===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2014.1150
Multiple vulnerabilities have been identified in Juniper Junos
11 July 2014

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise      -- Existing Account
                   Denial of Service    -- Remote/Unauthenticated
                   Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-3822 CVE-2014-3821 CVE-2014-3819
                   CVE-2014-3817 CVE-2014-3816 CVE-2014-3815

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10633
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10634
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10635
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10637
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10640
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10641

Comment: This bulletin contains six (6) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2014-07 Security Bulletin: Junos: Denial of Service vulnerability in flowd related to SIP ALG (CVE-2014-3815)

Security Advisories ID: JSA10633
Last Updated: 09 Jul 2014
Version: 1.0

Product Affected:
This issue affects SRX Series devices running Junos OS 12.1X46 prior to 12.1X46-D20

Problem:
On SRX Series devices, when SIP ALG is enabled, a certain crafted SIP packet may cause the flowd process to crash. Repeated crashes of the flowd process constitute an extended denial of service condition for the SRX Series device.

SIP ALG is enabled by default on SRX Series devices except for SRX-HE devices. SRX-HE devices have SIP ALG disabled by default.
The status of ALGs can be obtained by executing the 'show security alg status' CLI command.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3815.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D20, 12.1X47-D10, and all subsequent releases (i.e. all releases built after 12.1X47-D10).

This issue is being tracked as PR 964817 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Two available workarounds exist for this issue:

* Disable SIP ALG using the CLI command 'set security alg sip disable' if SIP ALG is not required
* Enable flow-based processing for IPv6 traffic using the CLI command 'set security forwarding-options family inet6 mode flow-based' (a device reboot is required)

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3815: Denial of Service vulnerability in flowd related to SIP ALG

CVSS Score: CVSS Base Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2014-07 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2014-3816)

Security Advisories ID: JSA10634
Last Updated: 09 Jul 2014
Version: 1.0

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:
Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device.

These issues were found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

No other Juniper Networks products or platforms are affected by these issues.

This set of issues has been assigned CVE-2014-3816.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12, 12.1R11, 12.1X44-D35, 12.1X45-D30, 12.1X46-D20, 12.1X47-D10, 12.2R8-S2, 12.3R7, 13.1R4-S2, 13.2R5, 13.3R2-S2, 14.1R1, and all subsequent releases (i.e. all releases built after 14.1R1).

These issues are being tracked as PRs 969408, 969365, 966808, 965762, 965758, 964860, 962834, 961449, 961397, and 928128, and are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?"
describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Use access lists or firewall filters to limit access to the router's CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3816: Multiple privilege escalation vulnerabilities in Junos CLI

CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:

-------------------------------------------------------------------------------

2014-07 Security Bulletin: Junos: SRX flowd denial of service vulnerability in NAT protocol translation (CVE-2014-3817)

Security Advisories ID: JSA10635
Last Updated: 09 Jul 2014
Version: 1.0

Product Affected:
This issue affects all SRX Series devices running Junos OS 11.4, 12.1X44, 12.1X45, or 12.1X46

Problem:
On SRX Series devices, when NAT protocol translation from IPv4 to IPv6 is enabled, a certain crafted packet may cause the flowd process to hang or crash. A hang or repeated crash of the flowd process constitutes an extended denial of service condition for SRX Series devices.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3817.

Solution:
The following software releases have been updated to resolve this specific issue: 11.4R12, 12.1X44-D32, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, and all subsequent releases (i.e. all releases built after 12.1X47-D10).

This issue is being tracked as PR 954437 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
If NAT protocol translation from IPv4 to IPv6 is not required, disabling the feature will completely mitigate this issue.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described.
Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3817: SRX flowd denial of service vulnerability related to NAT

CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2014-07 Security Bulletin: Junos: rpd core upon receipt of invalid PIM packet (CVE-2014-3819)

Security Advisories ID: JSA10637
Last Updated: 09 Jul 2014
Version: 1.0

Product Affected:
This issue can affect any product or platform running Junos OS with PIM enabled and Auto-RP configured.

Problem:
Receipt of a malformed PIM packet may cause the RPD routing process to crash and restart. All PIM routers that are configured to use Auto-RP for automatic distribution of group-to-RP mappings are impacted. If Auto-RP is not used in the network, there is no impact.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3819.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 12.2R8, 12.3R7, 13.1R4, 13.2R4, 13.3R2, 14.1R1, and all subsequent releases (i.e.
all releases built after 14.1R1).

This issue is being tracked as PR 947395 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
No known workaround exists for this issue.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3819: rpd core upon receipt of invalid PIM packet

CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:

-------------------------------------------------------------------------------

2014-07 Security Bulletin: Junos: XSS vulnerability in web authentication (webauth) (CVE-2014-3821)

Security Advisories ID: JSA10640
Last Updated: 10 Jul 2014
Version: 4.0

Product Affected:
This issue affects SRX Series devices running Junos OS 11.4, 12.1X44, 12.1X45, 12.1X46.

Problem:
A reflected cross site scripting (XSS) vulnerability in SRX Web Authentication (webauth) may allow the stealing of sensitive information or session credentials from firewall users. This issue affects the device only when Web Authentication is used for firewall user authentication.

SRX Series devices where Web Authentication is used for firewall user authentication will have a configuration similar to:

    user@SRX# show
    unit 0 {
        family inet {
            address 192.168.3.1/24;
            address 192.168.3.2/24 {
                web-authentication http;
            }
        }
    }

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue does not affect the WebAuth feature on ScreenOS devices.

This issue has been assigned CVE-2014-3821.

Solution:
The following Junos OS software releases have been updated to resolve this specific issue: 11.4R11, 12.1X44-D34, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, and all subsequent releases (i.e. all releases built after 12.1X47-D10).

This issue is being tracked as PR 907664 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
This issue can be mitigated through the use of Pass-Through Authentication, rather than Web Authentication, as an alternative form of firewall user authentication.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version.
In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3821: XSS vulnerability in web authentication (webauth)

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Risk Level: Low

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2014-07 Security Bulletin: Junos: Malformed packet can cause SRX denial of service when translating traffic from IPv6 to IPv4 (CVE-2014-3822)

Security Advisories ID: JSA10641
Last Updated: 09 Jul 2014
Version: 1.0

Product Affected:
This issue can affect any SRX Series devices running Junos 11.4, 12.1, 12.1X44, 12.1X45, 12.1X46.

Problem:
A denial of service (DoS) issue has been discovered in Juniper SRX Series products that can be exploited by remote unauthenticated attackers. This issue takes place when a certain malformed packet is translated from IPv6 to IPv4. When this malformed packet is sent to a vulnerable SRX Series device, the flowd process may crash.
The issue can be repeatedly exploited to create an extended denial of service condition.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3822.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 11.4R8, 12.1R5, 12.1X44-D20, 12.1X45-D15, 12.1X46-D10, 12.1X47-D10, and all subsequent releases (i.e. all releases built after 12.1X47-D10).

This issue is being tracked as PR 747680 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
If NAT protocol translation from IPv6 to IPv4 is not required, disabling the feature will completely mitigate this issue.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Related Links:
* KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
* KB16765: In which releases are vulnerabilities fixed?
* KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
* Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
* CVE-2014-3822: Malformed packet can cause SRX denial of service when translating traffic from IPv6 to IPv4

CVSS Score: 5.4 (AV:N/AC:H/Au:N/C:N/I:N/A:C)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
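
Added example, not part of the AusCERT bulletin or of Juniper's advisories: a version-only triage of a device inventory against the fixed releases listed in the six "Solution" paragraphs above. The hostnames and the sample inventory are constructed, and the parsing of release strings is an assumption of this example; a release is compared only within its own train, so trains an advisory does not name, and builds that fall between two listed fixes, are reported as unknown rather than guessed.

```python
import re

# Fixed releases, copied from the "Solution" paragraph of each advisory above.
FIXED = {
    "CVE-2014-3815": "12.1X46-D20 12.1X47-D10",
    "CVE-2014-3816": "11.4R12 12.1R11 12.1X44-D35 12.1X45-D30 12.1X46-D20 12.1X47-D10 "
                     "12.2R8-S2 12.3R7 13.1R4-S2 13.2R5 13.3R2-S2 14.1R1",
    "CVE-2014-3817": "11.4R12 12.1X44-D32 12.1X44-D35 12.1X45-D25 12.1X46-D20 12.1X47-D10",
    "CVE-2014-3819": "11.4R12 12.1R10 12.1X44-D35 12.1X45-D25 12.1X46-D20 12.1X47-D10 "
                     "12.2R8 12.3R7 13.1R4 13.2R4 13.3R2 14.1R1",
    "CVE-2014-3821": "11.4R11 12.1X44-D34 12.1X44-D35 12.1X45-D25 12.1X46-D20 12.1X47-D10",
    "CVE-2014-3822": "11.4R8 12.1R5 12.1X44-D20 12.1X45-D15 12.1X46-D10 12.1X47-D10",
}

# 12.3R7, 12.2R8-S2, 12.1X46-D20, each with an optional ".spin" suffix (ignored here).
_RELEASE = re.compile(r"^(\d+\.\d+)(?:R(\d+)|X(\d+)-D(\d+))(?:\.\d+)?(?:-S(\d+))?(?:\.\d+)?$")


def parse(release):
    """Return (train, (build, service)), e.g. ('12.1X46', (20, 0)), or None."""
    m = _RELEASE.match(release.strip())
    if m is None:
        return None
    base, r, x, d, s = m.groups()
    train = base + "R" if r else f"{base}X{x}"
    return train, (int(r or d), int(s or 0))


def status(release, cve):
    """'fixed', 'unpatched' or 'unknown' for one release against one CVE.

    'unpatched' is a version-only verdict: real exposure still depends on the
    platform and feature conditions each advisory gives under "Product Affected".
    """
    parsed = parse(release)
    if parsed is None:
        return "unknown"
    train, build = parsed
    listed = sorted(b for t, b in map(parse, FIXED[cve].split()) if t == train)
    if not listed:
        return "unknown"        # train not named in this advisory
    if build in listed or build >= listed[-1]:
        return "fixed"          # a listed fix, or a later build on the same train
    if build < listed[0]:
        return "unpatched"      # older than the first fixed build on the train
    return "unknown"            # between two listed fixes, e.g. 12.1X44-D33


def triage(inventory):
    """Map each host to the CVEs whose fix its release is not confirmed to carry."""
    report = {}
    for host, release in inventory.items():
        verdicts = {cve: status(release, cve) for cve in FIXED}
        report[host] = {c: s for c, s in verdicts.items() if s != "fixed"}
    return report


# Constructed sample inventory (hostnames and running releases are made up).
SAMPLE = {
    "srx-branch-1": "12.1X46-D15.3",
    "srx-dc-1": "12.1X44-D33",
    "mx-core-1": "12.2R8",
    "srx-lab-1": "12.1X47-D10",
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE).items():
        print(host, findings or "all listed fixes present")
```

An "unknown" verdict needs a manual check against the vendor advisory; the 12.2R8 host shows why service releases matter, since it carries the CVE-2014-3819 fix but predates 12.2R8-S2, the listed fix for CVE-2014-3816.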