Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2015.2600 Multiple vulnerabilities have been identified in Junos 15 October 2015 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Junos OS Publisher: Juniper Networks Operating System: Juniper Impact/Access: Root Compromise -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2015-7752 CVE-2015-7751 CVE-2014-6450 CVE-2014-6448 Original Bulletin: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10695 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10699 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10707 http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10708 Comment: This bulletin contains four (4) Juniper Networks security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- 2015-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Python on Junos (CVE-2014-6448) Categories: Junos Router Products M-series T-series MX-series Switch Products EX Series QFX Series SIRT Advisory Security Advisories ID: JSA10695 Last Updated: 14 Oct 2015 Version: 3.0 Product Affected: This issue can affect any product or platform running Junos OS releases 13.2, 13.2X51, 13.2X52 and 13.3. Problem: Multiple vulnerabilities in Python on Junos may allow an authenticated user with shell access on the Junos device to run arbitrary python code, bypassing system protections that prevent running untrusted code. This can potentially enable elevation of privileges to gain complete control of the device. These issues were found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities. No other Juniper Networks products or platforms are affected by this issue. These issues is assigned CVE-2014-6448. Solution: The following software releases have been updated to resolve these specific issues: Junos OS 13.2R5, 13.3R3 and all subsequent releases. These issues are being tracked as PR 971889, 971893, 971941, 972273, 968728, 968731 and are visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. Workaround: Use access lists or firewall filters to limit access to the devices CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators. Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. Modification History: 2015-10-14: Initial publication Related Links: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team CVE-2014-6448: Multiple privilege escalation vulnerabilities in Python on Junos CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Risk Level: High Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories" - ------------------------------------------------------------------------------- 2015-10 Security Bulletin: Junos: Crafted packets cause mbuf chain corruption which may result in kernel panic (CVE-2014-6450) Categories: Junos Router Products J-series M-series T-series MX-series Security Products Switch Products EX Series SRX Series Security Advisories ID: JSA10699 Last Updated: 14 Oct 2015 Version: 1.0 Product Affected: This issue can affect any product or platform running Junos OS with IPv6 enabled. Problem: Specially crafted IPv6 packets can trigger mbuf chain corruption, which may eventually lead to a kernel panic in Junos OS. Devices not configured for IPv6 are unaffected by this vulnerability. This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue is assigned CVE-2014-6450. Solution: The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12-S4, 11.4R13, 12.1X44-D41, 12.1X46-D26, 12.1X47-D11/D15, 12.2R9, 12.2X50-D70, 12.3R8, 12.3X48-D10, 12.3X50-D42, 13.1R4-S3, 13.1R5, 13.1X49-D42, 13.1X50-D30, 13.2R6, 13.2X51-D26, 13.2X52-D15, 13.3R3-S3, 13.3R4, 14.1R3, 14.2R1, 15.1R1, 15.1X49-D10 and all subsequent releases. This issue is being tracked as PR 1016371 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. Workaround: No known workaround exists for this issue. Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. Modification History: 2015-10-14: Initial publication Related Links: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team CVE-2014-6450: Crafted packet causes mbuf chain corruption which may result in kernel panic CVSS Score: 7.5 (CVSS:3.0:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Risk Level: High Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories" - ------------------------------------------------------------------------------- 2015-10 Security Bulletin: Junos: Corrupt pam.conf file allows unauthenticated root access (CVE-2015-7751) Categories: Junos Router Products J-series M-series T-series MX-series Security Products Switch Products EX Series SRX Series Security Advisories ID: JSA10707 Last Updated: 14 Oct 2015 Version: 1.0 Product Affected: This issue can affect any product or platform running Junos OS. Problem: When the pam.conf file is corrupted in certain ways, it may allow connection to the device as the root user with no password. This "fail-open" behavior allows an attacker who can specifically modify the file to gain full access to the device. Note that inadvertent manipulation of the pam.conf by an authorized administrator can also lead to unauthenticated root access to the device. Extreme care should be taken by administrators to avoid modifying pam.conf directly. While the standalone vulnerability may not be directly exploitable, this issue increases the severity of other attacks that may be chained together to launch a multi-stage advanced attack against the device. This issue is assigned CVE-2015-7751. Solution: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R9, 12.3X48-D15, 13.2R7, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X50-D105, 14.1X51-D70, 14.1X53-D25, 14.1X55-D20, 14.2R1, 15.1F2, 15.1R1, 15.1X49-D10, and all subsequent releases. This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue is being tracked as PR 965378 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. Workaround: Edit the filesystem flags on pam.conf to add 'sappend' (system append-only flag): % chflags sappend /var/etc/pam.conf This will ensure that the file cannot be truncated (cannot be written to at any point other than at the end of the file), protecting the integrity of the file from random or malicious corruption. Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. Modification History: 2015-10-14: Initial publication Related Links: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team CVE-2015-7751: Corrupt pam.conf file allows unauthenticated root access CVSS Score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) Risk Level: Medium Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories" - ------------------------------------------------------------------------------- 2015-10 Security Bulletin: Junos: SSH allows unauthenticated remote user to consume large amounts of resources (CVE-2015-7752) Categories: Junos Router Products J-series M-series T-series MX-series Security Products Switch Products EX Series SRX Series Security Advisories ID: JSA10708 Last Updated: 14 Oct 2015 Version: 1.0 Product Affected: This issue can affect any product or platform running Junos OS. Problem: The SSH server used in Junos allows an unauthenticated remote attacker to consume large amounts of CPU time prior to authentication, possibly leading to a partial Denial of Service attack. The attacker must be able to reach the device via SSH through any existing access lists or firewall filters, and the issue only occurs if SSH is enabled. This issue is assigned CVE-2015-7752. Solution: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R10, 12.3X48-D10, 13.2R8, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X53-D25, 14.2R3, 15.1R1, 15.1X49-D20, and all subsequent releases. This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue is being tracked as PR 1058906 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies. Workaround: Use access lists or firewall filters to limit access to the device via SSH only from trusted hosts. Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request. Modification History: 2015-10-14: Initial publication Related Links: KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process KB16765: In which releases are vulnerabilities fixed? KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team CVE-2015-7752: SSH allows unauthenticated remote user to consume large amounts of resources CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) Risk Level: Medium Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories" - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVh8vO36ZAP0PgtI9AQJ4fBAAmobXeJ2Or3OAbWpsiTZaREdnKlE2Xwws m6A4wIc5x25YKKRck5yem9DGJegaEKKksbHFE0fpU3zILi7iZpDRkQgJ4TlYtMpI gTJAw/lZ9PlRXoS/BORFxt5IOlb4KkOCM5kxhNyNnTLIqTeKjyUCTjll+EdFesXE n1jDIwgKhNHhxG1j0TBwNOrhmLd2QEV1c0HNLNI+WqDE/0fwyzV4M372qGNrrVK1 rsPw85Ljig4k94YtKVto4Q12mhexqNzGMiWf3WfilZeqgZZyIVZ2HM89+wLiHkQx exuc0+iQOaqj0W0572UyxSy4njZ/Ky6vrylGFD8WtxTy9Dpcq2pJse8uG9y7Kt+W ucOIXbU8Q6irJqTchshy28CB4nXHe98cV6syZfl6nn6A3S0AS26I/lKpRtk/j68j MsCUgdCQj1Ux4PCD+N4RVF5L1CZFH6ltTf9h56L4xQFlddDkwIjjmU1CpWID15/1 jXZ/knm0eoQWh3ktHN2zXVysAu/IzDejbKrcTN5pP0LIFZinWDAs6z4jeNnQalPY Qvvq5ucaUdJO2a8gV6B+NuPMI7RBcTbKuz0p5xtwhgkwyqheNap/lMeAeAI8aFVp 9P9a+hNin5uStBwzdDMdDZGcVaOkuhzn/BH01wR5vrGeDtWKPq/fd0ksIoN/EuUw H2Gx23/S960= =RzQr -----END PGP SIGNATURE-----