-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1736
  Multiple vulnerabilities have been identified in Juniper SRX Series devices
                               14 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper SRX Series devices
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1278 CVE-2016-1276

Original Bulletin:
   http://kb.juniper.net/index?page=content&id=JSA10751
   http://kb.juniper.net/index?page=content&id=JSA10753

Comment: This bulletin contains two (2) Juniper Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to
in-transit traffic may trigger high CP (central point) utilization leading to
denial of services. (CVE-2016-1276)

Security Advisories ID: JSA10751
Last Updated:           13 Jul 2016
Version:                4.0

Product Affected:
  This issue affects both standalone or cluster mode configurations with
  different denial of service permutations on High-End SRX-Series chassis.

Problem:
  When High-End SRX-Series chassis have policies with one or more ALGs
  (application layer gateways) enabled, which are applied to in-transit
  traffic, this may trigger a number of failure conditions which could cause
  various types of denials of service to traffic in-transit. Continued
  in-transit traffic matching ALG rules can create a sustained denial of
  service.

  This issue affects both standalone or cluster mode configurations with
  different denial of service permutations.
  Standalone:
    In standalone HE chassis deployments, existing sessions continue to
    function normally, but high CP utilization may prevent new sessions from
    being established.

  Cluster:
    In cluster HE chassis deployments, the fab link between chassis may be
    unable to sustain communication, causing the backup node to go
    ineligible due to fab link failure. High CP utilization may also prevent
    new sessions from being established. The primary chassis processing LACP
    communication may lose LACP links, triggering failover conditions which
    could create sustained flip-flop failovers between the two chassis,
    including possible line card reboots, leading to long-term denial of
    service.

  This issue only affects devices when ALGs are enabled and traffic
  conditions match and trigger an ALG. See KB25546 for the ALG list.

  Juniper SIRT is not aware of any malicious exploitation of this
  vulnerability.

  No other Juniper Networks products or platforms are affected by this issue.

  This issue has been assigned CVE-2016-1276.

Solution:
  The following software releases have been updated to resolve this specific
  issue: Junos OS 12.1X46-D50, 12.1X47-D23, 12.1X47-D35, 12.3X48-D25,
  15.1X49-D40 and subsequent releases.

  This issue is being tracked as PR 1150971 and is visible on the Customer
  Support website.

  KB16765 - "In which releases are vulnerabilities fixed?" describes which
  release vulnerabilities are fixed as per our End of Engineering and End of
  Life support policies.

Workaround:
  The following workarounds may be used to mitigate, reduce or resolve the
  risk of the problem occurring:

  - Disabling all ALGs will mitigate the issue until an upgrade can be
    performed on the chassis.

  - Breaking cluster nodes, if present, and operating standalone High-End
    SRX-Series Service Gateways in parallel, while distributing traffic
    equally between both standalone devices, may reduce high CP utilization
    on each chassis and may mitigate the risk of line card reboots.
Implementation:
  How to obtain fixed software:

  Security vulnerabilities in Junos are fixed in the next available
  Maintenance Release of each supported Junos version. In some cases, a
  Maintenance Release is not planned to be available in an appropriate
  time-frame. For these cases, Service Releases are made available in order
  to be more timely. Security Advisories and Security Notices will indicate
  which Maintenance and Service Releases contain fixes for the issues
  described. Upon request to JTAC, customers will be provided download
  instructions for a Service Release. Although Juniper does not provide
  formal Release Note documentation for a Service Release, a list of "PRs
  fixed" can be provided on request.

Modification History:
  2016-07-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team
  CVE-2016-1276: Junos OS: On High-End SRX-Series, ALGs applied to in-transit
           traffic may trigger high CP (central point) utilization leading to
           denial of services.
  KB16446: [SRX/J-series] Default status of ALGs

CVSS Score:
  7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
  High

Risk Assessment:
  Information for how Juniper Networks uses CVSS can be found at KB 16446
  "Common Vulnerability Scoring System (CVSS) and Juniper's Security
  Advisories."
Acknowledgements:

- ---

2016-07 Security Bulletin: SRX Series: Upgrades using 'partition' option may
allow unauthenticated root login (CVE-2016-1278)

Security Advisories ID: JSA10753
Last Updated:           13 Jul 2016
Version:                1.0

Product Affected:
  This issue only affects SRX Series devices running Junos OS 12.1X46.

Problem:
  Using the 'request system software' command with the 'partition' option on
  an SRX Series device upgrading to Junos OS 12.1X46 can leave the system in
  a state where root CLI login is allowed without a password, because the
  system reverts to a "safe mode" authentication triggered by the failed
  upgrade. Additionally, valid authentication credentials fail to work due
  to the same issue; only root with no password will work.

  This issue only affects SRX Series devices upgraded to Junos OS 12.1X46
  releases prior to those listed as Resolved below. No other platform or
  version of Junos OS is affected by this vulnerability, and no other
  Juniper Networks products or platforms are affected by this issue.

  Juniper SIRT is not aware of any malicious exploitation of this
  vulnerability.

  This issue has been assigned CVE-2016-1278.

Solution:
  The following software releases have been updated to resolve this specific
  issue: Junos OS 12.1X46-D50 and all subsequent releases.

  This issue is being tracked as PRs 1118748 and 1153914, which are visible
  on the Customer Support website.

  KB16765 - "In which releases are vulnerabilities fixed?" describes which
  release vulnerabilities are fixed as per our End of Engineering and End of
  Life support policies.

Workaround:
  Avoid using the 'partition' option when upgrading an SRX Series device to
  Junos OS 12.1X46 prior to 12.1X46-D50. Note that the symptoms are
  immediately obvious after an affected upgrade and may be remediated by
  rebooting the device post-upgrade.

Implementation:
  How to obtain fixed software:

  Security vulnerabilities in Junos are fixed in the next available
  Maintenance Release of each supported Junos version.
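As an added example (not part of Juniper's advisories or AusCERT's bulletin), the following Python triages Junos SRX release strings against the fixed releases listed in the two advisories above, flagging releases the version string alone cannot decide. The release-string format (e.g. 12.1X46-D40.2) and the sample inventory are assumptions constructed for the example; an "affected" result still requires the advisory's preconditions (ALGs enabled on a High-End chassis for CVE-2016-1276, a 'partition' upgrade for CVE-2016-1278) to be confirmed on the device.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per Junos train, as listed in JSA10751 (CVE-2016-1276)
# and JSA10753 (CVE-2016-1278); "and subsequent releases" applies per train.
FIXED_1276: Dict[str, List[int]] = {
    "12.1X46": [50], "12.1X47": [23, 35], "12.3X48": [25], "15.1X49": [40]}
FIXED_1278: Dict[str, List[int]] = {"12.1X46": [50]}

# Assumed X-train release format: 12.1X46-D40.2 -> train 12.1X46, D-number 40.
_VER = re.compile(r"^(\d+\.\d+X\d+)-D(\d+)(?:\.\d+)?$")

def parse_junos(version: str) -> Optional[Tuple[str, int]]:
    """Return (train, D-number) for an X-train release, None otherwise."""
    m = _VER.match(version.strip())
    return (m.group(1), int(m.group(2))) if m else None

def release_status(version: str, fixed: Dict[str, List[int]],
                   only_listed_trains: bool) -> str:
    """'fixed', 'affected', 'not affected' or 'verify' for one advisory.

    'not affected' is only returned for trains the advisory does not name
    when the advisory restricts itself to named trains (JSA10753)."""
    parsed = parse_junos(version)
    if parsed is None:
        return "verify"                 # mainline (e.g. 15.1R2) or unknown format
    train, d = parsed
    if train not in fixed:
        return "not affected" if only_listed_trains else "verify"
    fixes = sorted(fixed[train])
    if d >= fixes[-1] or d in fixes:
        return "fixed"
    if d < fixes[0]:
        return "affected"
    # Between two listed fixes on one train (JSA10751 lists both 12.1X47-D23
    # and D35, so D30 is not decided here): confirm against the advisory.
    return "verify"

def triage(version: str) -> Dict[str, str]:
    """Release-range result per CVE. 'affected' means the release is in the
    vulnerable range; the ALG/High-End chassis (1276) and 'partition' upgrade
    (1278) preconditions still have to be checked on the device itself."""
    return {"CVE-2016-1276": release_status(version, FIXED_1276, False),
            "CVE-2016-1278": release_status(version, FIXED_1278, True)}

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for host, ver in [("srx-a", "12.1X46-D40.2"), ("srx-b", "12.1X47-D30.4"),
                      ("srx-c", "15.1X49-D40.6"), ("srx-d", "15.1R2.9")]:
        print(host, ver, triage(ver))
```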
  In some cases, a Maintenance Release is not planned to be available in an
  appropriate time-frame. For these cases, Service Releases are made
  available in order to be more timely. Security Advisories and Security
  Notices will indicate which Maintenance and Service Releases contain fixes
  for the issues described. Upon request to JTAC, customers will be provided
  download instructions for a Service Release. Although Juniper does not
  provide formal Release Note documentation for a Service Release, a list of
  "PRs fixed" can be provided on request.

Modification History:
  2016-07-13: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
           Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
           Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security
           Incident Response Team
  CVE-2016-1278: Corrupted partial configuration after upgrade allows for
           unauthenticated root login

CVSS Score:
  7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Risk Level:
  High

Risk Assessment:
  Information for how Juniper Networks uses CVSS can be found at KB 16446
  "Common Vulnerability Scoring System (CVSS) and Juniper's Security
  Advisories."

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================