===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0988
          Multiple vulnerabilities have been identified in Junos
                               19 April 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise            -- Existing Account            
                   Increased Privileges       -- Existing Account            
                   Denial of Service          -- Remote/Unauthenticated      
                   Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1267 CVE-2016-1264 CVE-2016-1261

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10723
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10730
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10725

Comment: This bulletin contains three (3) Juniper Networks security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2016-04 Security Bulletin: Junos: Multiple vulnerabilities in J-Web
(CVE-2016-1261)

Security Advisories ID:		JSA10723
Last Updated:			13 Apr 2016
Version:			1.0

Product Affected:

This issue can affect any product or platform running Junos OS with J-Web
enabled.

Problem:

Multiple vulnerabilities exist in J-Web input handling that may lead to
cross-site request forgery (CSRF) issues or cause a denial of J-Web service
(DoS). The cross-site request forgery vulnerabilities may allow malicious
content on third party websites to launch unauthorized access and actions
against J-Web via an administrative user's browser.

These issues were found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

This set of issues has been assigned CVE-2016-1261.

Solution:

The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D55, 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D30,
13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R3, 15.1X49-D20,
and all subsequent releases.

These issues are being tracked as PRs 1085861, 1085470, 1085428, 1084495,
and 1082543, and are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:

Disable J-Web, or limit access to only trusted hosts which may not be
compromised by cross-site attacks. For example, deploy jump hosts with no
Internet access that use anti-scripting techniques to mitigate potential
threats. Alternately, use a dedicated client and dedicated Web browser
that is not used to access other sites.

Implementation:

How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Modification History:

2016-04-13: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2016-1261: Multiple vulnerabilities in J-Web

CVSS Score:
7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: Lazy race condition in RPC allows an
authenticated user to improperly elevate privileges (CVE-2016-1267)

Security Advisories ID:		JSA10730
Last Updated:			13 Apr 2016
Version:			1.0

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:
A lazy race condition in RPC allows an authenticated user to elevate
privileges to take ownership of any file on the device. This can allow
an attacker to read, delete, or modify any file on the system. If the
attacker modifies the files that control authentication operations, the
attacker can potentially gain root access.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1267.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20,
13.2R8, 13.2X51-D39, 13.2X51-D40, 13.3R7, 14.1R6, 14.1X53-D30, 14.2R3-S4,
14.2R4, 15.1F2, 15.1R2, 15.1X49-D20, 16.1R1, and all subsequent releases.

This issue is being tracked as PR 1078027 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:

Methods which may reduce the risk for exploitation of this problem, but
which do not resolve the underlying problem include:

    Disabling:
        any existing Junos OS Op scripts, or removing them from the
        environment.
        JUNOScript administration to the system.
        Netconf administration to the system.
        XNM services.
    Only allowing access to XNM and Netconf from trusted administrative
    networks and hosts.
    Only allowing trusted accounts access to execute Op scripts.
    Using administrative jump boxes with no internet access and employing
    anti-scripting techniques.
    In addition to the recommendations listed above, it is good security
    practice to limit the exploitable attack surface of critical
    infrastructure networking equipment. Use access lists or firewall
    filters to limit access to the devices as listed above.

Implementation:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.


Modification History:

2016-04-13: Initial publication

Related Links:

    KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories."

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

    CVE-2016-1267: Lazy race condition in RPC allows an authenticated user
    to improperly elevate privileges

CVSS Score:
6.7 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

-------------------------------------------------------------------------------

2016-04 Security Bulletin: Junos: A race condition in the Op script Op
URL option allows an authenticated remote attacker to fully compromise
the system (CVE-2016-1264)

Security Advisories ID:		JSA10725
Last Updated:			13 Apr 2016
Version:			1.0

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:

The Op script Op URL option can be used by an authenticated malicious
actor performing a series of steps to take advantage of a race condition
to ultimately compromise the system by multiple attack vectors.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this
vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1264.

Solution:
The following software releases have been updated to resolve this specific
issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20,
12.3X50-D50, 13.2R8, 13.2X51-D39, 13.2X51-D40, 13.2X52-D30, 13.3R7, 14.1R6,
14.1X53-D30, 14.2R4, 15.1F2, 15.1R2, 15.1X49-D10, 15.1X49-D20, 16.1R1 and
all subsequent releases.

This issue is being tracked as PR 1088339 and is visible on the Customer
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.
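
The three Solution lists in this bulletin differ per release train, so a device can be fixed for one CVE and still exposed to another. The following check is an added example, not Juniper or AusCERT code. It assumes that releases within a train are ordered by release number and then by service number, and it reports trains absent from a list as "unknown" rather than guessing (see KB16765 for those).

```python
import re

# Fixed releases copied from the three Solution sections of this bulletin.
FIXED = {
    "CVE-2016-1261": """12.1X44-D55 12.1X46-D45 12.1X47-D30 12.3R11 12.3X48-D30
        13.2X51-D40 13.3R8 14.1R6 14.1X53-D30 14.2R5 15.1R3 15.1X49-D20""",
    "CVE-2016-1267": """12.1X44-D55 12.1X46-D40 12.1X47-D25 12.3R11 12.3X48-D20
        13.2R8 13.2X51-D39 13.2X51-D40 13.3R7 14.1R6 14.1X53-D30 14.2R3-S4
        14.2R4 15.1F2 15.1R2 15.1X49-D20 16.1R1""",
    "CVE-2016-1264": """12.1X44-D55 12.1X46-D40 12.1X47-D25 12.3R11 12.3X48-D20
        12.3X50-D50 13.2R8 13.2X51-D39 13.2X51-D40 13.2X52-D30 13.3R7 14.1R6
        14.1X53-D30 14.2R4 15.1F2 15.1R2 15.1X49-D10 15.1X49-D20 16.1R1""",
}

# e.g. 12.3R11, 12.3R11.2, 14.2R3-S4, 15.1X49-D10.6 (trailing .N spin is ignored)
_VER = re.compile(r"^(\d+\.\d+)([A-Z])(\d+)(?:\.\d+)?(?:-([SD])(\d+)(?:\.\d+)?)?$")


def parse(version):
    """Split a Junos version into (train, rank) so ranks compare within a train."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    base, kind, num, _, sub = m.groups()
    if kind == "X":  # special train: 12.1X46-D45 -> train 12.1X46, rank D45
        return f"{base}X{num}", (int(sub or 0), 0)
    return f"{base}{kind}", (int(num), int(sub or 0))  # 14.2R3-S4 -> (3, 4)


def status(cve, version):
    """Return 'fixed', 'vulnerable', or 'unknown' (train not in the list)."""
    train, rank = parse(version)
    floors = [r for t, r in map(parse, FIXED[cve].split()) if t == train]
    if not floors:
        return "unknown"
    return "fixed" if rank >= min(floors) else "vulnerable"


def report(version):
    """Status of one running version against all three CVEs in this bulletin."""
    return {cve: status(cve, version) for cve in FIXED}


if __name__ == "__main__":
    for v in ("12.1X46-D40", "14.2R3-S4", "15.1X49-D10.6"):  # constructed inputs
        print(v, report(v))
```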

Workaround:
Entering the following set command will disable the Op URL option:

    set system scripts op no-allow-url

Additionally, disabling any existing Junos OS Op scripts that use the Op
URL option, or removing them from the environment, may reduce the risk of
exploitation of this problem, but does not resolve the underlying
problem.
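
The workarounds in the three advisories above can be checked against a saved configuration. The following audit is an added example, not Juniper or AusCERT code. It assumes the input is the output of "show configuration | display set", and the sample configuration and its host and script names are constructed.

```python
# (statement prefix, advisory, finding) for services the workarounds say to disable
CHECKS = [
    ("system services web-management", "JSA10723", "J-Web is enabled"),
    ("system services netconf", "JSA10730", "NETCONF is enabled"),
    ("system services xnm-", "JSA10730", "XNM service is enabled"),
    ("system scripts op file", "JSA10730", "op script is configured"),
]
NO_URL = "system scripts op no-allow-url"  # workaround statement from JSA10725

# Constructed sample: NETCONF is present but deactivated, J-Web is live.
SAMPLE = """\
set system host-name edge-1
set system services ssh
set system services web-management https system-generated-certificate
set system services netconf ssh
deactivate system services netconf
set system scripts op file audit.slax
"""


def audit(display_set):
    """Return [(advisory, finding)] for workarounds not applied in the config."""
    active, inactive = [], []
    for line in display_set.splitlines():
        verb, _, path = line.strip().partition(" ")
        if verb == "set":
            active.append(path)
        elif verb == "deactivate":
            inactive.append(path)
    # A deactivated hierarchy stays in the file but is not applied at commit.
    live = [p for p in active
            if not any(p == d or p.startswith(d + " ") for d in inactive)]
    findings = [(adv, text) for prefix, adv, text in CHECKS
                if any(p.startswith(prefix) for p in live)]
    if NO_URL not in live:
        findings.append(("JSA10725", "op URL option is not disabled"))
    return findings


if __name__ == "__main__":
    for advisory, finding in audit(SAMPLE):
        print(f"{advisory}: {finding}")
```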

Implementation:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available
Maintenance Release of each supported Junos version. In some cases,
a Maintenance Release is not planned to be available in an appropriate
time-frame. For these cases, Service Releases are made available in order
to be more timely. Security Advisory and Security Notices will indicate
which Maintenance and Service Releases contain fixes for the issues
described. Upon request to JTAC, customers will be provided download
instructions for a Service Release. Although Juniper does not provide
formal Release Note documentation for a Service Release, a list of "PRs
fixed" can be provided on request.

Modification History:

2016-04-13: Initial publication

Related Links:

    CVE-2016-1264: A race condition in op URL allows a remote attacker to
    gain control of the remote system

    KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories."

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

CVSS Score:
8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================