ESB-2014.1150 - [Juniper] Juniper Junos: Multiple vulnerabilities

Date: 11 July 2014


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1150
      Multiple vulnerabilities have been identified in Juniper Junos
                               11 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise      -- Existing Account            
                   Denial of Service    -- Remote/Unauthenticated      
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3822 CVE-2014-3821 CVE-2014-3819
                   CVE-2014-3817 CVE-2014-3816 CVE-2014-3815

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10633
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10634
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10635
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10637
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10640
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10641

Comment: This bulletin contains six (6) Juniper Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2014-07 Security Bulletin: Junos: Denial of Service vulnerability in flowd
related to SIP ALG (CVE-2014-3815)

Security Advisories ID:		JSA10633
Last Updated:		    	09 Jul 2014
Version:			1.0

Product Affected:
This issue affects SRX Series devices running Junos OS 12.1X46 prior
to 12.1X46-D20

Problem:
On SRX Series devices, when SIP ALG is enabled, a certain crafted SIP
packet may cause the flowd process to crash. Repeated crashes of the flowd
process constitute an extended denial of service condition for the SRX
Series device. SIP ALG is enabled by default on SRX Series devices except
for SRX-HE devices. SRX-HE devices have SIP ALG disabled by default. The
status of ALGs can be obtained by executing the 'show security alg status'
CLI command.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3815.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X46-D20, 12.1X47-D10, and all subsequent releases
(i.e. all releases built after 12.1X47-D10).

This issue is being tracked as PR 964817 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
Two workarounds are available for this issue:

    Disable SIP ALG using the CLI command 'set security alg sip disable'
    if SIP ALG is not required

    Enable flow-based processing for IPv6 traffic using the CLI command
    'set security forwarding-options family inet6 mode flow-based'
    (a device reboot is required)

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3815: Denial of Service vulnerability in flowd related to
    SIP ALG

CVSS Score:
CVSS Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

- -------------------------------------------------------------------------------
2014-07 Security Bulletin: Junos: Multiple privilege escalation
vulnerabilities in Junos CLI (CVE-2014-3816)

Security Advisories ID:		JSA10634
Last Updated:		   	09 Jul 2014
Version:			1.0

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:
Certain combinations of Junos OS CLI commands and arguments have been found
to be exploitable in a way that can allow root access to the operating
system. This may allow any user with permissions to run these CLI commands
the ability to achieve elevated privileges and gain complete control of
the device.

These issues were found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

No other Juniper Networks products or platforms are affected by these issues.

This set of issues has been assigned CVE-2014-3816.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 11.4R12, 12.1R11, 12.1X44-D35, 12.1X45-D30, 12.1X46-D20,
12.1X47-D10, 12.2R8-S2, 12.3R7, 13.1R4-S2, 13.2R5, 13.3R2-S2, 14.1R1,
and all subsequent releases (i.e. all releases built after 14.1R1).

These issues are being tracked as PRs 969408, 969365, 966808, 965762,
965758, 964860, 962834, 961449, 961397, and 928128, and are visible on
the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
Use access lists or firewall filters to limit access to the router's CLI
only from trusted hosts. Restrict access to the CLI to only highly trusted
administrators.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3816: Multiple privilege escalation vulnerabilities in Junos CLI

CVSS Score:
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:
- -------------------------------------------------------------------------------
2014-07 Security Bulletin: Junos: SRX flowd denial of service vulnerability
in NAT protocol translation (CVE-2014-3817)

Security Advisories ID:		JSA10635
Last Updated:		   	09 Jul 2014
Version:			1.0

Product Affected:
This issue affects all SRX Series devices running Junos OS 11.4, 12.1X44,
12.1X45, or 12.1X46

Problem:
On SRX Series devices, when NAT protocol translation from IPv4 to IPv6
is enabled, a certain crafted packet may cause the flowd process to hang
or crash. A hang or repeated crash of the flowd process constitutes an
extended denial of service condition for SRX Series devices.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3817.

Solution:
The following software releases have been updated to resolve this specific
issue: 11.4R12, 12.1X44-D32, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20,
12.1X47-D10, and all subsequent releases (i.e. all releases built after
12.1X47-D10).

This issue is being tracked as PR 954437 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
If NAT protocol translation from IPv4 to IPv6 is not required, disabling
the feature will completely mitigate this issue.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3817: SRX flowd denial of service vulnerability related to NAT

CVSS Score:
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:
- -------------------------------------------------------------------------------
2014-07 Security Bulletin: Junos: rpd core upon receipt of invalid PIM
packet (CVE-2014-3819)

Security Advisories ID:		JSA10637
Last Updated:		    09 Jul 2014
Version:			1.0

Product Affected:
This issue can affect any product or platform running Junos OS with PIM
enabled and Auto-RP configured.

Problem:
Receipt of a malformed PIM packet may cause the RPD routing process to
crash and restart. All PIM routers that are configured to use Auto-RP for
automatic distribution of group-to-RP mappings are impacted. If Auto-RP
is not used in the network, there is no impact.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3819.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 11.4R12, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20,
12.1X47-D10, 12.2R8, 12.3R7, 13.1R4, 13.2R4, 13.3R2, 14.1R1, and all
subsequent releases (i.e. all releases built after 14.1R1).

This issue is being tracked as PR 947395 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
No known workaround exists for this issue.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3819: rpd core upon receipt of invalid PIM packet

CVSS Score:
7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:
- -------------------------------------------------------------------------------
2014-07 Security Bulletin: Junos: XSS vulnerability in web authentication
(webauth) (CVE-2014-3821)

Security Advisories ID:		JSA10640
Last Updated:			10 Jul 2014
Version:			4.0

Product Affected:
This issue affects SRX Series devices running Junos OS 11.4, 12.1X44,
12.1X45, 12.1X46.

Problem:
A reflected cross-site scripting (XSS) vulnerability in SRX Web
Authentication (webauth) may allow the stealing of sensitive information
or session credentials from firewall users. This issue affects the device
only when Web Authentication is used for firewall user authentication.

SRX Series devices where Web Authentication is used for firewall user
authentication will have a configuration similar to:

user@SRX# show
unit 0 {
    family inet {
        address 192.168.3.1/24;
        address 192.168.3.2/24 {
            web-authentication http;
        }
    }
}

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This issue does not affect the WebAuth feature on ScreenOS devices.

This issue has been assigned CVE-2014-3821.

Solution:
The following Junos OS software releases have been updated to resolve
this specific issue: 11.4R11, 12.1X44-D34, 12.1X44-D35, 12.1X45-D25,
12.1X46-D20, 12.1X47-D10, and all subsequent releases (i.e. all releases
built after 12.1X47-D10).

This issue is being tracked as PR 907664 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
This issue can be mitigated through the use of Pass-Through Authentication,
rather than Web Authentication, as an alternative form of firewall user
authentication.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3821: XSS vulnerability in web authentication (webauth)

CVSS Score:
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Risk Level:
Low

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

- -------------------------------------------------------------------------------
2014-07 Security Bulletin: Junos: Malformed packet can cause SRX denial
of service when translating traffic from IPv6 to IPv4 (CVE-2014-3822)

Security Advisories ID:		JSA10641
Last Updated:		    	09 Jul 2014
Version:			1.0

Product Affected:
This issue can affect any SRX Series device running Junos 11.4, 12.1,
12.1X44, 12.1X45, 12.1X46.

Problem:
A denial of service (DoS) issue has been discovered in Juniper SRX Series
products that can be exploited by remote unauthenticated attackers. This
issue takes place when a certain malformed packet is translated from IPv6
to IPv4. When this malformed packet is sent to a vulnerable SRX Series
device, the flowd process may crash. The issue can be repeatedly exploited
to create an extended denial of service condition.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3822.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 11.4R8, 12.1R5, 12.1X44-D20, 12.1X45-D15, 12.1X46-D10,
12.1X47-D10, and all subsequent releases (i.e. all releases built after
12.1X47-D10).

This issue is being tracked as PR 747680 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:
If NAT protocol translation from IPv6 to IPv4 is not required, disabling
the feature will completely mitigate this issue.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2014-3822: Malformed packet can cause SRX denial of service when
    translating traffic from IPv6 to IPv4

CVSS Score:
5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------
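
The "Solution:" sections of the six advisories above each list fixed releases per Junos train. The following is an added example (not part of the Juniper advisories or the AusCERT bulletin) that compares a running release string against those lists. The function names, the status labels and the rule that builds within a train order by (build number, service release) are assumptions of this example, and it does not check whether the platform or feature named under "Product Affected" applies.

```python
import re

# Fixed releases per CVE, copied from the "Solution:" sections of this bulletin.
FIXED = {
    "CVE-2014-3815": "12.1X46-D20 12.1X47-D10",
    "CVE-2014-3816": ("11.4R12 12.1R11 12.1X44-D35 12.1X45-D30 12.1X46-D20 "
                      "12.1X47-D10 12.2R8-S2 12.3R7 13.1R4-S2 13.2R5 "
                      "13.3R2-S2 14.1R1"),
    "CVE-2014-3817": ("11.4R12 12.1X44-D32 12.1X44-D35 12.1X45-D25 "
                      "12.1X46-D20 12.1X47-D10"),
    "CVE-2014-3819": ("11.4R12 12.1R10 12.1X44-D35 12.1X45-D25 12.1X46-D20 "
                      "12.1X47-D10 12.2R8 12.3R7 13.1R4 13.2R4 13.3R2 14.1R1"),
    "CVE-2014-3821": ("11.4R11 12.1X44-D34 12.1X44-D35 12.1X45-D25 "
                      "12.1X46-D20 12.1X47-D10"),
    "CVE-2014-3822": ("11.4R8 12.1R5 12.1X44-D20 12.1X45-D15 12.1X46-D10 "
                      "12.1X47-D10"),
}

# major.minor, then "R" or an X-train marker such as "X46-D", the build number,
# an optional "-S<n>" service release, and an optional ".<n>" build spin.
_REL = re.compile(r"^(\d+)\.(\d+)(R|X\d+-D)(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse(release):
    """Split a release string into (train, build) tuples that compare cleanly."""
    m = _REL.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {release!r}")
    major, minor, kind, build, service = m.groups()
    train = (int(major), int(minor), kind.split("-")[0])  # e.g. (12, 1, "X46")
    # Assumption: the build spin is ignored and a missing -S counts as 0.
    return train, (int(build), int(service or 0))


def status(cve, running):
    """Classify a running release against the fixed list for one CVE."""
    train, build = parse(running)
    listed = sorted(b for t, b in map(parse, FIXED[cve].split()) if t == train)
    if not listed:
        # The string alone cannot show whether this train is affected or was
        # built after the fix; check "Product Affected" and the build date.
        return "train-not-listed"
    if build in listed or build > listed[-1]:
        return "fixed"
    if build < listed[0]:
        return "unfixed"
    # Between two listed builds of the same train: confirm with the vendor.
    return "verify"


def triage(running):
    """Status for every CVE in this bulletin, keyed by CVE name."""
    return {cve: status(cve, running) for cve in sorted(FIXED)}


if __name__ == "__main__":
    # Constructed sample input: an SRX on a release that predates most fixes.
    for cve, result in triage("12.1X46-D15").items():
        print(f"{cve}: {result}")
```

A "train-not-listed" or "verify" result means the release string is not enough to decide and the advisory text for that CVE has to be read for the device in question.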

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================