15 October 2015

             AUSCERT External Security Bulletin Redistribution

        2015-10 Security Bulletin: Junos: FTPS through SRX opens up
           wide range of data channel TCP ports (CVE-2015-5361)
                              15 October 2015


        AusCERT Security Bulletin Summary

Product:           Juniper SRX Series
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-5361  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

2015-10 Security Bulletin: Junos: FTPS through SRX opens up wide range of data
channel TCP ports (CVE-2015-5361)




    SRX Series

    SIRT Advisory

Security Advisories ID: JSA10706

Last Updated: 14 Oct 2015

Version: 2.0

Product Affected:

This issue can affect all SRX Series services gateways with the FTPS 
Application Layer Gateway (ALG) enabled with the ftps-extensions option.

Problem:

For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted
control channel and open related sessions for the FTP data channel. These 
related sessions (gates) are specific to source and destination IPs and ports
of client and server.

The design intent of the ftps-extensions option (which is disabled by default)
is to provide similar functionality when the SRX secures the FTP/FTPS client.
As the control channel is encrypted, the FTP ALG cannot inspect the port 
specific information and will open a wider TCP data channel (gate) from client
IP to server IP on all destination TCP ports. In FTP/FTPS client environments
to an enterprise network or the Internet, this is the desired behavior as it 
allows firewall policy to be written to FTP/FTPS servers on well-known control
ports without using a policy with destination IP ANY and destination port ANY.


The ftps-extensions option is not intended or recommended where the SRX 
secures the FTPS server, as the wide data channel session (gate) will allow 
the FTPS client temporary access to all TCP ports on the FTPS server. The data
session is associated to the control channel and will be closed when the 
control channel session closes. Depending on the configuration of the FTPS 
server, supporting load-balancer, and SRX inactivity-timeout values, the 
server/load-balancer and SRX may keep the control channel open for an extended
period of time, allowing an FTPS client access for an equal duration.

Note that the ftps-extensions option is not enabled by default.

This issue is assigned CVE-2015-5361.


The overall behavior of the FTP ALG with the ftps-extensions option is 
intended behavior and will not change. The key component to this advisory is 
increasing user awareness of the wide TCP data channel (gate) creation, 
allowing creation of any new sessions from client to server, and potential 
implications where the SRX protects the FTPS server and the 
server/load-balancer allows the control channel to remain open for an extended

Investigation into this issue identified two related issues applicable to
environments where the SRX protects both FTPS clients and servers and uses FTP
and FTPS over the same TCP ports to different servers.

Due to recent changes in OpenSSL, the FTP ALG without the
ftps-extensions option may block FTPS commands over the FTP control channel.
This is client and server specific, and was observed with FTPS clients that 
use recent versions of OpenSSL. This may result in security administrators 
enabling the ftps-extensions option with the intent of allowing the commands 
to pass, but inadvertently allowing wide gate creation. This was observed in a
configuration with simultaneous FTPS client/server use, with use of the same 
ports for FTP and FTPS traffic.

The ftps-extensions option is not supported when the SRX performs a
destination NAT of the FTPS server, as the ALG cannot inspect the control
channel to modify the server's IP address signaled to the client. In an
environment of simultaneous FTP and FTPS server use with the ftps-extensions
option enabled, the gate is created but is generally unusable by the FTPS
client. However, an FTPS client with knowledge of the server's real IP address,
its NATd IP address, and routing reachability to the server's real IP address
may be able to use the wide gate to reach the FTPS server.

Solution:

The software releases listed below resolve these issues as follows:

The FTP ALG without the ftps-extensions option will allow FTPS related
commands to pass over the FTP control channel. As the ftps-extensions option is
not enabled, the wide TCP data channel is not created.

If the FTPS server is NATd by the SRX (destination or static NAT), the 
wide TCP data channel is not created.
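The gate behaviour described in the Problem section (a port-specific gate for
plain FTP versus a client-to-server gate on every TCP port with ftps-extensions)
and the fixed-release rule above (no wide gate when the server is NATd) can be
modelled as follows. This is an added illustration written for this bulletin,
not Juniper code; the Gate class, the function names, the IP addresses and the
PASV reply are constructed assumptions.

```python
"""Constructed model of FTP/FTPS ALG gate (pinhole) creation on an SRX.

Illustration for this bulletin only, not Juniper's implementation. The Gate
class, the helper names and all sample addresses are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as seen on a plain FTP control channel
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Gate:
    """A related-session pinhole. dst_port None means every destination TCP port."""
    src_ip: str
    dst_ip: str
    dst_port: Optional[int]

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (src_ip == self.src_ip and dst_ip == self.dst_ip
                and (self.dst_port is None or dst_port == self.dst_port))

    def is_wide(self) -> bool:
        return self.dst_port is None


def ftp_gate_from_pasv(client_ip: str, reply: str) -> Optional[Gate]:
    """Plain FTP: the ALG reads the 227 reply and opens a gate only to that port."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return Gate(client_ip, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def ftps_gate(client_ip: str, server_ip: str, ftps_extensions: bool,
              server_nated: bool) -> Optional[Gate]:
    """FTPS: the control channel is encrypted, so no port can be read.
    With ftps-extensions the ALG opens a wide gate to every TCP port on the
    server; fixed releases skip the gate when the server is destination/static NATd.
    Without ftps-extensions no data-channel gate is opened at all."""
    if not ftps_extensions or server_nated:
        return None
    return Gate(client_ip, server_ip, None)
```

Compare the two gates with the same client and server: the FTP gate admits only
the negotiated port, while the FTPS wide gate admits any port the client chooses
for as long as the control session stays open.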

The following software releases have been updated to resolve these specific 
issues: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D15, 
15.1X49-D10, and all subsequent releases.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue is being tracked as PR 1067419 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

Do not enable the 'ftps-extensions' option if FTPS is not needed. The 
'ftps-extensions' option is disabled by default.


How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2015-10-14: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security

    Report a Vulnerability - How to Contact the Juniper Networks Security 
    Incident Response Team

    CVE-2015-5361: FTPS through SRX opens up wide range of data channel TCP 

CVSS Score:

6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Risk Level:


Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB16446 "Common
Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.