ESB-2016.0103 - [Appliance] Juniper SRX-Series and J-Series: Denial of service - Remote/unauthenticated

Date: 14 January 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0103
        Security Bulletin: Juniper SRX-Series and J-Series: Denial
                        of Service Vulnerabilities
                              14 January 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper SRX-Series
                   Juniper J-Series
Publisher:         Juniper Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1262 CVE-2015-5477 

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10718
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10720

Comment: This bulletin contains two (2) Juniper Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2016-01 Security Bulletin: Junos: Vulnerability in ISC BIND named 
(CVE-2015-5477)

Categories: Junos, J-series, J2350, SRX Series, SRX5600, SRX5800, SRX210, 
SRX240, SRX650, SRX100

Security Advisories ID: JSA10718

Last Updated: 13 Jan 2016

Version: 2.0

Product Affected:

This issue can affect any SRX-Series and J-Series configured with DNS Proxy 
server services enabled.

Problem:

A vulnerability in ISC BIND's handling of queries for TKEY records may allow 
remote attackers to terminate the daemon process on an assertion failure.

Juniper SIRT is not aware of any malicious exploitation of this issue on Junos
devices. The Juniper SIRT is aware of publicly available PoC exploits.

This issue affects only SRX-Series and J-Series configured with DNS Proxy 
server services enabled. This issue can affect both standalone and HA 
configurations.

This issue has been assigned CVE-2015-5477.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X46-D45, 12.1X47-D30, 12.3R11, 
12.3R12, 12.3X48-D20, 12.3X50-D50, 13.2R9, 13.2X51-D39, 13.2X51-D40, 13.3R8, 
14.1R6, 14.1R7, 14.1X53-D30, 14.2R5, 15.1F3, 15.1R2, 15.1R3, 15.1X49-D30, 
15.1X53-D20, 15.2R1 and all subsequent releases.

Note: To proactively mitigate this issue should DNS Server features be 
introduced into other Junos OS platforms and products in the future, the fix 
is also included in the stated releases for platforms other than those listed
as vulnerable under this JSA. The BIND issue does affect those versions, but 
they are not vulnerable to it, because the option to enable the DNS Server 
feature does not exist on those platforms. Should SRX-Series and J-Series 
releases move to R-releases in the future, the issue is fixed going forward 
in those release trains as well.

This issue is being tracked as PR 1108761 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which 
releases vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

DNS proxy can be disabled. Configuration statements like the following 
examples indicate that the service is enabled:

set dns dns-proxy interface ge-0/0/1.0

set dns dns-proxy default-domain * forwarders 172.17.28.100

You may view the status of DNS proxy via the command:

show system services dns dns-proxy

Firewall filters limiting receipt of DNS queries on TCP and UDP port 53 can be
implemented for different hosted groups of DNS servers; external DNS servers 
should be separate from internal DNS servers. External DNS servers should only
accept DNS queries from internal DNS servers and reject externally facing DNS
queries if using BIND.

A layered approach utilizing non-BIND based DNS servers may be taken as well;
non-BIND servers can be deployed for externally hosted domains, and servers 
using BIND can be deployed internally.

In addition to the recommendations listed above, it is a good security 
practice to limit the exploitable attack surface of critical infrastructure 
networking equipment. Use access lists or firewall filters to limit access to
the devices only from trusted, administrative networks or hosts.

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-01-13: Initial publication

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

ISC BIND What is a BIND Assertion Failure?

ISC BIND About CVE-2015-5477

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level: Medium

- ---------------------------------------------------------------------------

2016-01: Security Bulletin: Junos: SRX-Series denial of service vulnerability
in flowd due to crafted RTSP packets (CVE-2016-1262)

Categories: Junos, SRX Series, SRX5600, SRX5800, SRX210, SRX240, SRX650, 
SRX100, SRX3400, SRX3600

Security Advisories ID: JSA10721

Last Updated: 13 Jan 2016

Version: 3.0

Product Affected:

This issue can affect any SRX-Series devices running Junos OS prior to 
12.1X46-D45, 12.1X47-D30, 12.3X48-D20, 15.1X49-D30 in either standalone or HA
mode.

Problem:

On all SRX-Series devices, when the RTSP ALG (Real Time Streaming Protocol 
Application Layer Gateway) is enabled, a certain crafted RTSP packet might 
cause the flowd process to crash, halting or interrupting traffic from flowing
through the device(s).

Repeated crashes of the flowd process may constitute an extended denial of 
service condition for the device(s).

If the device is configured in high-availability, the RG1+ (data-plane) will 
fail-over to the secondary node.

If the device is configured in stand-alone, there will be temporary traffic 
interruption until the flowd process is restored automatically.

Sustained crafted packets may cause the secondary failover node to fail back,
or fail completely, potentially halting flowd on both nodes of the cluster or
causing flip-flop failovers to occur.

The output of "show system core-dumps" will show core files such as:

/var/tmp/flowd_xlr-SPC*_PIC*.core.0.gz (in high-end SRX)

/var/tmp/flowd_octeon_hm.core-tarball.0.tgz (in Branch SRX)

RTSP ALG is enabled by default on branch SRX platforms and disabled by default
on high-end SRX platforms.

The status of ALGs can be obtained by executing the 'show security alg status'
CLI command.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1262.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D45 (pending release), 12.1X47-D30, 12.3X48-D20, 
15.1X49-D30 and all subsequent releases.

This issue is being tracked as PR 1116559 and is visible on the Customer 
Support website.

Workaround:

Disable RTSP ALG services on the device(s).

Implementation:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-01-13: Initial publication

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Security Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team

SRX-Series denial of service vulnerability in flowd due to crafted RTSP 
packets

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level: High

Risk Assessment:

A network based attacker can cause a denial of service condition.

- --------------------------END INCLUDED TEXT--------------------
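
The two advisories above list fixed releases per Junos release train. The following added example (not part of the Juniper or AusCERT text) checks a running version against those lists. The function names and the ordering model, comparing -D numbers within an X train and R/F numbers within an R or F train, are assumptions of this sketch.

```python
import re

# Fixed releases copied verbatim from the two advisories above.
FIXED = {
    "CVE-2015-5477": (
        "12.1X44-D55 12.1X46-D40 12.1X46-D45 12.1X47-D30 12.3R11 12.3R12 "
        "12.3X48-D20 12.3X50-D50 13.2R9 13.2X51-D39 13.2X51-D40 13.3R8 "
        "14.1R6 14.1R7 14.1X53-D30 14.2R5 15.1F3 15.1R2 15.1R3 15.1X49-D30 "
        "15.1X53-D20 15.2R1"
    ).split(),
    "CVE-2016-1262": "12.1X46-D45 12.1X47-D30 12.3X48-D20 15.1X49-D30".split(),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)([RFX])(\d+)(?:-D(\d+))?")

def parse(version):
    """Split a Junos version into (train, level).

    Assumed ordering: X releases compare by -D number inside a train such
    as 12.1X46; R and F releases compare by the number after the letter.
    Trailing service or spin suffixes (-S2, .3) are ignored.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, kind, build, drop = m.groups()
    if kind == "X":
        if drop is None:
            raise ValueError(f"X release without -D number: {version!r}")
        return f"{major}.{minor}X{build}", int(drop)
    return f"{major}.{minor}{kind}", int(build)

def first_fixed(cve):
    """Earliest fixed level per release train for one advisory."""
    fixed = {}
    for release in FIXED[cve]:
        train, level = parse(release)
        fixed[train] = min(level, fixed.get(train, level))
    return fixed

def status(cve, version):
    """Return 'fixed', 'below-fix' or 'unlisted' for a running version."""
    train, level = parse(version)
    fixed = first_fixed(cve)
    if train not in fixed:
        return "unlisted"  # train not named in the advisory; ask the vendor
    return "fixed" if level >= fixed[train] else "below-fix"
```

A "below-fix" result means exposure only when the relevant feature (DNS proxy for CVE-2015-5477, RTSP ALG for CVE-2016-1262) is enabled on the device.
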

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================