ESB-2016.0102 - [Appliance] Junos OS: Denial of service - Remote/unauthenticated

Date: 14 January 2016


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0102
       Security Bulletins: Junos: Denial of Service Vulnerabilities
                              14 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1258 CVE-2016-1257 CVE-2016-1256

Original Bulletin: 
   http://kb.juniper.net/index?page=content&id=JSA10714
   http://kb.juniper.net/index?page=content&id=JSA10715
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10720

Comment: This bulletin contains three (3) Juniper Networks security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2016-01: Security Bulletin: Junos: Multicast denial of service related to 
IGMPv3 (CVE-2016-1256)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
Switch Products, EX Series, SRX Series, QFX Series

Security Advisories ID: JSA10714

Last Updated: 12 Jan 2016

Version: 1.0

Product Affected:

This issue can affect any product or platform running Junos OS with IGMPv3 
enabled.

Problem:

Receipt of a crafted IGMPv3 protocol message can create a denial of service to
a portion of a multicast network. This issue only affects IGMPv3. IGMPv2 is 
unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1256.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R10, 12.3X48-D20, 
13.2R8, 13.2X51-D40, 13.3R7, 14.1R5, 14.1X53-D18, 14.1X53-D30, 14.1X55-D25, 
14.2R4, 15.1R2, 15.1X49-D10, and all subsequent releases.

This issue is being tracked as PR 1079503 and is visible on the Customer 
Support website.

Workaround:

Disabling IGMPv3 and falling back to IGMPv2 mitigates this issue, but may 
reduce functionality (e.g. PIM source-specific multicast requires IGMPv3).

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-01-13: Initial publication

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2016-1256: Multicast denial of service related to IGMPv3

CVSS Score:

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

-----------------------------------------------------------------------------

2016-01 Security Bulletin: Junos: RPD crash in processing LDP packets 
(CVE-2016-1257)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
Switch Products, EX Series, SRX Series, QFX Series

Security Advisories ID: JSA10715

Last Updated: 13 Jan 2016

Version: 2.0

Product Affected:

This issue can affect any product or platform running a Junos OS release 
listed below with LDP enabled.

Problem:

If LDP is enabled via the 'protocols ldp' configuration option on a device 
running Junos OS, receipt of a crafted LDP packet may cause the RPD routing 
process to crash and restart. The interface on which the packet arrives does 
not need to have LDP enabled: as long as one interface to the peer has LDP 
enabled, the packet is sent to the Routing Engine for further processing, 
exposing the router to a denial of service (RPD crash).

This issue is a regression defect introduced in the Junos OS 13.2R5, 13.3R1, 
14.1R1, 14.2R1 and 15.1 releases. Junos OS versions prior to 13.2R5 are not 
affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
However, the issue has been seen in a production network due to LDP packets 
originating from a different vendor's device.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1257.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 13.3R7-S3, 13.3R8, 14.1R3-S9, 14.1R4-S7, 14.1R6, 14.1X51-D65,
14.1X53-D12, 14.1X53-D28, 14.1X53-D35, 14.2R3-S4, 14.2R4-S1, 14.2R5, 
15.1F2-S2, 15.1F3, 15.1R3, 15.1X49-D40* and all subsequent releases.

This issue is being tracked as PR 1096835 and is visible on the Customer 
Support website.

*15.1X49-D40 will be available later in Q1/2016

Workaround:

Disable LDP if it is not required, or use access lists or firewall filters to
limit LDP access to the device to trusted networks or hosts only.

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-01-13: Initial publication.

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2016-1257: RPD crash in processing LDP packets

CVSS Score:

5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

---------------------------------------------------------------------------

2016-01 Security Bulletin: Junos: J-Web denial of service due to vulnerability
in Embedthis Appweb Server (CVE-2016-1258)

Categories: Junos, Router Products, Switch Products, JWEB Mgmt Tool, 
SIRT Advisory

Security Advisories ID: JSA10720

Last Updated: 13 Jan 2016

Version: 3.0

Product Affected:

This issue can affect any product or platform running Junos OS with J-Web 
enabled.

Problem:

A denial of service vulnerability in Embedthis Appweb Server while processing
certain malformed HTTP requests may allow a remote unauthenticated user to 
crash the J-Web service.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2016-1258.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X44-D60, 12.1X46-D45 (pending release), 12.1X47-D30, 
12.3R10, 12.3R11, 12.3X48-D20, 13.2X51-D20, 13.3R8, 14.1R6, 14.2R5 and all 
subsequent releases.

This issue is being tracked as PR 925108 and is visible on the Customer 
Support website.

Workaround:

Disable J-Web, or limit access to only trusted hosts.
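The three workarounds in this bulletin (fall back from IGMPv3 to IGMPv2, disable or filter LDP, disable or restrict J-Web) all turn on what is in the device configuration, so the first thing an operator wants is a way to tell, per device, which of the three conditions actually apply. The script below is an added example, not Juniper's or AusCERT's tooling. It reads a configuration in 'show configuration | display set' form and reports, per CVE, whether the exposing feature is configured and active, honouring 'deactivate' statements, and whether a loopback input filter (the firewall-filter workaround named for LDP and J-Web) is at least present. Assumptions not stated on the page: Junos IGMP defaults to version 2, so IGMPv3 is only present where 'version 3' is configured explicitly; control-plane filtering is applied as an 'input' filter on lo0 unit 0 family inet; the sample configuration, the interface names and the filter name PROTECT-RE are constructed for the example. Only the filter's presence is checked; whether its terms really restrict TCP/UDP 646 (LDP) and the J-Web ports to trusted hosts still has to be reviewed by hand.

```python
"""Audit a Junos configuration ('show configuration | display set' output)
for the conditions behind CVE-2016-1256 (IGMPv3 configured), CVE-2016-1257
('protocols ldp' configured) and CVE-2016-1258 (J-Web enabled), and for the
presence of a loopback input filter, the workaround named for the last two.

Added example, not Juniper's or AusCERT's tooling.  Assumptions: Junos IGMP
defaults to version 2, so IGMPv3 exists only where 'version 3' is explicit;
control-plane filtering is an 'input' filter on lo0 unit 0 family inet.
The filter's terms are NOT inspected, only its presence.
"""

# Constructed sample configuration for the example, not from a real device.
SAMPLE_CONFIG = """
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set protocols igmp interface ge-0/0/1.0 version 3
set protocols igmp interface ge-0/0/2.0
set protocols ldp interface ge-0/0/3.0
set protocols ldp interface ge-0/0/4.0
set system services web-management http
set system services web-management https system-generated-certificate
deactivate system services web-management https
set firewall family inet filter PROTECT-RE term ldp from source-prefix-list LDP-PEERS
set firewall family inet filter PROTECT-RE term ldp from protocol tcp
set firewall family inet filter PROTECT-RE term ldp from port 646
set firewall family inet filter PROTECT-RE term ldp then accept
"""


def parse_set_config(text):
    """Split display-set output into ('set' | 'deactivate', path-tuple) pairs."""
    stmts = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] in ("set", "deactivate"):
            stmts.append((tokens[0], tuple(tokens[1:])))
    return stmts


def _active(stmts, prefix):
    """Paths of 'set' statements under prefix that no 'deactivate' covers."""
    deactivated = [p for kind, p in stmts if kind == "deactivate"]
    return [p for kind, p in stmts
            if kind == "set" and p[:len(prefix)] == prefix
            and not any(p[:len(d)] == d for d in deactivated)]


def igmpv3_interfaces(stmts):
    """Logical interfaces with 'protocols igmp interface <ifl> version 3'."""
    return [p[3] for p in _active(stmts, ("protocols", "igmp", "interface"))
            if len(p) >= 6 and p[4:6] == ("version", "3")]


def ldp_enabled(stmts):
    """True if anything under 'protocols ldp' is configured and active."""
    return bool(_active(stmts, ("protocols", "ldp")))


def jweb_enabled(stmts):
    """True if web-management http or https is configured and active."""
    return any(len(p) > 3 and p[3] in ("http", "https")
               for p in _active(stmts, ("system", "services", "web-management")))


def lo0_input_filter(stmts):
    """Name of the IPv4 input filter on lo0.0, or None if there is none."""
    prefix = ("interfaces", "lo0", "unit", "0", "family", "inet", "filter", "input")
    for p in _active(stmts, prefix):
        if len(p) > len(prefix):
            return p[len(prefix)]
    return None


def exposure(config_text):
    """Map each CVE to (exposed, note) for one configuration."""
    stmts = parse_set_config(config_text)
    filt = lo0_input_filter(stmts)
    filt_note = ("; lo0 input filter %s present, verify its terms restrict the service"
                 % filt if filt else "; no lo0 input filter, workaround not applied")
    v3, ldp, web = igmpv3_interfaces(stmts), ldp_enabled(stmts), jweb_enabled(stmts)
    return {
        "CVE-2016-1256": (bool(v3), "IGMPv3 on " + ", ".join(v3) if v3
                          else "no interface runs IGMPv3"),
        "CVE-2016-1257": (ldp, "protocols ldp configured" + filt_note if ldp
                          else "LDP not configured"),
        "CVE-2016-1258": (web, "J-Web enabled" + filt_note if web
                          else "J-Web not enabled"),
    }


if __name__ == "__main__":
    for cve, (exposed, note) in sorted(exposure(SAMPLE_CONFIG).items()):
        print("%s: %s (%s)" % (cve, "EXPOSED" if exposed else "ok", note))
```

On the sample configuration the script reports all three CVEs as exposed: IGMPv3 on ge-0/0/1.0 (the interface without an explicit version stays at the IGMPv2 default), LDP configured behind the PROTECT-RE filter, and J-Web still reachable over HTTP even though the HTTPS stanza is deactivated. Feed it the output of 'show configuration | display set' collected from each device to triage a fleet before the fixed releases are rolled out.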

Implementation:

How to obtain fixed software: Security vulnerabilities in Junos are fixed in 
the next available Maintenance Release of each supported Junos version. In 
some cases, a Maintenance Release is not planned to be available in an 
appropriate time-frame. For these cases, Service Releases are made available 
in order to be more timely. Security Advisory and Security Notices will 
indicate which Maintenance and Service Releases contain fixes for the issues 
described. Upon request to JTAC, customers will be provided download 
instructions for a Service Release. Although Juniper does not provide formal 
Release Note documentation for a Service Release, a list of "PRs fixed" can be
provided on request.
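The 'Solution' lists in all three advisories name fixed releases per Junos train, and the paragraph above explains why some fixes land in a Service Release (14.1R4-S7) while others land in a Maintenance Release (14.1R6). That distinction matters when checking a fleet: 14.1R5 is not "subsequent" to 14.1R4-S7, so it carries the CVE-2016-1257 fix only if it is listed itself, and it is not. The script below is an added example rather than Juniper's or AusCERT's tooling. It parses Junos release strings and applies that rule to the fixed-release lists transcribed from the three advisories. It assumes Juniper's naming convention (major.minor, then R or F or an X-branch with a -D build number, then an optional -S service number) and treats a train as major.minor plus branch; the advisory listing both 14.1X53-D18 and 14.1X53-D30 suggests the vendor's trains can be finer than that, so treat a "fixed" answer as a first pass and confirm against KB16765 or JTAC. The answer "no fix listed for this train" covers trains the advisory does not mention at all, for example releases before 13.2R5 that JSA10715 says are unaffected, or end-of-life trains, and those need a human reading of the advisory text.

```python
"""Classify a running Junos OS release against an advisory's fixed-release
list.  Added example, not Juniper's or AusCERT's tooling.

Assumed convention (from the advisory text, not stated formally there): a fix
listed as a service release (14.1R4-S7) carries forward only to later service
releases of that same maintenance release; a fix listed as a maintenance
release (14.1R6) or X-branch build (12.1X44-D55) carries forward to every
later release of that train.  A train is taken as major.minor plus branch.
"""
import re

# major.minor, branch R/F or X<nn>, optional -D, release number, optional -S<n>
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(R|F|X\d+)(?:-D)?(\d+)(?:-S(\d+))?$")

# Fixed releases transcribed from JSA10714, JSA10715 and JSA10720 above.
# JSA10715 marks 15.1X49-D40 as not yet available at publication.
FIXED = {
    "CVE-2016-1256": ["12.1X44-D55", "12.1X46-D40", "12.1X47-D25", "12.3R10",
                      "12.3X48-D20", "13.2R8", "13.2X51-D40", "13.3R7", "14.1R5",
                      "14.1X53-D18", "14.1X53-D30", "14.1X55-D25", "14.2R4",
                      "15.1R2", "15.1X49-D10"],
    "CVE-2016-1257": ["13.3R7-S3", "13.3R8", "14.1R3-S9", "14.1R4-S7", "14.1R6",
                      "14.1X51-D65", "14.1X53-D12", "14.1X53-D28", "14.1X53-D35",
                      "14.2R3-S4", "14.2R4-S1", "14.2R5", "15.1F2-S2", "15.1F3",
                      "15.1R3", "15.1X49-D40"],
    "CVE-2016-1258": ["12.1X44-D60", "12.1X46-D45", "12.1X47-D30", "12.3R10",
                      "12.3R11", "12.3X48-D20", "13.2X51-D20", "13.3R8", "14.1R6",
                      "14.2R5"],
}


def parse_release(text):
    """Return (major, minor, branch, release, service); service is None for a
    maintenance release.  Raises ValueError on an unrecognised string."""
    m = _RELEASE_RE.match(text.strip().rstrip("*"))
    if not m:
        raise ValueError("unrecognised Junos release: %r" % text)
    major, minor, branch, release, service = m.groups()
    return (int(major), int(minor), branch, int(release),
            None if service is None else int(service))


def release_status(running, fixed_releases):
    """'fixed', 'vulnerable', or 'no fix listed for this train'.

    The last answer means the advisory names no release on the running
    release's train (not affected, end-of-life, or simply unlisted) and a
    human has to read the advisory text."""
    major, minor, branch, rel, svc = parse_release(running)
    train_listed = False
    for fixed in fixed_releases:
        f_major, f_minor, f_branch, f_rel, f_svc = parse_release(fixed)
        if (f_major, f_minor, f_branch) != (major, minor, branch):
            continue
        train_listed = True
        if f_svc is None:
            # Maintenance or -D fix: that release and every later one on the
            # train, including their service releases, carry it.
            if rel >= f_rel:
                return "fixed"
        elif rel == f_rel and svc is not None and svc >= f_svc:
            # Service-release fix: only later -S builds of the same
            # maintenance release carry it; 14.1R5 is not after 14.1R4-S7.
            return "fixed"
    return "vulnerable" if train_listed else "no fix listed for this train"


def audit(running):
    """Status of one running release against all three advisories."""
    return {cve: release_status(running, fixed) for cve, fixed in FIXED.items()}


if __name__ == "__main__":
    for ver in ("14.1R5", "14.1R4-S7", "14.1R3-S10", "12.1X44-D50", "13.2R6"):
        print(ver, audit(ver))
```

Running it shows the trap the service-release convention sets: 14.1R5 is fixed for CVE-2016-1256 but still vulnerable to CVE-2016-1257 and CVE-2016-1258, while the older 14.1R4-S7 is fixed for CVE-2016-1257 and vulnerable to the other two. 13.2R6 comes back as "no fix listed for this train" for CVE-2016-1257, which is exactly the case where the advisory text (regression introduced in 13.2R5, no 13.2R fix listed) has to be read rather than computed.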

Modification History:

2016-01-13: Initial publication.

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

CVE-2016-1258: J-Web denial of service vulnerability

CVSS Score:

5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level:

Medium

Risk Assessment:

A network based unauthenticated attacker can cause the J-Web service on a 
device to become unavailable.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================