2020-29573 CVE-2020-28374 CVE-2020-27779
                   CVE-2020-27749 CVE-2020-25705 CVE-2020-25647
                   CVE-2020-25643 CVE-2020-25632 CVE-2020-15862
                   CVE-2020-15436 CVE-2020-14385 CVE-2020-14372
                   CVE-2020-14331 CVE-2020-14305 CVE-2020-12825
                   CVE-2020-12723 CVE-2020-12351 CVE-2020-12321
                   CVE-2020-12243 CVE-2020-10878 CVE-2020-10543
                   CVE-2020-8698 CVE-2020-8625 CVE-2020-8622
                   CVE-2020-7595 CVE-2020-1472 CVE-2019-25013
                   CVE-2019-20907 CVE-2019-20636 CVE-2019-20388
                   CVE-2019-20095 CVE-2019-20054 CVE-2019-19956
                   CVE-2019-19807 CVE-2019-19537 CVE-2019-19530
                   CVE-2019-19524 CVE-2019-19523 CVE-2019-19447
                   CVE-2019-19332 CVE-2019-19126 CVE-2019-19063
                   CVE-2019-19062 CVE-2019-19059 CVE-2019-19058
                   CVE-2019-19055 CVE-2019-19046 CVE-2019-17498
                   CVE-2019-17006 CVE-2019-16994 CVE-2019-16233
                   CVE-2019-16231 CVE-2019-15917 CVE-2019-15807
                   CVE-2019-14866 CVE-2019-12614 CVE-2019-12450
                   CVE-2019-11756 CVE-2019-11068 CVE-2019-8696
                   CVE-2019-8675 CVE-2019-5482 CVE-2018-20843
                   CVE-2018-20836 CVE-2017-12652 

Reference:         ASB-2021.0067
                   ASB-2020.0140
                   ESB-2021.2263
                   ESB-2021.2178
                   ESB-2021.1869

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11209

- --------------------------BEGIN INCLUDED TEXT--------------------

2021-08 Informational Security Bulletin: Junos Space Log Collector: Multiple vulnerabilities found in Log Collector 20.1R1

Article ID  : JSA11209
Last Updated: 02 Aug 2021
Version     : 2.0

Product Affected:

These issues affect Junos Space Log Collector 20.1, 20.2, 20.3.

Problem:

Multiple vulnerabilities have been resolved in the Junos Space Log Collector by
updating third party software included with Junos Space or by fixing
vulnerabilities found during external security research.

These issues affect Juniper Networks Junos Space Log Collector

  o 20.1 version 20.1R1 and later versions prior to 20.3R1.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

These issues were discovered during external security research.

Security issues resolved include:

     CVE          CVSS                           Summary
               9.8 (
               CVSS:3.0/
CVE-2017-12652 AV:N/AC:L/ libpng before 1.6.32 does not properly check the
               PR:N/UI:N/ length of chunks against the user limit.
               S:U/C:H/
               I:H/A:H )
               8.1 (
               CVSS:3.0/  An issue was discovered in the Linux kernel before
CVE-2018-20836 AV:N/AC:H/ 4.20. There is a race condition in smp_task_timedout
               PR:N/UI:N/ () and smp_task_done() in drivers/scsi/libsas/
               S:U/C:H/   sas_expander.c, leading to a use-after-free.
               I:H/A:H )
               7.5 (      In libexpat in Expat before 2.2.7, XML input
               CVSS:3.1/  including XML names that contain a large number of
CVE-2018-20843 AV:N/AC:L/ colons could make the XML parser consume a high
               PR:N/UI:N/ amount of RAM and CPU resources while processing
               S:U/C:N/   (enough to be usable for denial-of-service attacks).
               I:N/A:H )
               9.8 (      libxslt through 1.1.33 allows bypass of a protection
               CVSS:3.0/  mechanism because callers of xsltCheckRead and
CVE-2019-11068 AV:N/AC:L/ xsltCheckWrite permit access even upon receiving a -1
               PR:N/UI:N/ error code. xsltCheckRead can return -1 for a crafted
               S:U/C:H/   URL that is not actually invalid and is subsequently
               I:H/A:H )  loaded.
               6.8 AV:N/  Improper refcounting of soft token session objects
CVE-2019-11756 AC:M/Au:N/ could cause a use-after-free and crash (likely
               C:P/I:P/   limited to a denial of service). This vulnerability
               A:P        affects Firefox < 71.
               9.8 (
               CVSS:3.0/  file_copy_fallback in gio/gfile.c in GNOME GLib
CVE-2019-12450 AV:N/AC:L/ 2.15.0 through 2.61.1 does not properly restrict file
               PR:N/UI:N/ permissions while a copy operation is in progress.
               S:U/C:H/   Instead, default permissions are used.
               I:H/A:H )
                          An issue was discovered in dlpar_parse_cc_property in
               4.7 AV:L/  arch/powerpc/platforms/pseries/dlpar.c in the Linux
CVE-2019-12614 AC:M/Au:N/ kernel through 5.1.6. There is an unchecked kstrdup
               C:N/I:N/   of prop->name, which might allow an attacker to cause
               A:C        a denial of service (NULL pointer dereference and
                          system crash).
                          In all versions of cpio before 2.13 does not properly
                          validate input files when generating TAR archives.
               6.9 AV:L/  When cpio is used to create TAR archives from paths
               AC:M/Au:N/ an attacker can write to, the resulting archive may
CVE-2019-14866 C:C/I:C/   contain files with permissions the attacker did not
               A:C        have or in paths he did not have access to.
                          Extracting those archives from a high-privilege user
                          without carefully reviewing them may lead to the
                          compromise of the system.
               4.7 AV:L/  In the Linux kernel before 5.1.13, there is a memory
CVE-2019-15807 AC:M/Au:N/ leak in drivers/scsi/libsas/sas_expander.c when SAS
               C:N/I:N/   expander discovery fails. This will cause a BUG and
               A:C        denial of service.
               6.9 AV:L/  An issue was discovered in the Linux kernel before
CVE-2019-15917 AC:M/Au:N/ 5.0.5. There is a use-after-free issue when
               C:C/I:C/   hci_uart_register_dev() fails in hci_uart_set_proto()
               A:C        in drivers/bluetooth/hci_ldisc.c.
               4.7 AV:L/  drivers/net/fjes/fjes_main.c in the Linux kernel
CVE-2019-16231 AC:M/Au:N/ 5.2.14 does not check the alloc_workqueue return
               C:N/I:N/   value, leading to a NULL pointer dereference.
               A:C
               4.7 AV:L/  drivers/scsi/qla2xxx/qla_os.c in the Linux kernel
CVE-2019-16233 AC:M/Au:N/ 5.2.14 does not check the alloc_workqueue return
               C:N/I:N/   value, leading to a NULL pointer dereference.
               A:C
               4.7 (      In the Linux kernel before 5.0, a memory leak exists
               CVSS:3.1/  in sit_init_net() in net/ipv6/sit.c when
CVE-2019-16994 AV:L/AC:H/ register_netdev() fails to register sitn->
               PR:L/UI:N/ fb_tunnel_dev, which may cause denial of service, aka
               S:U/C:N/   CID-07f12b26e21a.
               I:N/A:H )
               9.8 (      In Network Security Services (NSS) before 3.46,
               CVSS:3.1/  several cryptographic primitives had missing length
CVE-2019-17006 AV:N/AC:L/ checks. In cases where the application calling the
               PR:N/UI:N/ library did not perform a sanity check on the inputs
               S:U/C:H/   it could result in a crash due to a buffer overflow.
               I:H/A:H )
                          ** DISPUTED ** A memory leak in the
                          __ipmi_bmc_register() function in drivers/char/ipmi/
               6.8 AV:N/  ipmi_msghandler.c in the Linux kernel through 5.3.11
CVE-2019-19046 AC:L/Au:S/ allows attackers to cause a denial of service (memory
               C:N/I:N/   consumption) by triggering ida_simple_get() failure,
               A:C        aka CID-4aa7afb0ee20. NOTE: third parties dispute the
                          relevance of this because an attacker cannot
                          realistically control this failure at probe time.
                          ** DISPUTED ** A memory leak in the
                          nl80211_get_ftm_responder_stats() function in net/
               4.9 AV:L/  wireless/nl80211.c in the Linux kernel through 5.3.11
CVE-2019-19055 AC:L/Au:N/ allows attackers to cause a denial of service (memory
               C:N/I:N/   consumption) by triggering nl80211hdr_put() failures,
               A:C        aka CID-1399c59fa929. NOTE: third parties dispute the
                          relevance of this because it occurs on a code path
                          where a successful allocation has already occurred.
                          A memory leak in the alloc_sgtable() function in
               4.7 AV:L/  drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the
CVE-2019-19058 AC:M/Au:N/ Linux kernel through 5.3.11 allows attackers to cause
               C:N/I:N/   a denial of service (memory consumption) by
               A:C        triggering alloc_page() failures, aka
                          CID-b4b814fec1a5.
                          Multiple memory leaks in the
               4.7 AV:L/  iwl_pcie_ctxt_info_gen3_init() function in drivers/
               AC:M/Au:N/ net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in
CVE-2019-19059 C:N/I:N/   the Linux kernel through 5.3.11 allow attackers to
               A:C        cause a denial of service (memory consumption) by
                          triggering iwl_pcie_init_fw_sec() or
                          dma_alloc_coherent() failures, aka CID-0f4f199443fa.
               4.7 AV:L/  A memory leak in the crypto_report() function in
               AC:M/Au:N/ crypto/crypto_user_base.c in the Linux kernel through
CVE-2019-19062 C:N/I:N/   5.3.11 allows attackers to cause a denial of service
               A:C        (memory consumption) by triggering crypto_report_alg
                          () failures, aka CID-ffdde5932042.
               4.6 (      Two memory leaks in the rtl_usb_probe() function in
               CVSS:3.1/  drivers/net/wireless/realtek/rtlwifi/usb.c in the
CVE-2019-19063 AV:P/AC:L/ Linux kernel through 5.3.11 allow attackers to cause
               PR:N/UI:N/ a denial of service (memory consumption), aka
               S:U/C:N/   CID-3f9361695113.
               I:N/A:H )
                          An out-of-bounds memory write issue was found in the
                          Linux Kernel, version 3.13 through 5.4, in the way
               5.6 AV:L/  the Linux kernel's KVM hypervisor handled the
CVE-2019-19332 AC:L/Au:N/ 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get
               C:N/I:P/   CPUID features emulated by the KVM hypervisor. A user
               A:C        or process able to access the '/dev/kvm' device could
                          use this flaw to crash the system, resulting in a
                          denial of service.
               6.8 AV:N/  In the Linux kernel 5.0.21, mounting a crafted ext4
               AC:M/Au:N/ filesystem image, performing some operations, and
CVE-2019-19447 C:P/I:P/   unmounting can lead to a use-after-free in
               A:P        ext4_put_super in fs/ext4/super.c, related to
                          dump_orphan_list in fs/ext4/super.c.
               4.9 AV:L/  In the Linux kernel before 5.3.7, there is a
CVE-2019-19523 AC:L/Au:N/ use-after-free bug that can be caused by a malicious
               C:N/I:N/   USB device in the drivers/usb/misc/adutux.c driver,
               A:C        aka CID-44efc269db79.
               4.9 AV:L/  In the Linux kernel before 5.3.12, there is a
CVE-2019-19524 AC:L/Au:N/ use-after-free bug that can be caused by a malicious
               C:N/I:N/   USB device in the drivers/input/ff-memless.c driver,
               A:C        aka CID-fa3a5a1880c9.
               4.9 AV:L/  In the Linux kernel before 5.2.10, there is a
CVE-2019-19530 AC:L/Au:N/ use-after-free bug that can be caused by a malicious
               C:N/I:N/   USB device in the drivers/usb/class/cdc-acm.c driver,
               A:C        aka CID-c52873e5a1ef.
               4.7 AV:L/  In the Linux kernel before 5.2.10, there is a race
               AC:M/Au:N/ condition bug that can be caused by a malicious USB
CVE-2019-19537 C:N/I:N/   device in the USB character device driver layer, aka
               A:C        CID-303911cfc5b9. This affects drivers/usb/core/
                          file.c.
                          In the Linux kernel before 5.3.11, sound/core/timer.c
               7.2 AV:L/  has a use-after-free caused by erroneous code
               AC:L/Au:N/ refactoring, aka CID-e7af6307a8a5. This is related to
CVE-2019-19807 C:C/I:C/   snd_timer_open and snd_timer_close_locked. The timeri
               A:C        variable was originally intended to be for a newly
                          created timer instance, but was used for a different
                          purpose after refactoring.
               7.5 (
               CVSS:3.1/  xmlParseBalancedChunkMemoryRecover in parser.c in
CVE-2019-19956 AV:N/AC:L/ libxml2 before 2.9.10 has a memory leak related to
               PR:N/UI:N/ newDoc->oldNs.
               S:U/C:N/
               I:N/A:H )
               4.9 AV:L/  In the Linux kernel before 5.0.6, there is a NULL
CVE-2019-20054 AC:L/Au:N/ pointer dereference in drop_sysctl_table() in fs/proc
               C:N/I:N/   /proc_sysctl.c, related to put_links, aka
               A:C        CID-23da9588037e.
               5.5 (      mwifiex_tm_cmd in drivers/net/wireless/marvell/
               CVSS:3.1/  mwifiex/cfg80211.c in the Linux kernel before 5.1.6
CVE-2019-20095 AV:L/AC:L/ has some error-handling cases that did not free
               PR:L/UI:N/ allocated hostcmd memory, aka CID-003b686ace82. This
               S:U/C:N/   will cause a memory leak and denial of service.
               I:N/A:H )
               7.5 (
               CVSS:3.1/
CVE-2019-20388 AV:N/AC:L/ xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10
               PR:N/UI:N/ allows an xmlSchemaValidateStream memory leak.
               S:U/C:N/
               I:N/A:H )
               7.2 AV:L/  In the Linux kernel before 5.4.12, drivers/input/
CVE-2019-20636 AC:L/Au:N/ input.c has out-of-bounds writes via a crafted
               C:C/I:C/   keycode table, as demonstrated by input_set_keycode,
               A:C        aka CID-cb222aed03d7.
               7.5 (
               CVSS:3.1/  In Lib/tarfile.py in Python through 3.8.3, an
CVE-2019-20907 AV:N/AC:L/ attacker is able to craft a TAR archive leading to an
               PR:N/UI:N/ infinite loop when opened by tarfile.open, because
               S:U/C:N/   _proc_pax lacks header validation.
               I:N/A:H )
               5.9 (
               CVSS:3.1/  The iconv feature in the GNU C Library (aka glibc or
CVE-2019-25013 AV:N/AC:H/ libc6) through 2.32, when processing invalid
               PR:N/UI:N/ multi-byte input sequences in the EUC-KR encoding,
               S:U/C:N/   may have a buffer over-read.
               I:N/A:H )
               7.5 AV:N/
CVE-2019-5482  AC:L/Au:N/ Heap buffer overflow in the TFTP protocol handler in
               C:P/I:P/   cURL 7.19.4 to 7.65.3.
               A:P
               8.8 (      A buffer overflow issue was addressed with improved
               CVSS:3.1/  memory handling. This issue is fixed in macOS Mojave
CVE-2019-8675  AV:N/AC:L/ 10.14.6, Security Update 2019-004 High Sierra,
               PR:L/UI:N/ Security Update 2019-004 Sierra. An attacker in a
               S:U/C:H/   privileged network position may be able to execute
               I:H/A:H )  arbitrary code.
               8.8 (      A buffer overflow issue was addressed with improved
               CVSS:3.1/  memory handling. This issue is fixed in macOS Mojave
CVE-2019-8696  AV:N/AC:L/ 10.14.6, Security Update 2019-004 High Sierra,
               PR:L/UI:N/ Security Update 2019-004 Sierra. An attacker in a
               S:U/C:H/   privileged network position may be able to execute
               I:H/A:H )  arbitrary code.
               8.2 (
               CVSS:3.1/  Perl before 5.30.3 on 32-bit platforms allows a
CVE-2020-10543 AV:N/AC:L/ heap-based buffer overflow because nested regular
               PR:N/UI:N/ expression quantifiers have an integer overflow.
               S:U/C:N/
               I:L/A:H )
               8.6 (      Perl before 5.30.3 has an integer overflow related to
               CVSS:3.1/  mishandling of a "PL_regkind[OP(n)] == NOTHING"
CVE-2020-10878 AV:N/AC:L/ situation. A crafted regular expression could lead to
               PR:N/UI:N/ malformed bytecode with a possibility of instruction
               S:U/C:L/   injection.
               I:L/A:H )
               7.5 (
               CVSS:3.1/  In filter.c in slapd in OpenLDAP before 2.4.50, LDAP
CVE-2020-12243 AV:N/AC:L/ search filters with nested boolean expressions can
               PR:N/UI:N/ result in denial of service (daemon crash).
               S:U/C:N/
               I:N/A:H )
               8.8 (
               CVSS:3.1/  Improper buffer restriction in some Intel(R) Wireless
CVE-2020-12321 AV:A/AC:L/ Bluetooth(R) products before version 21.110 may allow
               PR:N/UI:N/ an unauthenticated user to potentially enable
               S:U/C:H/   escalation of privilege via adjacent access.
               I:H/A:H )
               8.8 (
               CVSS:3.1/  Improper input validation in BlueZ may allow an
CVE-2020-12351 AV:A/AC:L/ unauthenticated user to potentially enable escalation
               PR:N/UI:N/ of privilege via adjacent access.
               S:U/C:H/
               I:H/A:H )
               7.5 (
               CVSS:3.1/  regcomp.c in Perl before 5.30.3 allows a buffer
CVE-2020-12723 AV:N/AC:L/ overflow via a crafted regular expression because of
               PR:N/UI:N/ recursive S_study_chunk calls.
               S:U/C:N/
               I:N/A:H )
               5.8 AV:N/  libcroco through 0.6.13 has excessive recursion in
CVE-2020-12825 AC:M/Au:N/ cr_parser_parse_any_core in cr-parser.c, leading to
               C:N/I:P/   stack consumption.
               A:P
                          An out-of-bounds memory write flaw was found in how
               8.1 (      the Linux kernel's Voice Over IP H.323 connection
               CVSS:3.1/  tracking functionality handled connections on ipv6
CVE-2020-14305 AV:N/AC:H/ port 1720. This flaw allows an unauthenticated remote
               PR:N/UI:N/ user to crash the system, causing a denial of
               S:U/C:H/   service. The highest threat from this vulnerability
               I:H/A:H )  is to confidentiality, integrity, as well as system
                          availability.
                          A flaw was found in the Linux kernel's implementation
                          of the invert video code on VGA consoles when a local
               6.6 (      attacker attempts to resize the console, calling an
               CVSS:3.1/  ioctl VT_RESIZE, which causes an out-of-bounds write
CVE-2020-14331 AV:P/AC:L/ to occur. This flaw allows a local user with access
               PR:L/UI:N/ to the VGA console to crash the system, potentially
               S:U/C:H/   escalating their privileges on the system. The
               I:H/A:H )  highest threat from this vulnerability is to data
                          confidentiality and integrity as well as system
                          availability.
                          A flaw was found in grub2 in versions prior to 2.06,
                          where it incorrectly enables the usage of the ACPI
                          command when Secure Boot is enabled. This flaw allows
               7.5 (      an attacker with privileged access to craft a
               CVSS:3.1/  Secondary System Description Table (SSDT) containing
CVE-2020-14372 AV:L/AC:H/ code to overwrite the Linux kernel lockdown variable
               PR:H/UI:N/ content directly into memory. The table is further
               S:C/C:H/   loaded and executed by the kernel, defeating its
               I:H/A:H )  Secure Boot lockdown and allowing the attacker to
                          load unsigned code. The highest threat from this
                          vulnerability is to data confidentiality and
                          integrity, as well as system availability.
                          A flaw was found in the Linux kernel before 5.9-rc4.
               5.5 (      A failure of the file system metadata validator in
               CVSS:3.1/  XFS can cause an inode with a valid, user-creatable
CVE-2020-14385 AV:L/AC:L/ extended attribute to be flagged as corrupt. This can
               PR:L/UI:N/ lead to the filesystem being shutdown, or otherwise
               S:U/C:N/   rendered inaccessible until it is remounted, leading
               I:N/A:H )  to a denial of service. The highest threat from this
                          vulnerability is to system availability.
               10.0 (     An elevation of privilege vulnerability exists when
               CVSS:3.1/  an attacker establishes a vulnerable Netlogon secure
CVE-2020-1472  AV:N/AC:L/ channel connection to a domain controller, using the
               PR:N/UI:N/ Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon
               S:C/C:H/   Elevation of Privilege Vulnerability'.
               I:H/A:H )
               7.2 AV:L/  Net-SNMP through 5.7.3 has Improper Privilege
CVE-2020-15862 AC:L/Au:N/ Management because SNMP WRITE access to the EXTEND
               C:C/I:C/   MIB provides the ability to run arbitrary commands as
               A:C        root.
                          A flaw was found in grub2 in versions prior to 2.06.
               8.2 (      The rmmod implementation allows the unloading of a
               CVSS:3.1/  module used as a dependency without checking if any
               AV:L/AC:L/ other dependent module is still loaded leading to a
CVE-2020-25632 PR:H/UI:N/ use-after-free scenario. This could allow arbitrary
               S:C/C:H/   code to be executed or a bypass of Secure Boot
               I:H/A:H )  protections. The highest threat from this
                          vulnerability is to data confidentiality and
                          integrity as well as system availability.
                          A flaw was found in the HDLC_PPP module of the Linux
               7.2 (      kernel in versions before 5.9-rc7. Memory corruption
               CVSS:3.1/  and a read overflow is caused by improper input
CVE-2020-25643 AV:N/AC:L/ validation in the ppp_cp_parse_cr function which can
               PR:H/UI:N/ cause the system to crash or cause a denial of
               S:U/C:H/   service. The highest threat from this vulnerability
               I:H/A:H )  is to data confidentiality and integrity as well as
                          system availability.
                          A flaw was found in grub2 in versions prior to 2.06.
                          During USB device initialization, descriptors are
               7.6 (      read with very little bounds checking and assumes the
               CVSS:3.1/  USB device is providing sane values. If properly
CVE-2020-25647 AV:P/AC:L/ exploited, an attacker could trigger memory
               PR:N/UI:N/ corruption leading to arbitrary code execution
               S:C/C:H/   allowing a bypass of the Secure Boot mechanism. The
               I:H/A:H )  highest threat from this vulnerability is to data
                          confidentiality and integrity as well as system
                          availability.
                          A flaw in ICMP packets in the Linux kernel may allow
                          an attacker to quickly scan open UDP ports. This flaw
                          allows an off-path remote attacker to effectively
                          bypass source port UDP randomization. Software that
               7.4 (      relies on UDP source port randomization are
               CVSS:3.1/  indirectly affected as well on the Linux Based
               AV:N/AC:H/ Products (RUGGEDCOM RM1224: All versions between v5.0
CVE-2020-25705 PR:N/UI:N/ and v6.4, SCALANCE M-800: All versions between v5.0
               S:U/C:H/   and v6.4, SCALANCE S615: All versions between v5.0
               I:H/A:N )  and v6.4, SCALANCE SC-600: All versions prior to
                          v2.1.3, SCALANCE W1750D: v8.3.0.1, v8.6.0, and
                          v8.7.0, SIMATIC Cloud Connect 7: All versions,
                          SIMATIC MV500 Family: All versions, SIMATIC NET CP
                          1243-1 (incl. SIPLUS variants): Versions 3.1.39 and
                          later, SIMATIC NET CP 1243-7 LTE EU: Version
                          A flaw was found in grub2 in versions prior to 2.06.
                          Variable names present are expanded in the supplied
                          command line into their corresponding variable
               6.7 (      contents, using a 1kB stack buffer for temporary
               CVSS:3.1/  storage, without sufficient bounds checking. If the
               AV:L/AC:L/ function is called with a command line that
CVE-2020-27749 PR:H/UI:N/ references a variable with a sufficiently large
               S:U/C:H/   payload, it is possible to overflow the stack buffer,
               I:H/A:H )  corrupt the stack frame and control execution which
                          could also circumvent Secure Boot protections. The
                          highest threat from this vulnerability is to data
                          confidentiality and integrity as well as system
                          availability.
                          A flaw was found in grub2 in versions prior to 2.06.
               7.5 (      The cutmem command does not honor secure boot locking
               CVSS:3.1/  allowing an privileged attacker to remove address
CVE-2020-27779 AV:L/AC:H/ ranges from memory creating an opportunity to
               PR:H/UI:N/ circumvent SecureBoot protections after proper triage
               S:C/C:H/   about grub's memory layout. The highest threat from
               I:H/A:H )  this vulnerability is to data confidentiality and
                          integrity as well as system availability.
                          In drivers/target/target_core_xcopy.c in the Linux
                          kernel before 5.10.7, insufficient identifier
               8.1 (      checking in the LIO SCSI target code can be used by
               CVSS:3.1/  remote attackers to read or write files via directory
CVE-2020-28374 AV:N/AC:L/ traversal in an XCOPY request, aka CID-2896c93811e3.
               PR:L/UI:N/ For example, an attack can occur over a network if
               S:U/C:H/   the attacker has access to one iSCSI LUN. The
               I:H/A:N )  attacker gains control over file access because I/O
                          operations are proxied via an attacker-selected
                          backstore.
                          sysdeps/i386/ldbl2mpn.c in the GNU C Library (aka
                          glibc or libc6) before 2.23 on x86 targets has a
                          stack-based buffer overflow if the input to any of
               7.5 (      the printf family of functions is an 80-bit long
               CVSS:3.1/  double with a non-canonical bit pattern, as seen when
               AV:N/AC:L/ passing a \x00\x04\x00\x00\x00\x00\x00\x00\x00\x04
CVE-2020-29573 PR:N/UI:N/ value to sprintf. NOTE: the issue does not affect
               S:U/C:N/   glibc by default in 2016 or later (i.e., 2.23 or
               I:N/A:H )  later) because of commits made in 2015 for inlining
                          of C99 math functions through use of GCC built-ins.
                          In other words, the reference to 2.23 is intentional
                          despite the mention of "Fixed for glibc 2.33" in the
                          26649 reference.
               7.8 (
               CVSS:3.1/  A locking issue was discovered in the tty subsystem
CVE-2020-29661 AV:L/AC:L/ of the Linux kernel through 5.9.13. drivers/tty/
               PR:L/UI:N/ tty_jobctrl.c allows a use-after-free attack against
               S:U/C:H/   TIOCSPGRP, aka CID-54ffccbf053b.
               I:H/A:H )
               7.5 (
               CVSS:3.1/  xmlStringLenDecodeEntities in parser.c in libxml2
CVE-2020-7595  AV:N/AC:L/ 2.9.10 has an infinite loop in a certain end-of-file
               PR:N/UI:N/ situation.
               S:U/C:N/
               I:N/A:H )
                          BIND servers are vulnerable if they are running an
                          affected version and are configured to use GSS-TSIG
                          features. In a configuration which uses BIND's
                          default settings the vulnerable code path is not
                          exposed, but a server can be rendered vulnerable by
                          explicitly setting valid values for the
                          tkey-gssapi-keytab or
               8.1 (      tkey-gssapi-credentialconfiguration options. Although
               CVSS:3.1/  the default configuration is not vulnerable, GSS-TSIG
               AV:N/AC:H/ is frequently used in networks where BIND is
CVE-2020-8625  PR:N/UI:N/ integrated with Samba, as well as in mixed-server
               S:U/C:H/   environments that combine BIND servers with Active
               I:H/A:H )  Directory domain controllers. The most likely outcome
                          of a successful exploitation of the vulnerability is
                          a crash of the named process. However, remote code
                          execution, while unproven, is theoretically possible.
                          Affects: BIND 9.5.0 -> 9.11.27, 9.12.0 -> 9.16.11,
                          and versions BIND 9.11.3-S1 -> 9.11.27-S1 and
                          9.16.8-S1 -> 9.16.11-S1 of BIND Supported Preview
                          Edition. Also release versions 9.17.0 -> 9.17.1 of
                          the BIND 9.17 development branch
CVE-2021-20225  6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
                A flaw was found in grub2 in versions prior to 2.06. The option
                parser allows an attacker to write past the end of a
                heap-allocated buffer by calling certain commands with a large
                number of specific short forms of options. The highest threat
                from this vulnerability is to data confidentiality and
                integrity as well as system availability.
CVE-2021-20233  8.2 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
                A flaw was found in grub2 in versions prior to 2.06.
                setparam_prefix() in the menu rendering code performs a length
                calculation on the assumption that expressing a quoted single
                quote will require 3 characters, while it actually requires 4
                characters, which allows an attacker to corrupt memory by one
                byte for each quote in the input. The highest threat from this
                vulnerability is to data confidentiality and integrity as well
                as system availability.
CVE-2021-20265  5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
                A flaw was found in the way memory resources were freed in the
                unix_stream_recvmsg function in the Linux kernel when a signal
                was pending. This flaw allows an unprivileged local user to
                crash the system by exhausting available memory. The highest
                threat from this vulnerability is to system availability.
CVE-2021-20305  8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
                A flaw was found in Nettle in versions before 3.7.2, where
                several Nettle signature verification functions (GOST DSA,
                EdDSA and ECDSA) result in the Elliptic Curve Cryptography
                (ECC) point multiply function being called with out-of-range
                scalars, possibly resulting in incorrect results. This flaw
                allows an attacker to force an invalid signature, causing an
                assertion failure or, possibly, acceptance of the invalid
                signature. The highest threat from this vulnerability is to
                confidentiality, integrity, as well as system availability.
CVE-2021-3156   7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
                Sudo before 1.9.5p2 contains an off-by-one error that can
                result in a heap-based buffer overflow, which allows privilege
                escalation to root via "sudoedit -s" and a command-line
                argument that ends with a single backslash character.

Security issues not resolved include:

     CVE          CVSS                           Summary
CVE-2019-17498  5.8 (CVSS v2: AV:N/AC:M/Au:N/C:P/I:N/A:P)
                In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT
                logic in packet.c has an integer overflow in a bounds check,
                enabling an attacker to specify an arbitrary (out-of-bounds)
                offset for a subsequent memory read. A crafted SSH server may
                be able to disclose sensitive information or cause a denial of
                service condition on the client system when a user connects to
                the server.
CVE-2019-19126  3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
                On the x86-64 architecture, the GNU C Library (aka glibc)
                before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC
                environment variable during program execution after a security
                transition, allowing local attackers to restrict the possible
                mapping addresses for loaded libraries and thus bypass ASLR for
                a setuid program.
CVE-2020-8622   4.0 (CVSS v2: AV:N/AC:L/Au:S/C:N/I:N/A:P)
                In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3
                (also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported
                Preview Edition), an attacker on the network path for a
                TSIG-signed request, or operating the server receiving the
                TSIG-signed request, could send a truncated response to that
                request, triggering an assertion failure, causing the server to
                exit. Alternately, an off-path attacker would have to correctly
                guess when a TSIG-signed request was sent, along with other
                characteristics of the packet and message, and spoof a
                truncated response to trigger an assertion failure, causing the
                server to exit.
CVE-2020-8698   5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
                Improper isolation of shared resources in some Intel(R)
                Processors may allow an authenticated user to potentially
                enable information disclosure via local access.
CVE-2020-15436  6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
                Use-after-free vulnerability in fs/block_dev.c in the Linux
                kernel before 5.8 allows local users to gain privileges or
                cause a denial of service by leveraging improper access to a
                certain error field.

Solution:

For the resolved CVEs the following software releases have been updated to
resolve these specific issues: 20.3R1, and all subsequent releases.

For the unresolved CVEs, Juniper Networks will not be resolving these issues.

Customers should contact their account managers for guidance on migration to
other platforms.

These issues are being tracked as 1597018.

Workaround:

There are no viable workarounds for these issues.

To reduce the risk of exploitation, apply common security best current practices
(BCPs) to limit the exploitable surface: restrict network and device access to
trusted systems, administrators, networks and hosts. Further protection can be
gained by limiting shell access to trusted system administrators only and by
employing jump boxes on networks that have no Internet access.

Modification History:
2021-08-02: Initial Publication.

CVSS Score:
6.7 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Medium
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----