===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1800
            Multiple vulnerabilities in products running Junos
                              9 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Remote/Unauthenticated
                   Reduced Security    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6380 CVE-2014-6379 CVE-2014-6378
                   CVE-2014-5139 CVE-2014-3818 CVE-2014-3512
                   CVE-2014-3511 CVE-2014-3509

Reference:         ASB-2014.0096
                   ESB-2014.1796
                   ESB-2014.1646
                   ESB-2014.1550
                   ESB-2014.1335
                   ESB-2014.1334
                   ESB-2014.1467.2

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10649
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10652
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10653
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10654
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10655

Comment: This bulletin contains five (5) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2014-10 Security Bulletin: Junos: Multiple vulnerabilities in OpenSSL (OpenSSL Security Advisory 20140806)

Categories: Junos Router Products Security Products Switch Products SIRT Advisory Security Advisories ID: JSA10649
Last Updated: 08 Oct 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 13.3R1 or later.

PROBLEM:

The OpenSSL project released a security advisory on 2014-08-06 that contained nine security issues.
The following four issues affect Junos:

  * CVE-2014-5139: Crash with SRP ciphersuite in Server Hello message
  * CVE-2014-3509: Race condition in ssl_parse_serverhello_tlsext
  * CVE-2014-3511: OpenSSL TLS protocol downgrade attack
  * CVE-2014-3512: SRP buffer overrun

More information about each of these vulnerabilities may be found in the OpenSSL Security Advisory 20140806 under Related Links below.

SOLUTION:

The following software releases have been updated to resolve this specific issue: Junos OS 13.3R3-S2, 13.3R4, 14.1R2-S2, 14.2R1, and all subsequent releases.

While only Junos OS 13.3R1 and higher versions are vulnerable to the issues announced by OpenSSL on 2014-08-06, Juniper also upgraded OpenSSL to 0.9.8zb in Junos OS 13.2 and earlier releases. Updated releases specifically include: Junos OS 11.4R12-S4, 12.1X44-D45, 12.1X46-D30, 12.1X47-D15, 12.2R9, 12.2X50-D70, 12.3R8, 12.3R9, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30, 13.2R5-S1, 13.2X50-D20, 13.2X51-D30, and 13.2X52-D20.

This issue is being tracked as PR 1016458 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:

  * Disabling J-Web
  * Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
  * Limit access to J-Web and XNM-SSL from only trusted networks

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely.
Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

  * KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  * KB16765: In which releases are vulnerabilities fixed?
  * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  * Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  * OpenSSL Security Advisory 20140806

CVSS SCORE: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

RISK LEVEL: Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

----------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: Receipt of malformed RSVP packet may lead to denial of service (CVE-2014-6378)

Categories: Junos Router Products Security Products Switch Products SIRT Advisory Security Advisories ID: JSA10652
Last Updated: 08 Oct 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS with RSVP enabled.

PROBLEM:

Receipt of a crafted or malformed RSVP packet may cause the rpd (routing protocol daemon) to hang or crash. When rpd is unavailable, routing updates cannot be processed which can lead to an extended network outage.

This issue only occurs during processing of RSVP PATH messages. If RSVP is not enabled on an interface, then the issue cannot be triggered via that interface.

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6378.

SOLUTION:

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12-S4, 12.1X44-D35, 12.1X45-D30, 12.1X46-D25, 12.1X47-D10, 12.2R9, 12.2X50-D70, 12.3R7, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30, 13.2R5, 13.2X50-D20, 13.2X51-D26, 13.2X51-D30, 13.2X52-D15, 13.3R3, 14.1R1, and all subsequent releases.

This issue is being tracked via PRs 954509 and 954508 which are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Only enable RSVP on specific trusted interfaces as required for MPLS. Use access lists or firewall filters to limit access to the router via MPLS TE RSVP only from trusted nodes.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

  * KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  * KB16765: In which releases are vulnerabilities fixed?
  * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  * Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  * CVE-2014-6378: Receipt of malformed RSVP packet may lead to denial of service

CVSS SCORE: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL: High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

--------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: BGP UPDATE with crafted transitive attributes causes memory corruption and leads to RPD core (CVE-2014-3818)

Categories: Junos Router Products Security Products Switch Products SIRT Advisory Security Advisories ID: JSA10653
Last Updated: 08 Oct 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS 9.1 and later releases with BGP configured and enabled.

PROBLEM:

A BGP UPDATE containing a specifically crafted set of transitive attributes can cause corruption of memory ultimately leading to an RPD routing process crash and restart. The crash was only achieved through in-house routing protocol fuzz testing.

This issue only affects routers supporting 4-byte AS numbers, introduced starting with Junos OS 9.1. Additionally, the router is only vulnerable if the BGP peer does not support 4-byte AS numbers.

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3818.
SOLUTION:

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D40, 12.1X46-D30, 12.1X47-D11, 12.1X47-D15, 12.1X48-D41, 12.1X48-D62, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S2, 13.1X49-D49, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D25, 13.2X52-D15, 13.3R2, 14.1R1, and all subsequent releases.

This issue is being tracked as PR 953037 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

No known workaround exists for this issue.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

  * KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  * KB16765: In which releases are vulnerabilities fixed?
  * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  * Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  * CVE-2014-3818: BGP UPDATE with crafted transitive attributes causes memory corruption and leads to RPD core

CVSS SCORE: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL: High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

--------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: RADIUS accounting servers create additional entries in pam_radius.conf (CVE-2014-6379)

Categories: Junos Router Products Security Products Switch Products RADIUS SIRT Advisory Security Advisories ID: JSA10654
Last Updated: 08 Oct 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform running Junos OS configured for RADIUS authentication and accounting.

PROBLEM:

In Junos, when a RADIUS authentication server is configured under [system radius-server], an entry is created in /var/etc/pam_radius.conf. An issue was discovered where RADIUS accounting servers configured under [system accounting destination radius] are also propagated to pam_radius.conf. This can cause authentication requests to be sent to the RADIUS accounting server which may allow for unintended successful authentication.

If the same RADIUS server is used for both authentication and accounting (a common configuration), the issue is less severe since RADIUS authentication is sent to the intended server despite the duplicate entries. However, if the RADIUS authentication server is later removed from the configuration, the duplicate entry created by configuration of the RADIUS accounting server will remain in pam_radius.conf, also leading to possible unintended authentication success.

This issue was found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6379.

SOLUTION:

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S3, 13.1X49-D55, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D26, 13.2X51-D30, 13.2X52-D15, 13.3R2, 14.1R1, and all subsequent releases.

This issue is being tracked as PR 947307 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

No viable workaround exists for this issue. Manual edits to pam_radius.conf will be overwritten when the configuration is committed. Duplicate entries will, however, be cleaned up after upgrading to a fixed release.

IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

  * KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  * KB16765: In which releases are vulnerabilities fixed?
  * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  * Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  * CVE-2014-6379: RADIUS accounting servers create additional entries in pam_radius.conf

CVSS SCORE: 5.5 (AV:N/AC:L/Au:S/C:P/I:P/A:N)

RISK LEVEL: Medium

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

---------------------------------------------------------------------------

2014-10 Security Bulletin: Junos: Crafted fragmented packets can lead to FPCs resetting or going offline (CVE-2014-6380)

Categories: Junos Router Products Security Products Switch Products SIRT Advisory Security Advisories ID: JSA10655
Last Updated: 08 Oct 2014
Version: 1.0

PRODUCT AFFECTED:

This issue can affect any product or platform utilizing an em interface for communications, including M, T, MX, high-end SRX, EX, QFX and PTX Series.

PROBLEM:

Traffic between the RE and transit interfaces is carried over an internal network between the PFEs and REs. Some REs use em interfaces (usually, em0 and em1) to connect to this network. Receipt of a carefully crafted set of fragmented packets, destined to the router, can cause the em driver to become permanently blocked when trying to formulate a reply. This will cause the RE to be unable to communicate over the private network that connects the FPCs and REs, eventually causing all FPCs to go offline and stay offline. Systems with redundant REs will failover, but would then be subject to the same issue. For systems without modular FPCs (for example, MX80), the FPC will reboot and clear the em0 interface output queue. However, additional crafted fragments will cause the issue to reoccur.

This issue is applicable to IPv4, IPv6, and CLNP fragmentation and reassembly scenarios. Transit traffic does not trigger this issue.
Additionally, CLNP is only vulnerable if clns-routing or ESIS is explicitly configured.

This issue is specific to em interfaces. J Series and SRX Branch models do not have an em0 interface, and are therefore not affected by this issue.

In addition, some REs (e.g. K2RE based systems) may use an em driver for their "fxp0" interface. On such REs, reply traffic sent out the fxp0 interface may trigger the same condition on that interface. Refer to the "Supported Routing Engines by Router" link below for more information about internal Ethernet interface types for specific platforms.

Customers can confirm the presence of em interfaces by typing:

    % pciconf -l | grep em
    em0@pci3:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00
    em1@pci4:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00
    em2@pci5:0:0: class="0x020000" card=0x00901059 chip=0x10d38086 rev=0x00 hdr=0x00

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6380.

SOLUTION:

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R9, 12.1X44-D30, 12.1X45-D20, 12.1X46-D15, 12.1X47-D10, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4, 13.1X49-D55, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D15, 13.2X52-D15, 13.3R1, and all subsequent releases.

This issue is being tracked as PR 942437 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

WORKAROUND:

Today's network infrastructure typically will not have fragmented packets destined for the router's control or management plane.
In most cases, it is safe to apply packet filters which will prevent fragmented packets from arriving on the router. Usually, fragmented packets received by a router indicate a problem with the network or a DoS attack against the router. In either case, fragmented packets should be dropped to protect the router's control and management plane.

Below is a sample firewall filter to demonstrate this recommendation for IPv4 traffic:

    [edit firewall family inet filter fragment]
    user@junos# show
    term first-frag {
        from {
            first-fragment;
        }
        then {
            discard;
        }
    }
    term next-frag {
        from {
            is-fragment;
        }
        then {
            discard;
        }
    }

And for IPv6:

    [edit firewall family inet6 filter fragment6]
    user@junos# show
    term fragment-headers {
        from {
            next-header [ hop-by-hop dstopts routing fragment ah esp ];
        }
        then {
            discard;
        }
    }

Caution: Some routing protocols, such as BGP and OSPF, may rely upon fragmented traffic being received by the RE. In addition, proper operation of IPv6 multicast may require that the router accept some traffic with hop-by-hop headers. As with any control plane firewall filter, perform careful testing in your environment to ensure that dropping all fragmented traffic will not have a negative impact. If necessary, add explicit exceptions for fragmented BGP and/or OSPF traffic to the sample IPv4 firewall filter above, or add limited exceptions to the IPv6 firewall filter above to allow hop-by-hop headers for multicast control traffic (such as MLD).

Note that some platforms, most notably the EX Series, do not support the 'first-fragment' filter criterion. In these cases, simply discarding all fragments via 'is-fragment' will be sufficient. Additionally, the EX-8200 does not support either criterion, in which case the only option is to upgrade.

For CLNP, disabling CLNS routing and ESIS, which are disabled by default, will mitigate this issue.
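
The fragment matching that the sample IPv4 filter relies on, as an added example that is not part of the Juniper advisory: it parses IPv4 headers and reports which term (`first-frag` or `next-frag`) would act on each packet, so captured control-plane traffic can be checked before the filter is applied. It assumes `first-fragment` means "more fragments" set with a zero offset and `is-fragment` means a non-zero offset; the `allow-peer-frags` exception term, the addresses and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

MF_FLAG = 0x2000      # "more fragments" bit of the 16-bit flags/offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, counted in 8-byte units


def parse_ipv4(header: bytes) -> dict:
    """Pull out the IPv4 header fields that the sample filter matches on."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, flags_off, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", header[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ipaddress.IPv4Address(src),
        "proto": proto,
        "more_fragments": bool(flags_off & MF_FLAG),
        "offset": flags_off & OFFSET_MASK,
    }


def matching_term(header: bytes, trusted_peers=()):
    """Return the name of the term that would act on the packet, or None.

    Terms are evaluated in order, as in a Junos filter. 'allow-peer-frags'
    is a hypothetical exception term (not in the advisory) placed first.
    """
    pkt = parse_ipv4(header)
    fragmented = pkt["more_fragments"] or pkt["offset"] != 0
    if not fragmented:
        return None  # whole datagram: neither discard term matches
    # Exception keyed on source address only: trailing fragments carry no
    # TCP/UDP header, so a port-based match could not cover them.
    if any(pkt["src"] in ipaddress.ip_network(p) for p in trusted_peers):
        return "allow-peer-frags"
    if pkt["offset"] == 0:
        return "first-frag"   # 'first-fragment': MF set, offset zero
    return "next-frag"        # 'is-fragment': non-zero offset


def make_header(src, dst, proto, more_fragments, offset):
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    flags_off = (MF_FLAG if more_fragments else 0) | (offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_off, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


# Constructed sample traffic addressed to a router at 192.0.2.1.
SAMPLE = [
    make_header("198.51.100.7", "192.0.2.1", 6, False, 0),     # unfragmented TCP
    make_header("198.51.100.7", "192.0.2.1", 17, True, 0),     # first fragment
    make_header("198.51.100.7", "192.0.2.1", 17, True, 185),   # middle fragment
    make_header("198.51.100.7", "192.0.2.1", 17, False, 370),  # last fragment
    make_header("203.0.113.9", "192.0.2.1", 89, True, 0),      # OSPF neighbour, first
    make_header("203.0.113.9", "192.0.2.1", 89, False, 185),   # OSPF neighbour, last
]


def summarize(headers, trusted_peers=()):
    """Count how many packets each term would act on."""
    return Counter(matching_term(h, trusted_peers) for h in headers)


if __name__ == "__main__":
    print("filter as published:", dict(summarize(SAMPLE)))
    print("with peer exception:", dict(summarize(SAMPLE, ["203.0.113.9/32"])))
```

Packets that return `None` fall through to whatever terms follow in the filter; the sample in the advisory shows only the two discard terms.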
IMPLEMENTATION:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

RELATED LINKS:

  * KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  * KB16765: In which releases are vulnerabilities fixed?
  * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  * Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  * RFC6192: Protecting the Router Control Plane
  * Junos Reference: Supported Routing Engines by Router
  * CVE-2014-6380: Crafted fragmented packets can lead to FPCs resetting or going offline

CVSS SCORE: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

RISK LEVEL: High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

ACKNOWLEDGEMENTS:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.