ESB-2014.0516 - [Juniper] Junos: Multiple vulnerabilities

Date: 16 April 2014


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0516
        2014-04 Security Bulletin: Junos: Multiple vulnerabilities
                               16 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service    -- Remote/Unauthenticated      
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2714 CVE-2014-2713 CVE-2014-2711
                   CVE-2014-0614 CVE-2014-0612 

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10618
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10619
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10620
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10621
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10622

Comment: This bulletin contains five (5) Juniper Networks security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted 
IGMP packets (CVE-2014-0614)

Categories:

Junos
Router Products
Security Products
Switch Products
SIRT Advisory

Security Advisories ID:	JSA10618
Last Updated:		09 Apr 2014
Version:		1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 13.2 or higher.

PROBLEM:

Reception of a very high rate of crafted IGMP packets may cause the Junos 
kernel to crash. The contents of the valid IGMP packets must be specifically 
crafted to trigger the crash, while maintaining a transmit rate exceeding 
approximately 1000 packets per second. PIM must also be enabled to trigger 
this crash.

This issue only affects devices running Junos OS 13.2 or higher. Earlier 
versions of Junos are unaffected by this vulnerability.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-0614.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:
- All Junos OS software releases built on or after 2014-01-16, or
- Junos OS 13.2R3, 13.3R1, and all subsequent releases (i.e. all releases 
  built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the 
command 'show version detail'.

This issue is being tracked as PR 944135 and is visible on the Customer 
Support website.


KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed, as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Two options exist to mitigate this issue.

1) If PIM is not required, disabling PIM will avoid this crash.

2) While the IGMP flood is not limited to the management interface, if fxp0 is 
unused, explicitly disabling the external management interface will prevent 
the kernel panic.

[edit interfaces]
+   fxp0 {
+       disable;
+   }

In addition to (but not a substitute for) the recommendations listed above, it 
is good security practice to limit the exploitable attack surface of critical 
infrastructure networking equipment. Use access lists or firewall filters to 
limit access to the router only from trusted, administrative networks or 
hosts.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance 
Release of each supported Junos version. In some cases, a Maintenance Release 
is not planned to be available in an appropriate time-frame. For these cases, 
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS: 

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident 
Response Team
CVE-2014-0614: Kernel panic processing high rate of crafted IGMP packets

CVSS SCORE:

7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Persistent Cross Site Scripting 
vulnerability in J-Web (CVE-2014-2711)

Categories:	

Junos
Router Products
Security Products
Switch Products
SIRT Advisory

Security Advisories ID:	JSA10619
Last Updated:		09 Apr 2014
Version:		1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS.

PROBLEM:

A persistent cross site scripting vulnerability in J-Web may allow a remote 
unauthenticated user to inject web script or HTML and steal sensitive data and 
credentials from a J-Web session and to perform administrative actions on the 
Junos device.

An attacker can inject web script or HTML even when J-Web is disabled, but the 
vulnerability can only be exploited when J-Web is used to monitor the system.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2711.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:
- All Junos OS software releases built on or after 2014-03-20, or
- Junos OS 11.4R11, 11.4X27.62 (BBE), 12.1R9, 12.1X44-D35, 12.1X45-D25, 
  12.1X46-D20, 12.2R7, 12.3R6, 13.1R4, 13.2R3, 13.3R1, and all subsequent 
  releases (i.e. all releases built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the 
command 'show version detail'.

This issue is being tracked as PR 940744 and is visible on the Customer 
Support website.


KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed, as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Avoid using J-Web to monitor the system.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance 
Release of each supported Junos version. In some cases, a Maintenance Release 
is not planned to be available in an appropriate time-frame. For these cases, 
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS: 

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident 
Response Team
CVE-2014-2711: Persistent Cross Site Scripting vulnerability in J-Web

CVSS SCORE:

9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

RISK LEVEL:

Critical

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

Juniper SIRT would like to acknowledge and thank Chuck McAuley for responsibly 
reporting this vulnerability.

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Branch SRX Series vulnerable to denial of 
service for new Dynamic VPN connections (CVE-2014-0612)

Categories:	

Junos
SRX Series
SRX210
SRX240
SRX650
SRX100
SRX110
SRX220
SRX550
SIRT Advisory

Security Advisories ID:	JSA10620
Last Updated:		09 Apr 2014
Version:		2.0

PRODUCT AFFECTED:

This issue can affect all SRX Branch Series services gateways: SRX 100, SRX 
110, SRX 210, SRX 220, SRX 240, SRX 550, and SRX 650.

PROBLEM:

On Branch SRX Series service gateways, when Dynamic IPsec VPN is configured, 
a remote unauthenticated user may cause a denial of service condition where 
new Dynamic VPN connections may fail for other users. This issue may also 
lead to high CPU consumption and disk usage which may cause other 
complications.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-0612.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:
- All Junos OS software releases built on or after 2014-02-19, or
- Junos OS 11.4R10-S1, 11.4R11, 12.1X44-D26, 12.1X44-D30, 12.1X45-D20, 
  12.1X46-D10, and all subsequent releases (i.e. all releases built after 
  12.1X46-D10).

Customers can confirm the build date of any Junos OS release by issuing the 
command 'show version detail'.

This issue is being tracked as PR 934366 and is visible on the Customer 
Support website.


KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed, as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Other than disabling Dynamic IPsec VPN, no viable workaround is known to exist 
for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance 
Release of each supported Junos version. In some cases, a Maintenance Release 
is not planned to be available in an appropriate time-frame. For these cases, 
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS: 

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident 
Response Team
CVE-2014-0612: Branch SRX Series vulnerable to denial of service for new 
Dynamic VPN connections

CVSS SCORE:

5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Crafted IP packet can trigger PFE reboot on 
MX Series and T4000 (CVE-2014-2713)

Categories:	

Junos
MX-series
SIRT Advisory

Security Advisories ID:	JSA10621
Last Updated:		10 Apr 2014
Version:		3.0

PRODUCT AFFECTED:

This issue can affect all MX Series and T4000 routers using either Trio or 
Cassis-based PFEs.

PROBLEM:

2014-04-10 Update: Added T4000 and Type 5 FPCs (T4000-FPC5-3D) to advisory.

A crafted IP packet destined to an MX Series or T4000 router utilizing Trio 
or Cassis-based PFE (Packet Forwarding Engine) modules can cause the PFE to 
reboot. Affected modules include MPC1, MPC2, MPC3, and MPC4, integrated MPCs 
(CHAS-MX*), as well as Type 5 FPCs on the T4000. For a complete list of Trio 
and Cassis-based PFE modules, refer to KB25385.

Customers can display the various components in use via the 'show chassis 
hardware' command.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2713.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:
- All Junos OS software releases built on or after 2014-03-20, or
- Junos OS 11.4R11, 12.1R9, 12.2R7, 12.3R4-S3, 12.3R5, 13.1R4, 13.2R2, and 
  13.3R1, and all subsequent releases (i.e. all releases built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the 
command 'show version detail'.

This issue is being tracked as PR 904887 and is visible on the Customer 
Support website.


KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed, as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

No known workaround exists for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance 
Release of each supported Junos version. In some cases, a Maintenance Release 
is not planned to be available in an appropriate time-frame. For these cases, 
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS: 

KB25385: A mapping between chipset type and PFE module
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident 
Response Team
CVE-2014-2713: Crafted IP packet can trigger PFE reboot on MX Series and T4000

CVSS SCORE:

CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: SRX Series Enhanced Web Filtering flowd 
crash while parsing URL (CVE-2014-2714)

Categories:
	
Junos
SRX Series
SIRT Advisory

Security Advisories ID:	JSA10622
Last Updated:		09 Apr 2014
Version:		1.0

PRODUCT AFFECTED:

This issue can affect all SRX Series services gateways.

PROBLEM:

An issue has been found on SRX Series services gateways when Enhanced Web 
Filtering (EWF) is enabled. A certain type of URL can cause the flow daemon 
(flowd) process to crash and restart. Repeated crashes of the flowd process 
can represent a sustained denial of service condition for SRX Series devices.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2714.

SOLUTION:

The following software releases have been updated to resolve this specific 
issue:
- All Junos OS software releases built on or after 2013-12-17, or
- Junos OS 10.4R15, 11.4R9, 12.1R7, 12.1X44-D20, 12.1X45-D10, 12.1X46-D10, 
  and all subsequent releases (i.e. all releases built after 12.1X46-D10).

Customers can confirm the build date of any Junos OS release by issuing the 
command 'show version detail'.

This issue is being tracked as PR 877830 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed, as per our End of Engineering and End of 
Life support policies.

WORKAROUND:

Disable the use of Enhanced Web Filtering if it is not needed.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance 
Release of each supported Junos version. In some cases, a Maintenance Release 
is not planned to be available in an appropriate time-frame. For these cases, 
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS: 

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident 
Response Team
CVE-2014-2714: SRX Series Enhanced Web Filtering flowd crash while parsing URL

CVSS SCORE:

7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

--------------------------END INCLUDED TEXT--------------------
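
Each SOLUTION section above gives two ways to tell whether a device carries the fix: a build-date cutoff (checked with 'show version detail') or a list of fixed releases. The following is an added example, not part of the AusCERT or Juniper text, that applies both tests to an inventory entry. The release-string forms it accepts and the rule that a later release in the same train carries the fix are assumptions; platform applicability (SRX, MX, T4000) is not checked.

```python
import re
from datetime import date

# Per advisory: (build-date cutoff, fixed releases), copied from this bulletin.
# The BBE release 11.4X27.62 (JSA10619) is numbered differently and is omitted.
ADVISORIES = {
    "JSA10618": (date(2014, 1, 16), "13.2R3 13.3R1"),
    "JSA10619": (date(2014, 3, 20),
                 "11.4R11 12.1R9 12.1X44-D35 12.1X45-D25 12.1X46-D20 "
                 "12.2R7 12.3R6 13.1R4 13.2R3 13.3R1"),
    "JSA10620": (date(2014, 2, 19),
                 "11.4R10-S1 11.4R11 12.1X44-D26 12.1X44-D30 "
                 "12.1X45-D20 12.1X46-D10"),
    "JSA10621": (date(2014, 3, 20),
                 "11.4R11 12.1R9 12.2R7 12.3R4-S3 12.3R5 13.1R4 13.2R2 13.3R1"),
    "JSA10622": (date(2013, 12, 17),
                 "10.4R15 11.4R9 12.1R7 12.1X44-D20 12.1X45-D10 12.1X46-D10"),
}
# JSA10618 states that releases before 13.2 are unaffected.
AFFECTED_FROM = {"JSA10618": (13, 2)}

# Assumed release forms: 12.1R9, 12.3R4-S3, 12.1X44-D35, each with an
# optional trailing ".N" spin number (e.g. 12.1R9.5).
_RELEASE = re.compile(
    r"^(\d+)\.(\d+)(?:R(\d+)|X(\d+)-D(\d+))(?:-S(\d+))?(?:\.\d+)?$")


def parse(release):
    """Return (train, level), e.g. '12.1X44-D35' -> ((12, 1, 44), (35, 0))."""
    m = _RELEASE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos release: {release!r}")
    major, minor, r, x, d, s = (int(g) if g else 0 for g in m.groups())
    return (major, minor, x), (r or d, s)


def status(advisory, release, build_date=None):
    """Classify as 'not affected', 'fixed', 'vulnerable' or 'unknown'."""
    cutoff, fixed_list = ADVISORIES[advisory]
    train, level = parse(release)
    floor = AFFECTED_FROM.get(advisory)
    if floor is not None and train[:2] < floor:
        return "not affected"
    # Criterion 1: any release built on or after the cutoff carries the fix.
    if build_date is not None and build_date >= cutoff:
        return "fixed"
    # Criterion 2: at or past the earliest fixed release of the same train
    # (assumes later releases in a train keep the fix).
    same_train = [lvl for t, lvl in map(parse, fixed_list.split()) if t == train]
    if same_train:
        return "fixed" if level >= min(same_train) else "vulnerable"
    # Train not listed: only the build date can settle it.
    return "vulnerable" if build_date is not None else "unknown"


if __name__ == "__main__":
    # Constructed inventory entries: (release, build date or None).
    for release, built in [("12.1X44-D30", None), ("12.3R4-S3.1", None),
                           ("13.2R2.4", date(2014, 2, 1)), ("14.1R1", None)]:
        print(release, {a: status(a, release, built) for a in ADVISORIES})
```

An "unknown" result means the release train is not named in that advisory, so the build date is the only test that applies.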

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================