
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0107
         A number of vulnerabilities have been identified in Junos
                              15 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account      
                   Denial of Service               -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6386 CVE-2014-6385 CVE-2014-6384
                   CVE-2014-6383 CVE-2014-6382 CVE-2013-2877
                   CVE-2013-0338 CVE-2012-5134 CVE-2012-0841
                   CVE-2011-1944  

Reference:         ASB-2013.0083
                   ASB-2013.0057
                   ASB-2012.0164
                   ESB-2013.0994
                   ESB-2013.0136
                   ESB-2012.0201
                   ESB-2011.1208

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10665
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10666
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10667
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10668
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10669
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10670

Comment: This bulletin contains six (6) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2015-01 Security Bulletin: Junos: jpppd core when MX Series router receives 
crafted PAP Authenticate-Request (CVE-2014-6382)

Product Affected:

This issue can affect any MX Series broadband edge router running Junos OS 
13.3R3 or later.

Problem:

Using PPP authentication with a specially crafted PAP Authenticate-Request
may cause the Juniper PPP daemon (jpppd) to crash and restart. After the PPPoE
Discovery and LCP phases are successfully negotiated, receipt of the crafted
PAP Authenticate-Request crashes jpppd, and the broadband edge router sends no
response to the subscriber. jpppd continues to crash every time the subscriber
re-sends the PAP Authenticate-Request.

This issue only affects MX Series routers deployed as broadband edge (BBE) 
routers. Other configurations of MX Series routers that do not enable BBE 
functionality are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6382.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 13.3R6, 14.1R4, 14.1X50-D70, 14.2R2, and all subsequent 
releases.

This issue is being tracked as PR 1040665 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

If possible, discontinue the use of PAP authentication for PPP subscribers.

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2015-01-14: Initial publication.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2014-6382: jpppd core when MX Series router receives crafted PAP 
    Authenticate-Request

CVSS Score:

7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2015-01 Security Bulletin: Junos: Firewall filter fails to match on port 
(CVE-2014-6383)

Product Affected:

The issue only affects routers utilizing Trio-based PFE modules running Junos
OS 13.3R3, 14.1R1, and 14.1R2.

Problem:

When configuring a stateless firewall filter on a system with Trio-based PFE 
modules (e.g. MX Series), any source or destination port matching condition 
may fail to match intended packets, causing the filter to not execute the 
actions specified in the 'then' clause. Depending on the intent and design of
the interface filter, this match failure may have unexpected impact on the 
router or follow-on filter clauses. For example, if traffic with a specific 
destination port was designed to be accepted, a later "reject all" clause may
inadvertently discard wanted traffic. Conversely, if certain destination ports
are meant to be dropped, malicious traffic may be consumed by the RE or 
forwarded on to downstream routers.

This issue only affects routers running Junos OS 13.3R3, 14.1R1, and 14.1R2. 
Additionally, this issue only affects IPv4 traffic. IPv6 port matching filters
are unaffected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6383.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 13.3R3-S3, 13.3R4, 14.1R3, 14.2R1, and all subsequent 
releases.

This issue is being tracked as PR 1003494 and is visible on the Customer 
Support website.

Note: While the vulnerability does not impact versions of Junos prior to 
13.3R3, the actual code modified to resolve the issue existed in earlier 
releases. For this reason, the prsearch tool will report fixes in Junos OS 
12.3R8 and 13.2R6, even though the vulnerability was never exposed in these 
releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

No known workaround exists for this issue.

Modification History:

2015-01-14: Initial publication

Related Links:

    KB25385: A mapping between chipset type and PFE module

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2014-6383: Firewall filter fails to match on port

CVSS Score:

5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2015-01 Security Bulletin: Junos: Privilege escalation vulnerability 
(CVE-2014-6384)

Product Affected:

This issue can affect any product or platform running Junos OS 12.1 and later.

Problem:

Due to a problem with processing authorization attributes containing double 
quotes within the TACACS+ configuration, authenticated local users may be 
allowed to run commands that should be denied to them by policy. This 
represents a privilege escalation risk.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6384.

Solution:

The following software releases have been updated to resolve this specific 
issue: 12.1X44-D45*, 12.1X46-D25, 12.1X47-D15, 12.3R9, 13.1R4-S3, 13.2R6, 
13.3R5, 14.1R3, 14.2R1 and all subsequent releases.

This issue is being tracked as PR 989199 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

*12.1X44-D45 will be available on or after 2015-01-22.

Workaround:

Do not use double quotes in TACACS+ configuration for user authorization 
attributes.

Modification History:

2015-01-14: Initial publication.

2015-01-14: Corrected 12.1X44 release version number.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2014-6384: Privilege Escalation Vulnerability

CVSS Score:

6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2015-01 Security Bulletin: Junos: Fragmented OSPFv3 packets with IPsec AH may
trigger kernel crash (CVE-2014-6385)

Product Affected:

This issue can affect any product or platform running Junos OS with OSPFv3 
IPsec authentication enabled.

Problem:

When a specially crafted fragmented OSPFv3 packet containing an IPsec 
Authentication Header (AH) is received, it may trigger a kernel crash causing
the RE to restart. Repeated receipt of the crafted fragment can represent an 
extended denial of service for the router.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6385.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R13, 12.1X44-D45, 12.1X46-D30, 12.1X47-D15, 12.2R9, 
12.3R7-S1, 12.3R8, 13.1R5, 13.2R6, 13.3R4, 14.1R2, 14.2R1, and all subsequent
releases.

This issue is being tracked as PR 993022 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

Discontinue use of the IPsec Authentication Header (AH) option for OSPFv3.

Modification History:

2015-01-14: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2014-6385: Fragmented OSPFv3 packets with IPsec AH enabled triggers 
    kernel crash

CVSS Score:

5.7 (AV:A/AC:M/Au:N/C:N/I:N/A:C)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2015-01 Security Bulletin: Junos: Multiple vulnerabilities in libxml2 library

Product Affected:

This issue can affect any product or platform running Junos OS.

Problem:

Multiple vulnerabilities in Junos OS have been resolved by updating the 
libxml2 library. Libxml2 was upgraded from 2.7.6 to 2.9.1 which resolves the 
following vulnerabilities:

CVE            CVSS v2 base score                Summary
-------------  --------------------------------  ------------------------------------------------------------
CVE-2011-1944  9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)  Denial of service or arbitrary code execution vulnerability.
CVE-2012-5134  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)  Denial of service or arbitrary code execution vulnerability.
CVE-2012-0841  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  Denial of service vulnerability related to hash collisions.
CVE-2013-2877  5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)  Denial of service related to documents that end abruptly.
CVE-2013-0338  4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)  Denial of service vulnerability related to entity expansion.

These issues can be potentially exploited through Junos OS services that make
use of the libxml2 library such as CLI, J-Web, JUNOScript or NETCONF to cause
a denial of service or code execution with elevated privileges on the device.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R13, 12.1X44-D35, 12.1X44-D40, 12.1X45-D30, 12.1X46-D25, 
12.1X47-D10, 12.2R9, 12.3R7, 13.1R4-S2, 13.3R3, 14.1R2, 14.2R1 and all 
subsequent releases (i.e. all releases built after 11.4R13).

This issue is being tracked as PR 984070 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

Use access lists or firewall filters to limit access to the router only from 
trusted hosts or users.

Disabling J-WEB, JUNOScript, NETCONF and restricting Junos CLI access to 
trusted users can help in reducing risks associated with these issues.

Modification History:

2015-01-14: Initial publication.

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

CVSS Score:

9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Risk Level:

Critical

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2015-01 Security Bulletin: Junos: Malformed BGP FlowSpec prefix triggers rpd 
crash (CVE-2014-6386)

Product Affected:

This issue can affect any product or platform running Junos OS with BGP 
FlowSpec enabled.

Problem:

Receipt of a malformed BGP FlowSpec prefix may cause the router to trigger an
assert (programmatic crash) when detecting a certain specification violation.
Rather than simply flagging, logging, and/or dropping the packet, the routing
process daemon (rpd) will crash and restart.

This issue was found during negative protocol testing and has not been seen in
a production network.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-6386.

Solution:

The program assert has been replaced with standard BGP error handling logic, 
allowing rpd to continue to function upon receipt of the malformed BGP 
FlowSpec prefix.

The following software releases have been updated to resolve this specific 
issue: Junos OS 11.4R8, 12.1X44-D35, 12.1X45-D25, 12.1X46-D20, 12.1X47-D10, 
12.2R9, 12.3R2-S3, 12.3R3, 13.1R4, 13.2R1, and all subsequent releases.

This issue is being tracked as PR 878438 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

Only configure the FlowSpec NLRI to a known trusted BGP peer. Using MD5 
authentication is also a good security practice.

In addition to the recommendations listed above, it is good security practice
to limit the exploitable attack surface of critical infrastructure networking
equipment. Use access lists or firewall filters to limit access to the router
via FlowSpec only from trusted, administrative networks or hosts.

Modification History:

2015-01-14: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2014-6386: Malformed BGP FlowSpec prefix triggers rpd crash

CVSS Score:

7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

--------------------------END INCLUDED TEXT--------------------
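
Added example, not part of the Juniper advisories or the AusCERT bulletin: Python that checks a device inventory against the fixed releases listed in the six "Solution" sections above. The hostnames and versions in INVENTORY are constructed, and ordering releases within a train by R then S number (or by D number on X trains) is an assumption about what "all subsequent releases" means.

```python
import re

# Fixed releases copied from the six "Solution" sections of this bulletin.
FIXED = {
    "CVE-2014-6382": "13.3R6 14.1R4 14.1X50-D70 14.2R2",
    "CVE-2014-6383": "13.3R3-S3 13.3R4 14.1R3 14.2R1",
    "CVE-2014-6384": "12.1X44-D45 12.1X46-D25 12.1X47-D15 12.3R9 13.1R4-S3 "
                     "13.2R6 13.3R5 14.1R3 14.2R1",
    "CVE-2014-6385": "11.4R13 12.1X44-D45 12.1X46-D30 12.1X47-D15 12.2R9 "
                     "12.3R7-S1 12.3R8 13.1R5 13.2R6 13.3R4 14.1R2 14.2R1",
    "libxml2 (PR 984070)": "11.4R13 12.1X44-D35 12.1X44-D40 12.1X45-D30 "
                           "12.1X46-D25 12.1X47-D10 12.2R9 12.3R7 13.1R4-S2 "
                           "13.3R3 14.1R2 14.2R1",
    "CVE-2014-6386": "11.4R8 12.1X44-D35 12.1X45-D25 12.1X46-D20 12.1X47-D10 "
                     "12.2R9 12.3R2-S3 12.3R3 13.1R4 13.2R1",
}

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "mx-bbe-01": "13.3R5.9",
    "srx-edge-02": "12.1X44-D40.2",
    "core-03": "14.2R2",
    "lab-04": "12.3R7",
}

# Matches 13.3R6, 12.3R7-S1, 12.1X44-D45 and an optional ".build" suffix.
_VERSION = re.compile(
    r"^(\d+)\.(\d+)(?:R(\d+)(?:-S(\d+))?|X(\d+)(?:-D(\d+))?)(?:\.\d+)?$")


def parse(version):
    """Split a Junos version into (train, level) so levels compare per train."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, r, s, x, d = m.groups()
    if x is not None:
        # 12.1X44-D45: the X number names the train, the D number orders builds.
        return (int(major), int(minor), "X", int(x)), (int(d or 0), 0)
    # 12.3R7-S1: maintenance release number, then service release (0 if absent).
    return (int(major), int(minor), "R", 0), (int(r), int(s or 0))


def status(version, advisory):
    """Return 'has-fix', 'lacks-fix' or 'review' for one device and advisory.

    'lacks-fix' only means the release predates the listed fix; whether the
    device is exposed still depends on the conditions the advisory states
    (BBE role, OSPFv3 with IPsec AH, FlowSpec, TACACS+ attributes, ...).
    """
    train, level = parse(version)
    fixed = [parse(v) for v in FIXED[advisory].split()]
    same_train = [lvl for trn, lvl in fixed if trn == train]
    if same_train:
        return "has-fix" if level >= min(same_train) else "lacks-fix"
    newest_listed = max(trn[:2] for trn, _ in fixed)
    if train[2] == "R" and train[:2] > newest_listed:
        return "has-fix"      # a later R train: "all subsequent releases"
    return "review"           # train not listed: read the advisory itself


def triage(inventory):
    """Map hostname -> {advisory: status} for a {hostname: version} dict."""
    return {host: {adv: status(ver, adv) for adv in FIXED}
            for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        pending = [adv for adv, st in result.items() if st != "has-fix"]
        print(f"{host:12} {INVENTORY[host]:15} needs attention: {pending}")
```
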

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================