-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1736
Multiple vulnerabilities have been identified in Juniper SRX Series devices
                               14 July 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper SRX Series devices
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1278 CVE-2016-1276 

Original Bulletin: 
   http://kb.juniper.net/index?page=content&id=JSA10751
   http://kb.juniper.net/index?page=content&id=JSA10753

Comment: This bulletin contains two (2) Juniper Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to
in-transit traffic may trigger high CP (central point) utilization leading to
denial of services. (CVE-2016-1276)

Security Advisories ID: JSA10751

Last Updated: 13 Jul 2016

Version: 4.0

Product Affected:

This issue affects both standalone and cluster mode configurations, with
different denial-of-service permutations, on High-End SRX Series chassis.

Problem:

When a High-End SRX Series chassis has security policies with one or more ALGs
(application layer gateways) enabled and applied to in-transit traffic, a
number of failure conditions may be triggered that cause various types of
denial of service to in-transit traffic.

Continued in-transit traffic matching ALG rules can create a sustained denial
of service.

This issue affects both standalone and cluster mode configurations, with
different denial-of-service permutations.

Standalone:

In standalone HE chassis deployments, existing sessions continue to function
normally, but high CP utilization may prevent new sessions from being
established.

Cluster:

In cluster HE chassis deployments, the fabric (fab) link between the chassis
may be unable to sustain communication, causing the backup node to become
ineligible due to fab link failure.

High CP utilization may also prevent new sessions from being established.

The primary chassis, which processes LACP communication, may lose LACP links,
triggering failover conditions that can create sustained flip-flop failovers
between the chassis, including possible line card reboots, leading to
long-term denial of service.

This issue only affects devices when ALGs are enabled and in-transit traffic
matches and triggers any ALG. See KB25546 for the ALG list.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1276.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D50, 12.1X47-D23, 12.1X47-D35, 12.3X48-D25, 
15.1X49-D40 and subsequent releases.

This issue is being tracked as PR 1150971 and is visible on the Customer 
Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

The following workarounds may be used to mitigate, reduce or resolve the risk
of the problem occurring:

Disabling all ALGs will mitigate the issue until an upgrade can be performed
on the chassis.

Breaking the cluster (if present) and operating the High-End SRX Series
Services Gateways as standalone devices in parallel, while distributing
traffic equally between them, may reduce CP utilization on each chassis and
may mitigate the risk of line card reboots.
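The first workaround above is "disable all ALGs". As an added example (not code from Juniper or AusCERT), the script below turns the output of the Junos operational command 'show security alg status' into the configuration statements that apply that workaround and the statements that roll it back once a fixed release is installed. The sample status output is constructed for this example and its exact layout is an assumption; the parser relies only on lines of the form 'NAME : Enabled|Disabled'. The table of 'set security alg <name> disable' keywords is also an assumption based on the ALG knobs available on SRX Junos 12.x, so anything the table does not know is reported for manual review against KB25546 rather than guessed.

```python
"""Added example (not Juniper's code): generate the JSA10751 workaround
(disable every enabled ALG) and its rollback from 'show security alg status'."""
import re

# Status-line name -> keyword under 'set security alg'.  Assumption: these are
# the ALG knobs that accept 'disable' on SRX 12.x.  Anything not listed here
# (for example the IKE-ESP ALG, whose knob is different) is flagged for manual
# review against KB25546 instead of being guessed at.
ALG_CONFIG_KEYWORD = {
    "DNS": "dns", "FTP": "ftp", "H323": "h323", "MGCP": "mgcp",
    "MSRPC": "msrpc", "PPTP": "pptp", "RSH": "rsh", "RTSP": "rtsp",
    "SCCP": "sccp", "SIP": "sip", "SQL": "sql", "SUNRPC": "sunrpc",
    "TALK": "talk", "TFTP": "tftp",
}

# One status line: "  FTP      : Enabled"
_STATUS_LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*:\s*(Enabled|Disabled)\s*$")

# Constructed sample of 'show security alg status' output (layout assumed).
SAMPLE_STATUS = """\
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MSRPC    : Enabled
  RSH      : Disabled
  SIP      : Enabled
  SUNRPC   : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled
"""


def parse_alg_status(text):
    """Return {ALG name: True if enabled} parsed from the status output."""
    state = {}
    for line in text.splitlines():
        m = _STATUS_LINE.match(line)
        if m:
            state[m.group(1).upper()] = (m.group(2) == "Enabled")
    return state


def workaround_commands(text):
    """Return (disable_cmds, rollback_cmds, unmapped) for the enabled ALGs.

    disable_cmds apply the advisory's workaround; rollback_cmds remove those
    statements again after a fixed Junos release is installed; unmapped lists
    enabled ALGs whose configuration keyword the table above does not know."""
    state = parse_alg_status(text)
    disable, rollback, unmapped = [], [], []
    for name in sorted(n for n, enabled in state.items() if enabled):
        keyword = ALG_CONFIG_KEYWORD.get(name)
        if keyword is None:
            unmapped.append(name)
            continue
        disable.append("set security alg %s disable" % keyword)
        rollback.append("delete security alg %s disable" % keyword)
    return disable, rollback, unmapped


if __name__ == "__main__":
    dis, back, unk = workaround_commands(SAMPLE_STATUS)
    print("# apply workaround in configure mode, then 'commit confirmed':")
    print("\n".join(dis))
    print("# roll back after upgrading to a fixed release:")
    print("\n".join(back))
    if unk:
        print("# enabled ALGs needing manual review:", ", ".join(unk))
```

Disabling an ALG changes how the SRX handles that protocol's secondary channels (FTP data connections, SIP media, and so on) through NAT and policy, so apply the generated statements with 'commit confirmed' and confirm only after verifying that the affected application traffic still passes.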

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-07-13: Initial publication

Related Links:

KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2016-1276 Junos OS: On High-End SRX-Series, ALGs applied to in-transit 
traffic may trigger high CP (central point) utilization leading to denial of 
services.

KB16446: [SRX/J-series] Default status of ALGs

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

- ---

2016-07 Security Bulletin: SRX Series: Upgrades using 'partition' option may 
allow unauthenticated root login (CVE-2016-1278)

Security Advisories ID: JSA10753

Last Updated: 13 Jul 2016

Version: 1.0

Product Affected:

This issue only affects SRX Series devices running Junos OS 12.1X46

Problem:

Using the 'request system software' command with the 'partition' option on an
SRX Series device upgrading to Junos OS 12.1X46 can leave the system in a
state where root CLI login is allowed without a password, because the system
reverts to a "safe mode" authentication state triggered by the failed upgrade.
Additionally, valid authentication credentials fail to work due to the same
issue. Only root with no password will work.

This issue only affects SRX Series devices upgraded to Junos OS 12.1X46 
releases prior to those listed as Resolved below. No other platform or version
of Junos OS is affected by this vulnerability, and no other Juniper Networks 
products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2016-1278.

Solution:

The following software releases have been updated to resolve this specific 
issue: Junos OS 12.1X46-D50 and all subsequent releases.
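Both advisories state their fix as a list of Junos releases "and subsequent releases" (12.1X46-D50, 12.1X47-D23, 12.1X47-D35, 12.3X48-D25 and 15.1X49-D40 for CVE-2016-1276 above; 12.1X46-D50 for CVE-2016-1278 here). As an added example that is not part of either advisory, the script below classifies a running Junos X-release string against those lists so the check can be run over an inventory export rather than by eye. The hostnames and versions in the sample inventory are constructed. One deliberate choice: where a branch lists two fixed builds (12.1X47-D23 and 12.1X47-D35), a build between them (such as D30) is not assumed to carry the fix, since only the listed builds and those at or past the highest listed build are stated to be fixed; and a branch the advisory never mentions is reported as unknown rather than as fixed or affected.

```python
"""Added example (not from the Juniper advisories or AusCERT): classify Junos
X-release strings against the fixed releases listed in JSA10751
(CVE-2016-1276) and JSA10753 (CVE-2016-1278)."""
import re

# Fixed releases exactly as the two advisories list them.
FIXED_CVE_2016_1276 = ["12.1X46-D50", "12.1X47-D23", "12.1X47-D35",
                       "12.3X48-D25", "15.1X49-D40"]
FIXED_CVE_2016_1278 = ["12.1X46-D50"]

# Junos X-release strings look like <major>.<minor>X<branch>-D<build>[.<respin>]
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)X(\d+)-D(\d+)(?:\.(\d+))?$")


def parse_release(release):
    """Return (branch, build), e.g. '12.1X47-D30.4' -> ('12.1X47', 30).
    Raises ValueError for strings that are not Junos X-release versions."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("not a Junos X-release string: %r" % release)
    major, minor, branch, build, _respin = m.groups()
    return "%s.%sX%s" % (major, minor, branch), int(build)


def fixed_builds_by_branch(fixed_releases):
    """Group an advisory's fixed releases by branch: {'12.1X47': [23, 35], ...}."""
    table = {}
    for rel in fixed_releases:
        branch, build = parse_release(rel)
        table.setdefault(branch, []).append(build)
    for builds in table.values():
        builds.sort()
    return table


def status(release, fixed_releases):
    """Classify one running release: 'fixed', 'affected' or 'unknown'.

    'and subsequent releases' is applied only from the highest listed build in
    a branch; a lower listed build (12.1X47-D23) counts as fixed exactly, but a
    build between two listed ones (12.1X47-D30) is reported as affected because
    the advisory does not say it carries the fix.  A branch the advisory does
    not mention is 'unknown' rather than silently fixed or affected."""
    branch, build = parse_release(release)
    table = fixed_builds_by_branch(fixed_releases)
    if branch not in table:
        return "unknown"
    builds = table[branch]
    if build >= builds[-1] or build in builds:
        return "fixed"
    return "affected"


def triage(inventory, fixed_releases):
    """Run status() over a {hostname: release} mapping; bad strings are kept
    in the result as 'unparseable' instead of aborting the whole run."""
    result = {}
    for host, release in inventory.items():
        try:
            result[host] = status(release, fixed_releases)
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "srx5800-dc1-a": "12.1X47-D30.4",
        "srx5800-dc1-b": "12.1X47-D35",
        "srx5600-edge": "12.1X46-D45.4",
        "srx3600-lab": "12.1X44-D40.2",
        "srx1400-old": "10.4R9",
    }
    for host, verdict in sorted(triage(sample, FIXED_CVE_2016_1276).items()):
        print("%-16s %s" % (host, verdict))
```

Feed the release column of 'show version' from each device into triage() with the list for the advisory being checked; anything reported as unknown or unparseable needs a manual look at KB16765 rather than being treated as safe.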

This issue is being tracked as PRs 1118748 and 1153914 which are visible on 
the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which 
release vulnerabilities are fixed as per our End of Engineering and End of 
Life support policies.

Workaround:

Avoid using the 'partition' option when upgrading an SRX Series device to 
Junos OS 12.1X46 prior to 12.1X46-D50.

Note that the symptoms are immediately obvious after an affected upgrade and 
may be remediated by rebooting the device post-upgrade.

Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security 
Advisory and Security Notices will indicate which Maintenance and Service 
Releases contain fixes for the issues described. Upon request to JTAC, 
customers will be provided download instructions for a Service Release. 
Although Juniper does not provide formal Release Note documentation for a 
Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

2016-07-13: Initial publication

Related Links:

KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin 
Publication Process

KB16765: In which releases are vulnerabilities fixed?

KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories

Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVE-2016-1278: Corrupted partial configuration after upgrade allows for 
unauthenticated root login

CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Risk Level: High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446 
"Common Vulnerability Scoring System (CVSS) and Juniper's Security 
Advisories."

Acknowledgements:

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----