===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1087
   NSM Web Server HTTP TRACE Method Enables Cross-Site Tracing Vulnerability
                               21 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper NSMXpress NSM3000 Appliance
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Unauthorised Access -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10452

--------------------------BEGIN INCLUDED TEXT--------------------

NSM Web Server HTTP TRACE Method Enables Cross-Site Tracing Vulnerability

Categories:         Management SW, NSMXpress, NSM3000, SIRT, SIRT Advisory, Security Advisories
ID:                 JSA10452
Last Updated:       17 Apr 2015
Version:            4.0
Legacy Advisory Id: PSN-2010-08-895
Product Affected:   NSMXpress, NSM3000, NSM Appliance

Problem:

The web server in NSM supports the HTTP TRACE method. When the HTTP TRACE method is enabled, the web server echoes back all information sent to it by the client, typically for debugging or other diagnostic purposes. An attacker who has created or inserted malicious instructions into a web page can cause a web browser to send TRACE requests to an affected web server, thus causing it to echo the web traffic back to the client system. The reflected traffic will include any authentication credentials that were transmitted in the forward traffic. The credentials can be recovered and exploited to gain unauthorized access to the affected system.

Disabling the HTTP TRACE method removes the vulnerability described above.

Solution:

This issue is fixed by "NSM Appliance Generic Offline Upgrade Package_v3 - CentOS 5.x" or "NSM Appliance Generic Online Upgrade Script_v3_CentOS5.x" (released Sep 30, 2014) or later.
These are available for download from https://www.juniper.net/support/downloads/?p=nsm#sw.

A viable workaround can be applied with the instructions described in "KB 14959: How to disable the web server HTTP TRACE method on NSMXpress" and duplicated below.

This is a zero-day issue that affects all versions of all NSM products except NSM Server. Note that NSM Server does not include the possibly affected web server; it depends on the web server supplied and maintained separately on the customer's own host system. The web server in such systems may or may not be affected. Customers using NSM Server are encouraged to investigate independently to determine whether the web server has the HTTP TRACE method available and enabled, and to take corrective action if necessary.

Workaround:

To disable the HTTP TRACE method:

1. Log in as admin and enter "sudo su - root" on the NSM system.
2. Use "vi" to edit the /etc/httpd/conf/httpd.conf file.
3. If it is not already present, add the following line at the end of the file:

      TraceEnable off

4. Restart the httpd process with "/etc/init.d/httpd restart" or reboot the device.

After the change has been made, any attempt to request HTTP TRACE should return a "403 Forbidden" error message, and text transmitted by the client browser should no longer be echoed back by the web server.

Implementation:

NSM Maintenance Releases are available at http://support.juniper.net/ from the "Download Software" links. If a Maintenance Release is not adequate and access to NSM patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you are provided with the most appropriate Patch Release for your specific situation.

Also please note, as stated above, that NSM Server does not include the possibly affected web server. Investigating and correcting the web server in such a situation is the responsibility of the customer.

Modification History:

2010-11-08: Initial publication.
2015-04-17: Updated solution.

Related Links:
  - How to disable the web server HTTP TRACE method on NSMXpress
  - The Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  - Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  - How to Contact the Juniper Networks Security Incident Response Team (Juniper SIRT)

CVSS Score:      5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Risk Level:      Medium
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at "KB 16446 Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
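The bulletin's workaround ends with a verification step: after "TraceEnable off" a TRACE request should return 403 and nothing the browser sent should come back. The following is an added example of that post-change check, written for this page and not part of the Juniper or AusCERT bulletin; the X-Trace-Probe header name and the nsm.example.invalid placeholder host are assumptions made here.

```python
"""HTTP TRACE check. Added example, not from the Juniper/AusCERT bulletin; the
marker header name and the placeholder host are assumptions made here."""
import http.client
import ssl
import sys
import uuid

MARKER_HEADER = "X-Trace-Probe"   # assumed name; any header the server would never set itself
SENSITIVE = ("authorization", "cookie", "proxy-authorization")

def classify_trace(status, body, marker):
    """403 (what TraceEnable off yields) or 405 -> disabled; our marker echoed -> enabled."""
    if status in (403, 405):
        return "disabled"
    if status == 200 and marker in body:
        return "enabled"
    return "unknown"          # e.g. a 200 that does not echo the request: inspect by hand

def echoed_sensitive_headers(body):
    """Credential-bearing header names reflected in an echoed request (why TRACE leaks)."""
    found = []
    for line in body.splitlines():
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE:
            found.append(name.strip())
    return found

def probe_trace(host, port=443, verify_tls=True, timeout=10.0):
    """Send one TRACE request carrying a random marker and classify the answer."""
    marker = uuid.uuid4().hex
    ctx = ssl.create_default_context()
    if not verify_tls:        # appliances often present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("TRACE", "/", headers={MARKER_HEADER: marker})
        resp = conn.getresponse()
        body = resp.read(65536).decode("latin-1", "replace")
    finally:
        conn.close()
    return classify_trace(resp.status, body, marker)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "nsm.example.invalid"   # placeholder
    verdict = probe_trace(target, verify_tls=False)
    print(f"{target}: HTTP TRACE is {verdict}")
    sys.exit(1 if verdict == "enabled" else 0)
```

Run it against the NSM appliance's management address after applying the workaround; a non-zero exit code means the server still echoed the request and the httpd.conf change did not take effect.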