Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0516
2014-04 Security Bulletin: Junos: Multiple vulnerabilities
16 April 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-2714 CVE-2014-2713 CVE-2014-2711
CVE-2014-0614 CVE-2014-0612
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10618
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10619
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10620
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10621
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10622
Comment: This bulletin contains five (5) Juniper Networks security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
2014-04 Security Bulletin: Junos: Kernel panic processing high rate of crafted
IGMP packets (CVE-2014-0614)
Categories:
Junos
Router Products
Security Products
Switch Products
SIRT Advisory
Security Advisories ID: JSA10618
Last Updated: 09 Apr 2014
Version: 1.0
PRODUCT AFFECTED:
This issue can affect any product or platform running Junos OS 13.2 or higher.
PROBLEM:
Reception of a very high rate of crafted IGMP packets may cause the Junos
kernel to crash. The contents of the valid IGMP packets must be specifically
crafted to trigger the crash, while maintaining a transmit rate exceeding
approximately 1000 packets per second. PIM must also be enabled to trigger
this crash.
This issue only affects devices running Junos OS 13.2 or higher. Earlier
versions of Junos are unaffected by this vulnerability.
This issue was found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2014-0614.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
- - All Junos OS software releases built on or after 2014-01-16, or
- - Junos OS 13.2R3, 13.3R1, and all subsequent releases (i.e. all releases
built after 13.3R1).
Customers can confirm the build date of any Junos OS release by issuing the
command 'show version detail'.
This issue is being tracked as PR 944135 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Two options exist to mitigate this issue.
1) If PIM is not required, disabling PIM will avoid this crash.
2) While the IGMP flood is not limited to the management interface, if fxp0 is
unused, explicitly disabling the external management interface will prevent
the kernel panic.
[edit interfaces]
+ fxp0 {
+ disable;
+ }
In addition to (but not a substitute for) the recommendations listed above, it
is good security practice to limit the exploitable attack surface of critical
infrastructure networking equipment. Use access lists or firewall filters to
limit access to the router only from trusted, administrative networks or
hosts.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2014-0614: Kernel panic processing high rate of crafted IGMP packets
CVSS SCORE:
7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:
- ------------------------------------------------------------------------------
2014-04 Security Bulletin: Junos: Persistent Cross Site Scripting
vulnerability in J-Web (CVE-2014-2711)
Categories:
Junos
Router Products
Security Products
Switch Products
SIRT Advisory
Security Advisories ID: JSA10619
Last Updated: 09 Apr 2014
Version: 1.0
PRODUCT AFFECTED:
This issue can affect any product or platform running Junos OS.
PROBLEM:
A persistent cross site scripting vulnerability in J-Web may allow a remote
unauthenticated user to inject web script or HTML and steal sensitive data and
credentials from a J-Web session and to perform administrative actions on the
Junos device.
An attacker can inject web script or HTML even when J-Web is disabled, but the
vulnerability can only be exploited when J-Web is used to monitor the system.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2014-2711.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
- - All Junos OS software releases built on or after 2014-03-20, or
- - Junos OS 11.4R11, 11.4X27.62 (BBE), 12.1R9, 12.1X44-D35, 12.1X45-D25,
12.1X46-D20, 12.2R7, 12.3R6, 13.1R4, 13.2R3, 13.3R1, and all subsequent
releases (i.e. all releases built after 13.3R1).
Customers can confirm the build date of any Junos OS release by issuing the
command 'show version detail'.
This issue is being tracked as PR 940744 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Avoid using J-Web to monitor the system.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2014-2711: Persistent Cross Site Scripting vulnerability in J-Web
CVSS SCORE:
9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
RISK LEVEL:
Critical
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:
Juniper SIRT would like to acknowledge and thank Chuck McAuley for responsibly
reporting this vulnerability.
- ------------------------------------------------------------------------------
2014-04 Security Bulletin: Junos: Branch SRX Series vulnerable to denial of
service for new Dynamic VPN connections (CVE-2014-0612)
Categories:
Junos
SRX Series
SRX210
SRX240
SRX650
SRX100
SRX110
SRX220
SRX550
SIRT Advisory
Security Advisories ID: JSA10620
Last Updated: 09 Apr 2014
Version: 2.0
PRODUCT AFFECTED:
This issue can affect all SRX Branch Series services gateways: SRX 100, SRX
110, SRX 210, SRX 220, SRX 240, SRX 550, and SRX 650.
PROBLEM:
On Branch SRX Series service gateways, when Dynamic IPsec VPN is configured,
a remote unauthenticated user may cause a denial of service condition where
new Dynamic VPN connections may fail for other users. This issue may also
lead to high CPU consumption and disk usage which may cause other
complications.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2014-0612.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
- - All Junos OS software releases built on or after 2014-02-19, or
- - Junos OS 11.4R10-S1, 11.4R11, 12.1X44-D26, 12.1X44-D30, 12.1X45-D20,
12.1X46-D10, and all subsequent releases (i.e. all releases built after
12.1X46-D10).
Customers can confirm the build date of any Junos OS release by issuing the
command 'show version detail'.
This issue is being tracked as PR 934366 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Other than disabling Dynamic IPsec VPN, no viable workaround is known to exist
for this issue.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2014-0612: Branch SRX Series vulnerable to denial of service for new
Dynamic VPN connections
CVSS SCORE:
5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
RISK LEVEL:
Medium
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:
- ------------------------------------------------------------------------------
2014-04 Security Bulletin: Junos: Crafted IP packet can trigger PFE reboot on
MX Series and T4000 (CVE-2014-2713)
Categories:
Junos
MX-series
SIRT Advisory
Security Advisories ID: JSA10621
Last Updated: 10 Apr 2014
Version: 3.0
PRODUCT AFFECTED:
This issue can affect all MX Series and T4000 routers using either Trio or
Cassis-based PFEs.
PROBLEM:
2014-04-10 Update: Added T4000 and Type 5 FPCs (T4000-FPC5-3D) to advisory.
A crafted IP packet destined to an MX Series or T4000 router utilizing Trio
or Cassis-based PFE (Packet Forwarding Engine) modules can cause the PFE to
reboot. Affected modules include MPC1, MPC2, MPC3, and MPC4, integrated MPCs
(CHAS-MX*), as well as Type 5 FPCs on the T4000. For a complete list of Trio
and Cassis-based PFE modules, refer to KB25385.
Customers can display the various components in use via the 'show chassis
hardware' command.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2014-2713.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
- - All Junos OS software releases built on or after 2014-03-20, or
- - Junos OS 11.4R11, 12.1R9, 12.2R7, 12.3R4-S3, 12.3R5, 13.1R4, 13.2R2, and
13.3R1, and all subsequent releases (i.e. all releases built after 13.3R1).
Customers can confirm the build date of any Junos OS release by issuing the
command 'show version detail'.
This issue is being tracked as PR 904887 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
No known workaround exists for this issue.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
RELATED LINKS:
KB25385: A mapping between chipset type and PFE module
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2014-2713: Crafted IP packet can trigger PFE reboot on MX Series and T4000
CVSS SCORE:
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
RISK LEVEL:
Medium
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:
- ------------------------------------------------------------------------------
2014-04 Security Bulletin: Junos: SRX Series Enhanced Web Filtering flowd
crash while parsing URL (CVE-2014-2714)
Categories:
Junos
SRX Series
SIRT Advisory
Security Advisories ID: JSA10622
Last Updated: 09 Apr 2014
Version: 1.0
PRODUCT AFFECTED:
This issue can affect all SRX Series services gateways
PROBLEM:
An issue has been found on SRX Series services gateways when Enhanced Web
Filtering (EWF) is enabled. A certain type of URL can cause the flow daemon
(flowd) process to crash and restart. Repeated crashes of the flowd process
can represent a sustained denial of service condition for SRX Series devices.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue has been assigned CVE-2014-2714.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
- - All Junos OS software releases built on or after 2013-12-17, or
- - Junos OS 10.4R15, 11.4R9, 12.1R7, 12.1X44-D20, 12.1X45-D10, 12.1X46-D10,
and all subsequent releases (i.e. all releases built after 12.1X46-D10).
Customers can confirm the build date of any Junos OS release by issuing the
command 'show version detail'.
This issue is being tracked as PR 877830 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
WORKAROUND:
Disable the use of Enhanced Web Filtering if it is not needed.
IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2014-2714: SRX Series Enhanced Web Filtering flowd crash while parsing URL
CVSS SCORE:
7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
RISK LEVEL:
High
RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
ACKNOWLEDGEMENTS:
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU032JBLndAQH1ShLAQImsg//cJ+l+lCRkHcGTWCCYQLAVwW9TagMb/W1
T70LVd/2iHkzRwrbMNZn8EhCAAqqAIqC1JWthUXatnCmoKJ0lMe6QdFwqIrnWBjZ
lXrCyuWR26Y7HQZ/cHCr52IipL5P3+cny9mo+tSYiqU0EjJMbdQGYdC7QWyhC+FB
6oz2j9yW6W0hYmcDjp4px6EZYZcauysDCuk3s/xI1pJh29sDixqCHNHMQmWt9Ip7
ZKiVvo17usMEqLWzkVQVAVFqd84uT78CQIhWBqNU/HL5LOnVhmsJK9jkgX8i5W1y
gOsLblWt/kWTfZZ0qy530llKyaFNlxEIH9QfJkvueoFzFdh+jIuiEKuilLTdGsTu
601Ec9RnAmEWXHSBLwKxIIlCncQsu2iGeYiHP6pHG2hUdk/iRFu+Phl1tZ5FsRpK
XZH8WaWfJI/6PbtZmFoLUh97joLxWZcKOnpxnMfwWiLGCTmnNehmnXWhC1vvr46t
3RSa6bd/lvcm/Ig+Bmm870tB+ZQ0YaG7tj98onOW7rXiwT714Qplb+pbm34MtCO8
iPLGExc7vQSTNt2PZ6+IGnNIZ7LApHKe2o8Q1EPx0k3RQigWcKen2w30fJ2BWnkZ
EC8ypj3lmU7ybk+zdvOpWojAsmjIaZ6qcFh5bFwL4xEigmE9+snuo53zSuLK+l4i
dXzc3NEa2tw=
=o+dB
-----END PGP SIGNATURE-----