-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
2015-10 Security Bulletin: Junos: FTPS through SRX opens up
wide range of data channel TCP ports (CVE-2015-5361)
15 October 2015
AusCERT Security Bulletin Summary
Product: Juniper SRX Series
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Reduced Security -- Remote/Unauthenticated
CVE Names: CVE-2015-5361
- --------------------------BEGIN INCLUDED TEXT--------------------
2015-10 Security Bulletin: Junos: FTPS through SRX opens up wide range of data
channel TCP ports (CVE-2015-5361)
Security Advisories ID: JSA10706
Last Updated: 14 Oct 2015
This issue can affect all SRX Series services gateways with the FTPS
Application Layer Gateway (ALG) enabled with the ftps-extensions option.
For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted
control channel and open related sessions for the FTP data channel. These
related sessions (gates) are specific to source and destination IPs and ports
of client and server.
The design intent of the ftps-extensions option (which is disabled by default)
is to provide similar functionality when the SRX secures the FTP/FTPS client.
As the control channel is encrypted, the FTP ALG cannot inspect the port
specific information and will open a wider TCP data channel (gate) from client
IP to server IP on all destination TCP ports. In FTP/FTPS client environments
to an enterprise network or the Internet, this is the desired behavior as it
allows firewall policy to be written to FTP/FTPS servers on well-known control
ports without using a policy with destination IP ANY and destination port ANY.
The ftps-extensions option is not intended or recommended where the SRX
secures the FTPS server, as the wide data channel session (gate) will allow
the FTPS client temporary access to all TCP ports on the FTPS server. The data
session is associated to the control channel and will be closed when the
control channel session closes. Depending on the configuration of the FTPS
server, supporting load-balancer, and SRX inactivity-timeout values, the
server/load-balancer and SRX may keep the control channel open for an extended
period of time, allowing an FTPS client access for an equal duration.
Note that the ftps-extensions option is not enabled by default.
This issue is assigned CVE-2015-5361.
The overall behavior of the FTP ALG with the ftps-extensions option is
intended behavior and will not change. The key component to this advisory is
increasing user awareness of the wide TCP data channel (gate) creation,
allowing creation of any new sessions from client to server, and potential
implications where the SRX protects the FTPS server and the
server/load-balancer allows the control channel to remain open for an extended
Investigation into the issue identified two issues applicable to environments
where the SRX protects both FTPS clients and servers, as well as uses FTP and
FTPS over the same TCP ports to different servers.
Due to the recent changes of OpenSSL, the FTP ALG without the
ftps-extensions option may block FTPS commands over the FTP control channel.
This is client and server specific, and was observed with FTPS clients that
use recent versions of OpenSSL. This may result in security administrators
enabling the ftps-extensions option with the intent of allowing the commands
to pass, but inadvertently allowing wide gate creation. This was observed in a
configuration with simultaneous FTPS client/server use, with use of the same
ports for FTP and FTPS traffic.
The ftps-extension option is not supported when the SRX performs a
destination NAT of the FTPS server, as the ALG cannot inspect the control
channel to modify the servers IP address signaled to the client. In an
environment of simultaneous FTP and FTPS server use with the ftps-extensions
option enabled, the gate is created but is generally unusable by the FTPS
client. However, an FTPS client with knowledge of the servers real IP address,
its NATd IP address, and routing reachability to the servers real IP address
may be able to use the wide gate to reach the FTPS server.
The software releases listed below resolves these issues as follows:
The FTP ALG without the ftps-extensions option will allow FTPS related
commands to pass over the FTP control channel. As the ftps-extension option is
not enabled, the wide TCP data channel is not created.
If the FTPS server is NATd by the SRX (destination or static NAT), the
wide TCP data channel is not created.
The following software releases have been updated to resolve these specific
issues: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D15,
15.1X49-D10, and all subsequent releases.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
No other Juniper Networks products or platforms are affected by this issue.
This issue is being tracked as PR 1067419 and is visible on the Customer
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
Do not enable the 'ftps-extensions' option if FTPS is not needed. The
'ftps-extensions' option is disabled by default.
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
2015-10-14: Initial publication
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Report a Vulnerability - How to Contact the Juniper Networks Security
Incident Response Team
CVE-2015-5361: FTPS through SRX opens up wide range of data channel TCP
Information for how Juniper Networks uses CVSS can be found at KB16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----