Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.2600
Multiple vulnerabilities have been identified in Junos
15 October 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Junos OS
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Root Compromise -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2015-7752 CVE-2015-7751 CVE-2014-6450
CVE-2014-6448
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10695
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10699
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10707
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10708
Comment: This bulletin contains four (4) Juniper Networks security
advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
2015-10 Security Bulletin: Junos: Multiple privilege escalation
vulnerabilities in Python on Junos (CVE-2014-6448)
Categories:
Junos
Router Products
M-series
T-series
MX-series
Switch Products
EX Series
QFX Series
SIRT Advisory
Security Advisories ID: JSA10695
Last Updated: 14 Oct 2015
Version: 3.0
Product Affected:
This issue can affect any product or platform running Junos OS releases 13.2,
13.2X51, 13.2X52 and 13.3.
Problem:
Multiple vulnerabilities in Python on Junos may allow an authenticated user
with shell access on the Junos device to run arbitrary python code, bypassing
system protections that prevent running untrusted code. This can potentially
enable elevation of privileges to gain complete control of the device.
These issues were found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.
No other Juniper Networks products or platforms are affected by this issue.
These issues is assigned CVE-2014-6448.
Solution:
The following software releases have been updated to resolve these specific
issues: Junos OS 13.2R5, 13.3R3 and all subsequent releases.
These issues are being tracked as PR 971889, 971893, 971941, 972273, 968728,
968731 and are visible on the Customer Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
Workaround:
Use access lists or firewall filters to limit access to the devices CLI only
from trusted hosts.
Restrict access to the CLI to only highly trusted administrators.
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
Modification History:
2015-10-14: Initial publication
Related Links:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2014-6448: Multiple privilege escalation vulnerabilities in Python on
Junos
CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High
Risk Assessment: Information for how Juniper Networks uses CVSS can be found
at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories"
- -------------------------------------------------------------------------------
2015-10 Security Bulletin: Junos: Crafted packets cause mbuf chain corruption
which may result in kernel panic (CVE-2014-6450)
Categories:
Junos
Router Products
J-series
M-series
T-series
MX-series
Security Products
Switch Products
EX Series
SRX Series
Security Advisories ID: JSA10699
Last Updated: 14 Oct 2015
Version: 1.0
Product Affected:
This issue can affect any product or platform running Junos OS with IPv6
enabled.
Problem:
Specially crafted IPv6 packets can trigger mbuf chain corruption, which may
eventually lead to a kernel panic in Junos OS. Devices not configured for IPv6
are unaffected by this vulnerability.
This issue was found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue is assigned CVE-2014-6450.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 11.4R12-S4, 11.4R13, 12.1X44-D41, 12.1X46-D26,
12.1X47-D11/D15, 12.2R9, 12.2X50-D70, 12.3R8, 12.3X48-D10, 12.3X50-D42,
13.1R4-S3, 13.1R5, 13.1X49-D42, 13.1X50-D30, 13.2R6, 13.2X51-D26, 13.2X52-D15,
13.3R3-S3, 13.3R4, 14.1R3, 14.2R1, 15.1R1, 15.1X49-D10 and all subsequent
releases.
This issue is being tracked as PR 1016371 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
Workaround:
No known workaround exists for this issue.
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
Modification History:
2015-10-14: Initial publication
Related Links:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2014-6450: Crafted packet causes mbuf chain corruption which may
result in kernel panic
CVSS Score: 7.5 (CVSS:3.0:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High
Risk Assessment: Information for how Juniper Networks uses CVSS can be found
at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories"
- -------------------------------------------------------------------------------
2015-10 Security Bulletin: Junos: Corrupt pam.conf file allows unauthenticated
root access (CVE-2015-7751)
Categories:
Junos
Router Products
J-series
M-series
T-series
MX-series
Security Products
Switch Products
EX Series
SRX Series
Security Advisories ID: JSA10707
Last Updated: 14 Oct 2015
Version: 1.0
Product Affected:
This issue can affect any product or platform running Junos OS.
Problem:
When the pam.conf file is corrupted in certain ways, it may allow connection
to the device as the root user with no password. This "fail-open" behavior
allows an attacker who can specifically modify the file to gain full access to
the device.
Note that inadvertent manipulation of the pam.conf by an authorized
administrator can also lead to unauthenticated root access to the device.
Extreme care should be taken by administrators to avoid modifying pam.conf
directly.
While the standalone vulnerability may not be directly exploitable, this issue
increases the severity of other attacks that may be chained together to launch
a multi-stage advanced attack against the device.
This issue is assigned CVE-2015-7751.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R9, 12.3X48-D15,
13.2R7, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X50-D105, 14.1X51-D70, 14.1X53-D25,
14.1X55-D20, 14.2R1, 15.1F2, 15.1R1, 15.1X49-D10, and all subsequent releases.
This issue was found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue is being tracked as PR 965378 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
Workaround:
Edit the filesystem flags on pam.conf to add 'sappend' (system append-only
flag):
% chflags sappend /var/etc/pam.conf
This will ensure that the file cannot be truncated (cannot be written to at
any point other than at the end of the file), protecting the integrity of the
file from random or malicious corruption.
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
Modification History:
2015-10-14: Initial publication
Related Links:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2015-7751: Corrupt pam.conf file allows unauthenticated root access
CVSS Score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Risk Level: Medium
Risk Assessment: Information for how Juniper Networks uses CVSS can be found
at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories"
- -------------------------------------------------------------------------------
2015-10 Security Bulletin: Junos: SSH allows unauthenticated remote user to
consume large amounts of resources (CVE-2015-7752)
Categories:
Junos
Router Products
J-series
M-series
T-series
MX-series
Security Products
Switch Products
EX Series
SRX Series
Security Advisories ID: JSA10708
Last Updated: 14 Oct 2015
Version: 1.0
Product Affected:
This issue can affect any product or platform running Junos OS.
Problem:
The SSH server used in Junos allows an unauthenticated remote attacker to
consume large amounts of CPU time prior to authentication, possibly leading to
a partial Denial of Service attack. The attacker must be able to reach the
device via SSH through any existing access lists or firewall filters, and the
issue only occurs if SSH is enabled.
This issue is assigned CVE-2015-7752.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R10, 12.3X48-D10,
13.2R8, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X53-D25, 14.2R3, 15.1R1, 15.1X49-D20,
and all subsequent releases.
This issue was found during internal product security testing.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue is being tracked as PR 1058906 and is visible on the Customer
Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
Workaround:
Use access lists or firewall filters to limit access to the device via SSH
only from trusted hosts.
Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
Modification History:
2015-10-14: Initial publication
Related Links:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2015-7752: SSH allows unauthenticated remote user to consume large
amounts of resources
CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Risk Level: Medium
Risk Assessment: Information for how Juniper Networks uses CVSS can be found
at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories"
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVh8vO36ZAP0PgtI9AQJ4fBAAmobXeJ2Or3OAbWpsiTZaREdnKlE2Xwws
m6A4wIc5x25YKKRck5yem9DGJegaEKKksbHFE0fpU3zILi7iZpDRkQgJ4TlYtMpI
gTJAw/lZ9PlRXoS/BORFxt5IOlb4KkOCM5kxhNyNnTLIqTeKjyUCTjll+EdFesXE
n1jDIwgKhNHhxG1j0TBwNOrhmLd2QEV1c0HNLNI+WqDE/0fwyzV4M372qGNrrVK1
rsPw85Ljig4k94YtKVto4Q12mhexqNzGMiWf3WfilZeqgZZyIVZ2HM89+wLiHkQx
exuc0+iQOaqj0W0572UyxSy4njZ/Ky6vrylGFD8WtxTy9Dpcq2pJse8uG9y7Kt+W
ucOIXbU8Q6irJqTchshy28CB4nXHe98cV6syZfl6nn6A3S0AS26I/lKpRtk/j68j
MsCUgdCQj1Ux4PCD+N4RVF5L1CZFH6ltTf9h56L4xQFlddDkwIjjmU1CpWID15/1
jXZ/knm0eoQWh3ktHN2zXVysAu/IzDejbKrcTN5pP0LIFZinWDAs6z4jeNnQalPY
Qvvq5ucaUdJO2a8gV6B+NuPMI7RBcTbKuz0p5xtwhgkwyqheNap/lMeAeAI8aFVp
9P9a+hNin5uStBwzdDMdDZGcVaOkuhzn/BH01wR5vrGeDtWKPq/fd0ksIoN/EuUw
H2Gx23/S960=
=RzQr
-----END PGP SIGNATURE-----