===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1087
 NSM Web Server HTTP TRACE Method Enables Cross-Site Tracing Vulnerability
                               21 April 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper NSMXpress NSM3000 Appliance
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Unauthorised Access -- Remote with User Interaction
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10452

--------------------------BEGIN INCLUDED TEXT--------------------

NSM Web Server HTTP TRACE Method Enables Cross-Site Tracing Vulnerability

Categories:

    Management SW

    NSMXpress

    NSM3000

    SIRT

    SIRT Advisory

Security Advisories ID: JSA10452

Last Updated: 17 Apr 2015

Version: 4.0

Legacy Advisory Id:

PSN-2010-08-895

Product Affected:

    NSMXpress

    NSM3000

    NSM Appliance

Problem:

The web server in NSM supports the HTTP TRACE method. When the HTTP TRACE 
method is enabled, the web server echoes back all information sent to it by 
the client, typically for debugging or other diagnostic purposes.

An attacker who has created or inserted malicious instructions into a web page
can cause a web browser to send trace requests to an affected web server, thus
causing it to echo the web traffic back to the client system. The reflected 
traffic will include any authentication credentials that were transmitted in 
the forward traffic. The credentials can be recovered and exploited to gain 
unauthorized access to the affected system.

Disabling the HTTP TRACE method removes the vulnerability described above.

Solution:

This issue is fixed by "NSM Appliance Generic Offline Upgrade Package_v3 - 
CentOS 5.x" or "NSM Appliance Generic Online Upgrade Script_v3_CentOS5.x" 
(released Sep 30, 2014) or later.

These are available for download from 
https://www.juniper.net/support/downloads/?p=nsm#sw. A viable workaround can 
be applied with the instructions described in "KB 14959: How to disable the 
web server HTTP TRACE method on NSMXpress" and duplicated below.

This is a zero-day issue that affects all versions of all NSM products except
NSM Server. Note that NSM Server does not include the possibly-affected web 
server, and depends on the web server supplied and maintained separately on 
the customer's own host system. The web server in such systems may or may not
be affected. Customers using NSM Server are encouraged to investigate 
independently to determine if the web server has the HTTP TRACE method 
available and enabled, and take corrective action if necessary.

Workaround:

To disable the HTTP TRACE method:

    Login as admin and enter "sudo su - root" on the NSM system.

    Use "vi" to edit the /etc/httpd/conf/httpd.conf file.

    If it is not already present, then add the following line at the end of 
the file:

            TraceEnable off

    Restart the httpd process with "/etc/init.d/httpd restart" or reboot the 
device.

After the change has been made, any attempt to request HTTP TRACE should 
return a "403 Forbidden" error message, and text transmitted by the client 
browser should not be echoed back automatically by the web server.
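Added example, not from the Juniper advisory or the NSM appliance: a small POSIX shell script that checks whether the edited httpd.conf actually leaves TraceEnable off in effect (Apache honours the last directive and defaults to on when it is absent) and whether a captured TRACE response still echoes the request. All configuration and response text, including the host name nsm.example.invalid, is constructed.

```shell
#!/bin/sh
# Added example, not part of the Juniper advisory or the NSM appliance.
# Two checks for the workaround above: (1) does httpd.conf leave
# TraceEnable off in effect, and (2) does a captured TRACE response
# still echo the request? All config and response text is constructed.

# Constructed httpd.conf fragment, as left by the workaround.
SAMPLE_CONF='ServerRoot "/etc/httpd"
Listen 80
#TraceEnable on
TraceEnable off'

# Constructed TRACE probe responses, before and after the fix.
ECHOED_RESPONSE='HTTP/1.1 200 OK
Content-Type: message/http

TRACE / HTTP/1.1
Host: nsm.example.invalid
Cookie: JSESSIONID=constructed-session-value'

BLOCKED_RESPONSE='HTTP/1.1 403 Forbidden
Content-Type: text/html'

# trace_disabled CONF_TEXT: prints yes or no. Apache honours the last
# TraceEnable directive, matches it case-insensitively, ignores commented
# lines, and defaults to "on" when the directive is absent.
trace_disabled() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "traceenable" { last = tolower($2) }
        END { r = (last == "off") ? "yes" : "no"; print r }'
}

# trace_echoed RESPONSE_TEXT: prints yes if the reply carries the
# request back (message/http body or an echoed TRACE request line),
# which is the cross-site tracing condition; no otherwise.
trace_echoed() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^content-type: *message\/http/ { hit = 1 }
        /^TRACE / { hit = 1 }
        END { r = hit ? "yes" : "no"; print r }'
}

# A live response for the second check can be captured with, e.g.:
#   curl -sS -i -X TRACE -H "Cookie: probe=1" http://HOST/ > response.txt
echo "config disables TRACE:           $(trace_disabled "$SAMPLE_CONF")"
echo "pre-fix response echoes request: $(trace_echoed "$ECHOED_RESPONSE")"
echo "fixed response echoes request:   $(trace_echoed "$BLOCKED_RESPONSE")"
```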

Implementation:

NSM Maintenance Releases are available at http://support.juniper.net/ from the
"Download Software" links. If a Maintenance Release is not adequate and access
to NSM patches is needed, open a customer support case. A JTAC engineer will 
review your request and respond, ensuring that you will be provided with the 
most appropriate Patch Release for your specific situation.

Also please note, as stated above, that NSM Server does not include the 
possibly-affected web server. Investigating and correcting the web server in 
such a situation is the responsibility of the customer.

Modification History:

2010-11-08: Initial publication.

2015-04-17: Updated solution.

Related Links:

    How to disable the web server HTTP TRACE method on NSMXpress

    The Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

    Overview of the Juniper Networks SIRT Monthly Security Bulletin 
Publication Process

    How to Contact the Juniper Networks Security Incident Response Team 
(Juniper SIRT)

CVSS Score:

5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Risk Level:

Medium

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at "KB 16446 
Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================