-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0957
        Multiple vulnerabilities have been identified in Juniper Junos
                               14 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                 -- Existing Account
                   Access Privileged Data          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1271 CVE-2016-1270 CVE-2016-1269 CVE-2016-0778
                   CVE-2016-0777 CVE-2015-3153 CVE-2015-3148 CVE-2015-3145
                   CVE-2015-3144 CVE-2015-3143 CVE-2014-8151 CVE-2014-8150
                   CVE-2014-3707 CVE-2014-3620 CVE-2014-3613 CVE-2014-0015
Reference:         ASB-2016.0004 ASB-2015.0103 ASB-2015.0070 ASB-2015.0009
                   ESB-2014.2094 ESB-2014.1559 ESB-2014.0129

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10734
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10736
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10737
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10739
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10743

Comment: This bulletin contains five (5) Juniper Networks security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

2016-04 Security Bulletin: Junos: OpenSSH Client Information Leak and Buffer
Overflow in roaming support (CVE-2016-0777, CVE-2016-0778)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
            Security Products, Switch Products, EX Series, SRX Series,
            Security Advisories

ID:           JSA10734
Last Updated: 13 Apr 2016
Version:      1.0

Product Affected:
These issues can affect any product or platform running Junos OS.

Problem:
CVE-2016-0777 and CVE-2016-0778 were released by Qualys and cross-announced by
OpenSSH on 2016-01-14. A brief summary of the issue from the announcement
follows; full details are available at:

  https://www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt

  "Since version 5.4 (released on March 8, 2010), the OpenSSH client supports
  an undocumented feature called roaming: if the connection to an SSH server
  breaks unexpectedly, and if the server supports roaming as well, the client
  is able to reconnect to the server and resume the suspended SSH session.
  Although roaming is not supported by the OpenSSH server, it is enabled by
  default in the OpenSSH client, and contains two vulnerabilities that can be
  exploited by a malicious SSH server (or a trusted but compromised server):
  an information leak (memory disclosure), and a buffer overflow (heap-based)."

The attack vector leading to potential compromise in these scenarios is a
session initiated from a Junos OS device, using its SSH client, to an external
SSH server. The Junos SSH server is not the exposed component.

No ScreenOS products or platforms are affected by these issues.

Juniper continues to investigate other products and services. As
investigations are completed this JSA will be updated.

These issues have been assigned CVE-2016-0777 and CVE-2016-0778.

Solution:
The following software releases have been updated to resolve these specific
issues with the SSH client: Junos OS 12.1X46-D45, 12.1X47-D35, 12.3R12,
12.3X48-D30, 13.3R9, 14.1R7, 14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, and all
subsequent releases.

These issues are being tracked and are visible on the Customer Support website
under PR 1154016.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.

Workaround:
It is good security practice to connect only to known, trusted SSH servers
from critical infrastructure networking equipment. Use outgoing access lists or
egress firewall filters to limit access from sensitive network devices to only
trusted, administrative networks or hosts.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisories and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-04-13: Initial publication

Related Links:
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  KB16765: In which releases are vulnerabilities fixed?
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVE-2016-0777: Information Leak
CVE-2016-0778: Buffer Overflow

CVSS Score: 5.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

- -------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: Manipulating TCP timestamps can lead to
resource exhaustion denial of service (CVE-2016-1269)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
            Security Products, Switch Products, EX Series, SRX Series,
            Security Advisories

ID:           JSA10736
Last Updated: 13 Apr 2016
Version:      1.0

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:
By manipulating TCP timestamps within a TCP session to a reachable listening
port, it may be possible for an attacker to trigger a persistent buffer/socket
resource exhaustion denial of service (DoS) attack. Normally, a networked
device will time out a session after a number of unsuccessful retransmission
events, occurring at increasing intervals. However, in this case, a crafted
sequence of TCP packets will cause the device not to retransmit, allowing the
attacker to create sockets that will be long-lived without the need to
maintain state on them.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1269.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D60, 12.1X46-D40, 12.1X47-D30, 12.3R11, 12.3X48-D20,
13.2R9, 13.2X51-D39, 13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R4-S1,
14.2R5, 15.1R2, 15.1X49-D30, 16.1R1, and all subsequent releases.

This issue is being tracked as PR 1073571 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.

Workaround:
Use access lists or firewall filters to limit access to the router via TCP
only from trusted hosts.

In addition to the recommendations listed above, it is good security practice
to limit the exploitable attack surface of critical infrastructure networking
equipment. Use access lists or firewall filters to limit all administrative
access to the router only from trusted, administrative networks or hosts.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisories and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-04-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVE-2016-1269: Manipulating TCP timestamps can lead to resource exhaustion
               denial of service

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

- -------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: RPD cores on receiving a crafted L2VPN
family BGP update (CVE-2016-1270)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
            Security Products, Switch Products, EX Series, SRX Series,
            Security Advisories

ID:           JSA10737
Last Updated: 13 Apr 2016
Version:      1.0

Product Affected:
This issue can affect any product or platform running Junos OS with family BGP
based L2VPN and/or VPLS configured.

Problem:
Upon receipt of a specially crafted BGP 'family l2vpn' UPDATE message, the
Junos OS rpd daemon will crash and restart. Receipt of a constant stream of
these crafted updates could lead to an extended denial of service.

This issue only affects BGP based L2VPN and VPLS configurations. No other
configurations are affected. The issue is not applicable to BGP Route
Reflectors (RR).

Note that this issue can only be triggered from inside a customer's network.
MPLS labels are not usually exchanged outside the protected network, and are
usually only received from a PE or RR in the same network.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1270.
Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D60, 12.1X46-D45, 12.1X47-D30, 12.3R9, 12.3X48-D20,
13.2R7, 13.2X51-D40, 13.3R6, 14.1R4, 14.2R2, 14.2R3, and all subsequent
releases.

This issue is being tracked as PR 1041189 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.

Workaround:
While no single workaround is effective in all cases, the risk associated with
this issue can be mitigated by applying access lists or firewall filters to
limit access to the router's BGP port from trusted peers only.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisories and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-04-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVE-2016-1270: RPD cores on receiving a crafted update from an L2VPN peer

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

- -------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: Multiple privilege escalation
vulnerabilities in Junos CLI (CVE-2016-1271)

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
            Security Products, Switch Products, EX Series, SRX Series,
            Security Advisories

ID:           JSA10739
Last Updated: 13 Apr 2016
Version:      1.0

Product Affected:
These issues can affect any product or platform running Junos OS.

Problem:
Certain combinations of Junos OS CLI commands and arguments have been found to
be exploitable in a way that can allow root access to the operating system.
This may allow any user with permissions to run these CLI commands the ability
to achieve elevated privileges and gain complete control of the device.

These issues were found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

No other Juniper Networks products or platforms are affected by these issues.

This set of issues has been assigned CVE-2016-1271.

Solution:
The following software releases have been updated to resolve these specific
issues: Junos OS 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D25, 13.2R8,
13.3R7, 14.1R6, 14.2R4, 15.1R1, 15.1F2, 15.1X49-D15, and all subsequent
releases.

These issues are being tracked as PRs 973106, 442580, 980411, 1019669,
1069867, and 1069873, and are visible on the Customer Support website.
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.

Workaround:
Use access lists or firewall filters to limit access to the router's CLI only
from trusted hosts. Restrict access to the CLI to only highly trusted
administrators.

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisories and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-04-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVE-2016-1271: Multiple privilege escalation vulnerabilities in Junos CLI

CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:

- -------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: Multiple vulnerabilities in cURL and libcurl

Categories: Junos, Router Products, J-series, M-series, T-series, MX-series,
            Security Products, Switch Products, EX Series, SRX Series,
            Security Advisories

ID:           JSA10743
Last Updated: 13 Apr 2016
Version:      1.0

Product Affected:
These issues can affect any product or platform running Junos OS.

Problem:
Multiple vulnerabilities in Junos OS have been resolved by updating the cURL
tool and the libcurl library. These are used to support downloading updates or
importing data into a Junos device. libcurl and cURL were upgraded from 7.36.0
to 7.42.1, which resolves the following vulnerabilities (scores are CVSS v2
base scores):

CVE-2015-3144   9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
    The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does
    not properly calculate an index, which allows remote attackers to cause a
    denial of service (out-of-bounds read or write and crash) or possibly have
    other unspecified impact via a zero-length host name, as demonstrated by
    "http://:80" and ":80."

CVE-2015-3145   7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
    The sanitize_cookie_path function in cURL and libcurl 7.31.0 through
    7.41.0 does not properly calculate an index, which allows remote attackers
    to cause a denial of service (out-of-bounds write and crash) or possibly
    have other unspecified impact via a cookie path containing only a
    double-quote character.

CVE-2014-8151   5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
    The darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in
    libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka
    SecureTransport) back-end for TLS, does not check if a cached TLS session
    validated the certificate when reusing the session, which allows
    man-in-the-middle attackers to spoof servers via a crafted certificate.

CVE-2014-3613   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    cURL and libcurl before 7.38.0 do not properly handle IP addresses in
    cookie domain names, which allows remote attackers to set cookies for or
    send arbitrary cookies to certain sites, as demonstrated by a site at
    192.168.0.1 setting cookies for a site at 127.168.0.1.

CVE-2014-3620   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same
    Origin Policy and set cookies for arbitrary sites by setting a cookie for
    a top-level domain.

CVE-2015-3143   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM
    connections, which allows remote attackers to connect as other users via
    an unauthenticated request, a similar issue to CVE-2014-0015.

CVE-2015-3148   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
    cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use
    authenticated Negotiate connections, which allows remote attackers to
    connect as other users via a request.

CVE-2015-3153   5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
    The default configuration for cURL and libcurl before 7.42.1 sends custom
    HTTP headers to both the proxy and destination server, which might allow
    remote proxy servers to obtain sensitive information by reading the header
    contents.

CVE-2014-3707   4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
    The curl_easy_duphandle function in libcurl 7.17.1 through 7.38.0, when
    running with the CURLOPT_COPYPOSTFIELDS option, does not properly copy
    HTTP POST data for an easy handle, which triggers an out-of-bounds read
    that allows remote web servers to read sensitive memory information.

CVE-2014-8150   4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    CRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0,
    when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP
    headers and conduct HTTP response splitting attacks via CRLF sequences in
    a URL.

CVE-2014-0015   4.0 (AV:N/AC:H/Au:N/C:P/I:P/A:N)
    cURL and libcurl 7.10.6 through 7.34.0, when more than one authentication
    method is enabled, re-use NTLM connections, which might allow
    context-dependent attackers to authenticate as other users via a request.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

Solution:
The following software releases have been updated to resolve these specific
issues: 12.1X46-D50 (pending release), 12.1X47-D40 (pending release), 12.3R11,
12.3X48-D30 (to be released by end of April, 2016), 13.2R9, 13.2X51-D39,
13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R2, 15.1X49-D40,
15.1X53-D35, and all subsequent releases.

These issues are tracked as PR 1068204 and are visible on the Customer
Support website.

Workaround:
Avoid using untrusted URLs to fetch updates or to import data into a Junos
device. Note that several of the listed issues (CVE-2014-8151, CVE-2014-8150,
CVE-2015-3153) involve a hostile or intercepting proxy or server rather than
the URL itself, so a trusted URL alone does not remove the exposure on an
untrusted network path.

Implementation:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisories and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-04-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team

CVSS Score: 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
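Each of the five advisories above answers "am I affected?" with a list of fixed releases "and all subsequent releases", spread across several Junos trains (12.1X46, 12.3R, 15.1F, 15.1X49, ...). Comparing a running version against those lists by hand is error-prone, because a release is only "subsequent" within its own train (12.3R12 says nothing about 13.2R9) and because service releases such as 14.2R4-S1 sit between maintenance releases. The script below is an added example, not Juniper's or AusCERT's code: it parses Junos version strings and reports, per advisory, whether the running release is at or above the lowest fixed release in its train. The fixed-release lists are copied from the Solution sections above; the version-string grammar (major.minor, R/F/X type, -Dnn build for X trains, optional -Snn service release, optional trailing ".nn" build id) and the "compare within the train" rule are assumptions about Junos numbering, and a train the advisory does not list is reported as "unknown-train" rather than guessed.

```python
"""Check a running Junos OS release against the fixed-release lists of
JSA10734, JSA10736, JSA10737, JSA10739 and JSA10743.

Added example, not Juniper's or AusCERT's code. Version-string layout and the
within-train comparison rule are assumptions about Junos numbering.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Fixed releases exactly as listed in each advisory's Solution section
# (release qualifiers such as "pending release" dropped).
FIXED: Dict[str, List[str]] = {
    "JSA10734": [  # CVE-2016-0777 / CVE-2016-0778, OpenSSH client roaming
        "12.1X46-D45", "12.1X47-D35", "12.3R12", "12.3X48-D30", "13.3R9",
        "14.1R7", "14.2R6", "15.1F5", "15.1R3", "15.1X49-D40"],
    "JSA10736": [  # CVE-2016-1269, TCP timestamp resource exhaustion
        "12.1X44-D60", "12.1X46-D40", "12.1X47-D30", "12.3R11", "12.3X48-D20",
        "13.2R9", "13.2X51-D39", "13.2X51-D40", "13.3R8", "14.1R6",
        "14.1X53-D30", "14.2R4-S1", "14.2R5", "15.1R2", "15.1X49-D30", "16.1R1"],
    "JSA10737": [  # CVE-2016-1270, rpd crash on crafted L2VPN BGP UPDATE
        "12.1X44-D60", "12.1X46-D45", "12.1X47-D30", "12.3R9", "12.3X48-D20",
        "13.2R7", "13.2X51-D40", "13.3R6", "14.1R4", "14.2R2", "14.2R3"],
    "JSA10739": [  # CVE-2016-1271, CLI privilege escalation to root
        "12.1X46-D45", "12.1X47-D30", "12.3R11", "12.3X48-D25", "13.2R8",
        "13.3R7", "14.1R6", "14.2R4", "15.1R1", "15.1F2", "15.1X49-D15"],
    "JSA10743": [  # cURL / libcurl 7.36.0 -> 7.42.1
        "12.1X46-D50", "12.1X47-D40", "12.3R11", "12.3X48-D30", "13.2R9",
        "13.2X51-D39", "13.2X51-D40", "13.3R8", "14.1R6", "14.1X53-D30",
        "14.2R5", "15.1R2", "15.1X49-D40", "15.1X53-D35"],
}

# Assumed grammar: major.minor, release type letter, release/train number,
# optional -Dnn (X trains), optional -Snn service release, optional ".nn"
# build id as printed by "show version" (ignored for comparison).
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)([A-Z])(\d+)(?:-D(\d+))?(?:-S(\d+))?(?:\.\d+)?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    kind: str     # 'R', 'F', 'X', ...
    number: int   # Rn/Fn release number, or Xnn train number
    build: int    # -Dnn for X trains, 0 otherwise
    service: int  # -Snn service release, 0 if none

    @property
    def train(self) -> Tuple:
        # 12.1X46 and 12.1X47 are separate trains; 12.3R9 and 12.3R12 share one.
        if self.kind == "X":
            return (self.major, self.minor, "X", self.number)
        return (self.major, self.minor, self.kind)

    @property
    def level(self) -> Tuple[int, int]:
        # Ordering inside a train: D-build then S-release for X trains,
        # R/F number then S-release otherwise.
        if self.kind == "X":
            return (self.build, self.service)
        return (self.number, self.service)


def parse_version(text: str) -> JunosVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, kind, number, build, service = m.groups()
    return JunosVersion(int(major), int(minor), kind, int(number),
                        int(build or 0), int(service or 0))


def status(running: str, fixed: List[str]) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown-train' when the advisory
    lists nothing in the running version's train (consult KB16765 / JTAC)."""
    cur = parse_version(running)
    same = [f for f in map(parse_version, fixed) if f.train == cur.train]
    if not same:
        return "unknown-train"
    # "and all subsequent releases": at or above the lowest fixed release
    # of the train counts as fixed; anything below it does not.
    return "fixed" if cur.level >= min(f.level for f in same) else "vulnerable"


def check_all(running: str) -> Dict[str, str]:
    """Status of one running release against every advisory in the bulletin."""
    return {jsa: status(running, fixed) for jsa, fixed in FIXED.items()}


if __name__ == "__main__":
    import sys
    # Constructed sample; pass the output of "show version" as argv[1].
    ver = sys.argv[1] if len(sys.argv) > 1 else "12.3R11"
    for jsa, result in check_all(ver).items():
        print(f"{ver:14} {result:14} {jsa}")
```

Run as `python3 junos_check.py 14.2R4-S1`. For 12.3R11 the script reports JSA10736, JSA10737, JSA10739 and JSA10743 as fixed but JSA10734 as vulnerable, because the OpenSSH client fix first appears in 12.3R12. "unknown-train" is deliberately not treated as either outcome: an advisory that omits a train may mean the train was already end-of-engineering, not that it is safe.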
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVw77MH6ZAP0PgtI9AQKiTRAA0xH0l1A4efZjyIl2MX9dlrm0a5ziX2ja
5kL1WFfE2Yr5D2I6uWdDvjT2z+qnEyHeQScasu5FXCAHnlAzPIO0NAo52pKM8RVz
S9RKwiwkeeLQkND6iNzRQSc3AA3By4nftYYu6qanTD0guTiQwRTOq6jhoGHTenny
gbFfyBGrR9HhWjitFjEr6T1+SHLQ7AO2rLA26rtyoMTJN+mP7VwxgqDpt6ttzcQz
JHpzaFdtzTlD0LekPtSqfEsPmOv1iAKminyMvh4jbCx45kYMDDwmkaCsBR4B/vWy
hM8gfjyK4p+MpcSGQXpPVHmxXNhwSnzlwxDz1mur4i481eC84Ev0g5prysFXy/6l
XfNgcDRzeb0NAlPls+KfamnHAJc9aJStK4VqX0GdCwqhBzG9uOzlGXL3Sj1SbbbY
IV498/b3FbXu14pUcaJEcDQV7QlH/IeK1J1naklcXqoXlZ+qJo28x/v3ZpWoakck
SI+vAnU+pTZKdT+V4bOt+zKwrzzEMn4jcHo+Yy1lyuGwrrDWeCvXrPSsJtlxLBfL
OWtW8WHCpRdiHuL2diRN94ZtwTuE9SnD6a638K3WgcUG3yI3oUsqo0hQ/F+HUsJe
0ErKs2hYzB4sCvjF0xvo2cIOANPFmRVIpSIlcxPq3LP8oueOQzSnaeykIRYxTPDR
hUaIZdiIcDk=
=MUPZ
-----END PGP SIGNATURE-----