===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2014.0516
2014-04 Security Bulletin: Junos: Multiple vulnerabilities
16 April 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service    -- Remote/Unauthenticated
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2714 CVE-2014-2713 CVE-2014-2711
                   CVE-2014-0614 CVE-2014-0612

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10618
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10619
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10620
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10621
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10622

Comment: This bulletin contains five (5) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted IGMP packets (CVE-2014-0614)

Categories: Junos, Router Products, Security Products, Switch Products, SIRT Advisory
Security Advisories ID: JSA10618
Last Updated: 09 Apr 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 13.2 or higher.

PROBLEM:

Reception of a very high rate of crafted IGMP packets may cause the Junos kernel to crash. The contents of the valid IGMP packets must be specifically crafted to trigger the crash, while maintaining a transmit rate exceeding approximately 1000 packets per second. PIM must also be enabled to trigger this crash.

This issue only affects devices running Junos OS 13.2 or higher. Earlier versions of Junos are unaffected by this vulnerability.
This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-0614.

SOLUTION:

The following software releases have been updated to resolve this specific issue:

- All Junos OS software releases built on or after 2014-01-16, or
- Junos OS 13.2R3, 13.3R1, and all subsequent releases (i.e. all releases built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 944135 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Two options exist to mitigate this issue.

1) If PIM is not required, disabling PIM will avoid this crash.
2) While the IGMP flood is not limited to the management interface, if fxp0 is unused, explicitly disabling the external management interface will prevent the kernel panic.

    [edit interfaces]
    +   fxp0 {
    +       disable;
    +   }

In addition to (but not a substitute for) the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router only from trusted, administrative networks or hosts.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely.
Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
- CVE-2014-0614: Kernel panic processing high rate of crafted IGMP packets

CVSS SCORE:

7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Persistent Cross Site Scripting vulnerability in J-Web (CVE-2014-2711)

Categories: Junos, Router Products, Security Products, Switch Products, SIRT Advisory
Security Advisories ID: JSA10619
Last Updated: 09 Apr 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS.

PROBLEM:

A persistent cross site scripting vulnerability in J-Web may allow a remote unauthenticated user to inject web script or HTML and steal sensitive data and credentials from a J-Web session and to perform administrative actions on the Junos device. An attacker can inject web script or HTML even when J-Web is disabled, but the vulnerability can only be exploited when J-Web is used to monitor the system.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2711.

SOLUTION:

The following software releases have been updated to resolve this specific issue:

- All Junos OS software releases built on or after 2014-03-20, or
- Junos OS 11.4R11, 11.4X27.62 (BBE), 12.1R9, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.2R7, 12.3R6, 13.1R4, 13.2R3, 13.3R1, and all subsequent releases (i.e. all releases built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 940744 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Avoid using J-Web to monitor the system.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
- CVE-2014-2711: Persistent Cross Site Scripting vulnerability in J-Web

CVSS SCORE:

9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

RISK LEVEL:

Critical

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

Juniper SIRT would like to acknowledge and thank Chuck McAuley for responsibly reporting this vulnerability.

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Branch SRX Series vulnerable to denial of service for new Dynamic VPN connections (CVE-2014-0612)

Categories: Junos, SRX Series, SRX210, SRX240, SRX650, SRX100, SRX110, SRX220, SRX550, SIRT Advisory
Security Advisories ID: JSA10620
Last Updated: 09 Apr 2014
Version: 2.0

PRODUCT AFFECTED:

This issue can affect all SRX Branch Series services gateways: SRX 100, SRX 110, SRX 210, SRX 220, SRX 240, SRX 550, and SRX 650.

PROBLEM:

On Branch SRX Series service gateways, when Dynamic IPsec VPN is configured, a remote unauthenticated user may cause a denial of service condition where new Dynamic VPN connections may fail for other users. This issue may also lead to high CPU consumption and disk usage which may cause other complications.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-0612.

SOLUTION:

The following software releases have been updated to resolve this specific issue:

- All Junos OS software releases built on or after 2014-02-19, or
- Junos OS 11.4R10-S1, 11.4R11, 12.1X44-D26, 12.1X44-D30, 12.1X45-D20, 12.1X46-D10, and all subsequent releases (i.e. all releases built after 12.1X46-D10).
Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 934366 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Other than disabling Dynamic IPsec VPN, no viable workaround is known to exist for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
- CVE-2014-0612: Branch SRX Series vulnerable to denial of service for new Dynamic VPN connections

CVSS SCORE:

5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: Crafted IP packet can trigger PFE reboot on MX Series and T4000 (CVE-2014-2713)

Categories: Junos, MX-series, SIRT Advisory
Security Advisories ID: JSA10621
Last Updated: 10 Apr 2014
Version: 3.0

PRODUCT AFFECTED:

This issue can affect all MX Series and T4000 routers using either Trio or Cassis-based PFEs.

PROBLEM:

2014-04-10 Update: Added T4000 and Type 5 FPCs (T4000-FPC5-3D) to advisory.

A crafted IP packet destined to an MX Series or T4000 router utilizing Trio or Cassis-based PFE (Packet Forwarding Engine) modules can cause the PFE to reboot. Affected modules include MPC1, MPC2, MPC3, and MPC4, integrated MPCs (CHAS-MX*), as well as Type 5 FPCs on the T4000. For a complete list of Trio and Cassis-based PFE modules, refer to KB25385. Customers can display the various components in use via the 'show chassis hardware' command.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2713.

SOLUTION:

The following software releases have been updated to resolve this specific issue:

- All Junos OS software releases built on or after 2014-03-20, or
- Junos OS 11.4R11, 12.1R9, 12.2R7, 12.3R4-S3, 12.3R5, 13.1R4, 13.2R2, and 13.3R1, and all subsequent releases (i.e. all releases built after 13.3R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 904887 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

No known workaround exists for this issue.
IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

- KB25385: A mapping between chipset type and PFE module
- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
- CVE-2014-2713: Crafted IP packet can trigger PFE reboot on MX Series and T4000

CVSS SCORE:

CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

RISK LEVEL:

Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

------------------------------------------------------------------------------

2014-04 Security Bulletin: Junos: SRX Series Enhanced Web Filtering flowd crash while parsing URL (CVE-2014-2714)

Categories: Junos, SRX Series, SIRT Advisory
Security Advisories ID: JSA10622
Last Updated: 09 Apr 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect all SRX Series services gateways.

PROBLEM:

An issue has been found on SRX Series services gateways when Enhanced Web Filtering (EWF) is enabled.
A certain type of URL can cause the flow daemon (flowd) process to crash and restart. Repeated crashes of the flowd process can represent a sustained denial of service condition for SRX Series devices.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2714.

SOLUTION:

The following software releases have been updated to resolve this specific issue:

- All Junos OS software releases built on or after 2013-12-17, or
- Junos OS 10.4R15, 11.4R9, 12.1R7, 12.1X44-D20, 12.1X45-D10, 12.1X46-D10, and all subsequent releases (i.e. all releases built after 12.1X46-D10).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 877830 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Disable the use of Enhanced Web Filtering if it is not needed.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

- KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
- KB16765: In which releases are vulnerabilities fixed?
- KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
- Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
- CVE-2014-2714: SRX Series Enhanced Web Filtering flowd crash while parsing URL

CVSS SCORE:

7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
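Added example, not part of the Juniper or AusCERT text: a Python check that applies the two rules each SOLUTION section gives (built on or after the cut-off date, or at or past the listed release in the same train) to a version and build date read from 'show version detail'. The function names, status labels and version-parsing regex are assumptions of this example, and platform or feature conditions (PIM, J-Web, Dynamic VPN, Trio/Cassis PFEs, EWF) are not evaluated.

```python
import re
from datetime import date

# Per advisory: (fix build-date cut-off, first fixed releases, first affected major.minor).
# Values are copied from the SOLUTION and PROBLEM sections of the five advisories.
ADVISORIES = {
    "CVE-2014-0614": (date(2014, 1, 16), ["13.2R3", "13.3R1"], (13, 2)),
    "CVE-2014-2711": (date(2014, 3, 20), ["11.4R11", "11.4X27.62", "12.1R9",
                      "12.1X44-D35", "12.1X45-D25", "12.1X46-D20", "12.2R7",
                      "12.3R6", "13.1R4", "13.2R3", "13.3R1"], None),
    "CVE-2014-0612": (date(2014, 2, 19), ["11.4R10-S1", "11.4R11", "12.1X44-D26",
                      "12.1X44-D30", "12.1X45-D20", "12.1X46-D10"], None),
    "CVE-2014-2713": (date(2014, 3, 20), ["11.4R11", "12.1R9", "12.2R7", "12.3R4-S3",
                      "12.3R5", "13.1R4", "13.2R2", "13.3R1"], None),
    "CVE-2014-2714": (date(2013, 12, 17), ["10.4R15", "11.4R9", "12.1R7",
                      "12.1X44-D20", "12.1X45-D10", "12.1X46-D10"], None),
}

# Assumed version grammar: 13.2R3, 12.3R4-S3, 12.1X44-D35, 11.4X27.62, each with an
# optional trailing build spin such as the ".7" in 12.3R5.7.
_VER = re.compile(r"^(\d+)\.(\d+)([RX])(\d+)(?:\.(\d+))?(?:-([DS])(\d+)(?:\.\d+)?)?$")


def parse(version):
    """Split a version into (major.minor, release train, position within the train)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, kind, num, dot, _, suffix = m.groups()
    base = (int(major), int(minor))
    if kind == "R":  # 12.3R4-S3 -> train 12.3R, position (4, 3); spin is ignored
        return base, f"{major}.{minor}R", (int(num), int(suffix or 0))
    # X trains: position is the -D number, or the dotted number in 11.4X27.62
    return base, f"{major}.{minor}X{num}", (int(suffix or dot or 0), 0)


def status(cve, version, built=None):
    """Return 'not-affected', 'fixed', 'unfixed' or 'unknown' for one advisory."""
    cutoff, fixed, first_affected = ADVISORIES[cve]
    base, train, pos = parse(version)
    if first_affected and base < first_affected:
        return "not-affected"              # e.g. CVE-2014-0614 needs 13.2 or higher
    if built is not None and built >= cutoff:
        return "fixed"                     # rule 1: built on or after the cut-off
    same_train = [p for _, t, p in map(parse, fixed) if t == train]
    if same_train and pos >= min(same_train):
        return "fixed"                     # rule 2: listed release or a later one
    if same_train or built is not None:
        return "unfixed"
    return "unknown"                       # unlisted train and no build date to test


def report(version, built=None):
    """Evaluate every advisory in the bulletin for one device."""
    return {cve: status(cve, version, built) for cve in ADVISORIES}


if __name__ == "__main__":
    # Constructed sample device: version and build date as read from 'show version detail'.
    for cve, result in report("12.1X44-D25.2", date(2013, 11, 20)).items():
        print(cve, result)
```

An "unknown" result means the release train is not listed in the advisory and no build date was supplied, so the build date has to be read from the device before the release can be judged.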