===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0091
             2017-01 Security Bulletin: Junos Space: Multiple
                vulnerabilities resolved in 16.1R1 release.
                              12 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2311 CVE-2017-2310 CVE-2017-2309
                   CVE-2017-2308 CVE-2017-2307 CVE-2017-2306
                   CVE-2017-2305 CVE-2016-6662 CVE-2016-6515
                   CVE-2016-5573 CVE-2016-5387 CVE-2016-5195
                   CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-3705 CVE-2016-3627 CVE-2016-1907
                   CVE-2016-1840 CVE-2016-1839 CVE-2016-1838
                   CVE-2016-1837 CVE-2016-1836 CVE-2016-1835
                   CVE-2016-1834 CVE-2016-1833 CVE-2016-1762
                   CVE-2015-8325 CVE-2015-8104 CVE-2015-5366
                   CVE-2015-5364 CVE-2015-5307 

Reference:         ASB-2016.0104
                   ASB-2016.0103
                   ASB-2016.0095
                   ASB-2016.0089
                   ASB-2016.0074
                   ESB-2015.2043
                   ESB-2015.1942

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10770

--------------------------BEGIN INCLUDED TEXT--------------------

2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved
in 16.1R1 release.

Security Advisories ID:		JSA10770
Last Updated:			11 Jan 2017
Version:			1.0

Product Affected:

These issues can affect any product or platform running Junos Space prior
to 16.1R1.

Problem:

Multiple vulnerabilities have been resolved in Junos Space 16.1R1 release.

Third party software packages that have been upgraded to resolve
vulnerabilities in prior releases include:

    OpenSSH has been upgraded to 7.3p1.
    MySQL server has been upgraded to 5.6.34.
    Apache HTTP server has been upgraded to httpd-2.2.31.
    OpenJDK has been upgraded to 1.7.0.121.
    LibXML has been upgraded to libxml2-2.7.6-21.
    OpenSSL has been upgraded to 1.0.1t.
    Linux Kernel has been upgraded to kernel-2.6.32-642.

Important security issues resolved as a result of these upgrades include:

CVE             CVSS base score (vector)
                Summary

CVE-2016-1762   9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    The xmlNextChar function in libxml2 allows remote attackers to cause a
    denial of service (heap-based buffer over-read) via a crafted XML
    document.

CVE-2016-4448   9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    Format string vulnerability in libxml2 allows attackers to have
    unspecified impact via format string specifiers in unknown vectors.

CVE-2015-5364   7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
    The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel
    do not properly consider yielding a processor, which allows remote
    attackers to cause a denial of service (system hang) via incorrect
    checksums within a UDP packet flood.

CVE-2016-6515   7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
    The auth_password function in auth-passwd.c in sshd in OpenSSH before
    7.3 does not limit password lengths for password authentication, which
    allows remote attackers to cause a denial of service (crypt CPU
    consumption) via a long string.

CVE-2015-8325   7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
    The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2,
    when the UseLogin feature is enabled and PAM is configured to read
    .pam_environment files in user home directories, allows local users to
    gain privileges by triggering a crafted environment for the /bin/login
    program, as demonstrated by an LD_PRELOAD environment variable.

CVE-2016-1833   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    The htmlCurrentChar function in libxml2 allows remote attackers to cause
    a denial of service (heap-based buffer over-read) via a crafted XML
    document.

CVE-2016-1834   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in the xmlStrncat function in libxml2 allows
    remote attackers to execute arbitrary code or cause a denial of service
    (memory corruption) via a crafted XML document.

CVE-2016-1835   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Use-after-free vulnerability in the xmlSAX2AttributeNs function in
    libxml2 allows remote attackers to cause a denial of service via a
    crafted XML document.

CVE-2016-1836   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Use-after-free vulnerability in the xmlDictComputeFastKey function in
    libxml2 allows remote attackers to cause a denial of service via a
    crafted XML document.

CVE-2016-1837   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Multiple use-after-free vulnerabilities in the (1) htmlParsePubidLiteral
    and (2) htmlParseSystemLiteral functions in libxml2 allow remote
    attackers to cause a denial of service via a crafted XML document.

CVE-2016-1838   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    The xmlParserPrintFileContextInternal function in libxml2 allows remote
    attackers to cause a denial of service (heap-based buffer over-read) via
    a crafted XML document.

CVE-2016-1839   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    The xmlDictAddString function in libxml2 allows remote attackers to
    cause a denial of service (heap-based buffer over-read) via a crafted
    XML document.

CVE-2016-1840   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Heap-based buffer overflow in the xmlFAParsePosCharGroup function in
    libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before
    10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
    attackers to execute arbitrary code or cause a denial of service (memory
    corruption) via a crafted XML document.

CVE-2016-5573   6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
    Vulnerability in Java related to Hotspot.

CVE-2016-4449   5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)
    XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities
    function in parser.c in libxml2 before 2.9.4, when not in validating
    mode, allows context-dependent attackers to read arbitrary files or
    cause a denial of service (resource consumption) via unspecified vectors.

CVE-2016-5387   5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
    The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18
    and therefore does not protect applications from the presence of
    untrusted client data in the HTTP_PROXY environment variable, which
    might allow remote attackers to redirect an application's outbound HTTP
    traffic to an arbitrary proxy server via a crafted Proxy header in an
    HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This
    mitigation has been assigned the identifier CVE-2016-5387"; in other
    words, this is not a CVE ID for a vulnerability.

CVE-2015-5366   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel
    before 4.0.6 provide inappropriate -EAGAIN return values, which allows
    remote attackers to cause a denial of service (EPOLLET epoll application
    read outage) via an incorrect checksum in a UDP packet, a different
    vulnerability than CVE-2015-5364.

CVE-2016-1907   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2
    allows remote attackers to cause a denial of service (out-of-bounds read
    and application crash) via crafted network traffic.

CVE-2016-3627   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and
    earlier, when used in recovery mode, allows context-dependent attackers
    to cause a denial of service (infinite recursion, stack consumption, and
    application crash) via a crafted XML document.

CVE-2016-3705   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions
    in parser.c in libxml2 2.9.3 do not properly keep track of the recursion
    depth, which allows context-dependent attackers to cause a denial of
    service (stack consumption and application crash) via a crafted XML
    document containing a large number of nested entity references.

CVE-2016-4447   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
    The xmlParseElementDecl function in parser.c in libxml2 allows
    context-dependent attackers to cause a denial of service (heap-based
    buffer underread and application crash) via a crafted file, involving
    xmlParseName.

CVE-2015-5307   4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
    The KVM subsystem in the Linux kernel allows guest OS users to cause a
    denial of service (host OS panic or hang) by triggering many #AC (aka
    Alignment Check) exceptions, related to svm.c and vmx.c.

CVE-2015-8104   4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C)
    The KVM subsystem in the Linux kernel allows guest OS users to cause a
    denial of service (host OS panic or hang) by triggering many #DB (aka
    Debug) exceptions, related to svm.c.

CVE-2016-6662   0.0 (AV:N/AC:L/Au:N/C:N/I:N/A:N)
    Vulnerability in MySQL allows local users to create arbitrary
    configurations and bypass certain protection mechanisms by setting
    general_log_file to a my.cnf configuration. NOTE: Since this issue does
    not allow a Junos Space local user to increase privileges, the effective
    CVSS base score is zero.

CVE-2016-5195   0.0 (AV:L/AC:L/Au:N/C:N/I:N/A:N)
    Race condition in mm/gup.c in the Linux kernel allows local users to
    gain privileges by leveraging incorrect handling of a copy-on-write
    (COW) feature to write to a read-only memory mapping, as exploited in
    the wild in October 2016, aka "Dirty COW." NOTE: Since this issue does
    not allow a Junos Space local user to increase privileges, the effective
    CVSS base score is zero.

Please refer to JSA10759 for a list of OpenSSL vulnerabilities resolved
as a result of upgrading it to 1.0.1t.

Apart from the above issues, Junos Space 16.1R1 also resolves the following
issues found during internal product testing:

CVE             CVSS base score (vector)
                Summary

CVE-2017-2305   8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Due to an insufficient authorization check, read-only users on the
    Junos Space administrative web interface can create privileged users,
    allowing privilege escalation.

CVE-2017-2306   8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    Due to an insufficient authorization check, read-only users on the
    Junos Space administrative web interface can execute code on the
    device.

CVE-2017-2307   7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
    A reflected cross-site scripting vulnerability in the Junos Space
    administrative interface may allow remote attackers to steal sensitive
    information or perform certain administrative actions on Junos Space.

CVE-2017-2308   6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
    An XML External Entity Injection vulnerability in Junos Space may allow
    an authenticated user to read arbitrary files on the device.

CVE-2017-2309   5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    When certificate-based authentication is enabled for the Junos Space
    cluster, some restricted web services are accessible over the network.
    This represents an information leak risk.

CVE-2017-2310   5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    A firewall bypass vulnerability in the host-based firewall on a Junos
    Space device may permit certain crafted packets, representing a network
    integrity risk.

CVE-2017-2311   5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
    An unauthenticated remote attacker with network access to a Junos Space
    device can easily create a denial of service condition.

In addition to the above, Junos Space release 16.1R1 contains many security
improvements and security feature enhancements.

Juniper SIRT is not aware of any malicious exploitation of these
vulnerabilities.

Solution:

These issues have been resolved in Junos Space 16.1R1 and all subsequent
releases.

These issues are being tracked as PRs 1082037, 1107640, 1136574, 1201531,
1206933, 1214374, 1214763, 1215142, 1226553, 1232770, 1235133, 882239,
975417, 975435, 975452, 975458, 975482, 975495, 983913, 983914, 983940,
and 983966, and are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End
of Life support policies.

Workaround:

    Limit access to Junos Space from only trusted networks.
    Use administrative jump boxes with no internet access and employ
    anti-scripting techniques.
    In addition to the recommendations listed above, it is good security
    practice to limit the exploitable attack surface of critical
    infrastructure networking equipment. Use access lists or firewall
    filters to limit access to the device's administrative interfaces only
    from trusted, administrative networks or hosts.

Implementation:

How to obtain fixed software:

Junos Space Maintenance Releases are available at http://support.juniper.net
from the "Download Software" links. If a Maintenance Release is not adequate
and access to Junos Space patches is needed, open a customer support case. A
JTAC engineer will review your request and respond, ensuring that you will be
provided with the most appropriate Patch Release for your specific situation.

Modification History:

2017-01-11: Initial publication

Related Links:

    KB16613: Overview of the Juniper Networks SIRT Quarterly Security
    Bulletin Publication Process

    KB16765: In which releases are vulnerabilities fixed?

    KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories

    Report a Vulnerability - How to Contact the Juniper Networks Security
    Incident Response Team

CVSS Score:

9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:

High

Risk Assessment:

Information on how Juniper Networks uses CVSS can be found at KB16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================