Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.2575
2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel
Local Privilege Escalation (CVE-2016-5195)
12 October 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Juniper Multiple Products
Publisher: Juniper Networks
Operating System: Juniper
Impact/Access: Root Compromise -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5195
Reference: ASB-2016.0103
ESB-2017.1513
ESB-2017.1232
ESB-2017.0970
Original Bulletin:
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10807
- --------------------------BEGIN INCLUDED TEXT--------------------
2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local
Privilege Escalation (CVE-2016-5195)
PRODUCT AFFECTED:
This issue affects Junos OS 14.1R, 14.1X53, 14.2R, 15.1R, 15.1F, 15.1F,
15.1X49, 15.1X53, 16.1R. Affected platforms: vRR, vMX, SRX, EX, QFX, PTX, T.
This issue affects Network and Security Manager 2012.2. This issue affects
CTPView 7.1R, 7.2R1, 7.3R. This issue affected Sky Advanced Threat Prevention.
PROBLEM:
A race condition in Linux allows local users to gain privileges by leveraging
incorrect handling of a copy-on-write (COW) feature to write to a read-only
memory mapping. This issue is also known as "Dirty COW."
Note for Junos OS in a virtualized environment:
Junos OS as Host OS with virtualized Junos Guest OS's; and Junos OS
non-virtualized; or Junos OS as the Host OS is not vulnerable to this issue.
Customers using Junos OS as a Guest OS in a virtualized Linux-based
environment such as VMWare, Wind River Linux, CentOS, Red Hat Enterprise
Linux, etc. as the Host OS are advised that exploitation is not possible by
default as there is no valid attack vector to exploit the vulnerability that
Juniper ships with its products. The underlying Linux kernel in the Host OS
may have the vulnerability present in the software packages Juniper provides.
Vulnerability scanners may alert that the vulnerability is present if these
virtualization packages are used. Should customers make changes to these Host
OS Linux packages, customers may inadvertently expose this vulnerability to
potential exploitation by an attacker. If customers require a fully-fixed
version of Junos OS as Guest OS running on top of a Linux-Based Host OS, then
customers should move to a fixed version as listed in the Junos OS Solutions
section of the advisory. If Juniper does not provide the underlying package,
customers should consult their manufacturer for guidance.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability
on Juniper devices. However, public exploits are available for this
vulnerability.
This issue has been assigned CVE-2016-5195.
SOLUTION:
The following software releases have been updated to resolve this specific
issue:
Junos OS:
14.1X53-D46, 15.1X49-D80, 15.1X53-D49, 15.1X53-D61, 15.1X53-D470, 16.1R3-S6,
and all subsequent releases. Any products using VMWare ESXi images should
refer to VMWare's VMSA VMSA-2016-0018 advisory for guidance.
NSM:
2012.2R12 CentOS 6.5 Upgrade Package v3, and all subsequent releases.
CTP View:
7.1R4, and 7.3R2 and subsequent releases.
Sky ATP:
CVE-2016-5195 was fixed on Nov 17th 2016 for the Sky ATP cloud hosted service.
This issue is being tracked as PR 1227266 for Junos OS, 1226969 for CTPView,
1227267 for Sky ATP and 1227270 for NSM and are visible on the Customer
Support website.
WORKAROUND:
There are no viable workarounds for this issue.
It is good security practice to limit the exploitable attack surface of
critical infrastructure networking equipment. Use access lists or firewall
filters to limit access to the device from trusted, administrative networks or
hosts.
IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance
Release of each supported Junos version. In some cases, a Maintenance Release
is not planned to be available in an appropriate time-frame. For these cases,
Service Releases are made available in order to be more timely. Security
Advisory and Security Notices will indicate which Maintenance and Service
Releases contain fixes for the issues described. Upon request to JTAC,
customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a
Service Release, a list of "PRs fixed" can be provided on request.
NSM Maintenance Releases are available at http://support.juniper.net from the
"Download Software" links. If a Maintenance Release is not adequate and access
to NSM patches is needed, open a customer support case. A JTAC engineer will
review your request and respond, ensuring that you will be provided with the
most appropriate Patch Release for your specific situation.
MODIFICATION HISTORY:
2017-10-11: Initial Publication.
RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team
CVE-2016-5195 at cve.mitre.org
https://dirtycow.ninja/
https://www.vmware.com/security/advisories/VMSA-2016-0018.html
https://access.redhat.com/security/vulnerabilities/DirtyCow
https://access.redhat.com/security/cve/cve-2016-5195
Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation
(CVE-2016-5195)
CVSS SCORE:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL:
High
RISK ASSESSMENT:
KB16765 - "In which releases are vulnerabilities fixed?" describes which
release vulnerabilities are fixed as per our End of Engineering and End of
Life support policies.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWd7+0ox+lLeg9Ub1AQgi0w//TPJjag1cZAZ8IEBovIOohvhO39dizTwn
swKS1d1vplUVZO+wpo2FUyOMZYJl5H1JxnSFqWmkZBnBWfJFb5YFnGb4Hs3EmWqG
244gqrBojj/smm7Nro2Gxvp3H+/kZ2P2dPX0MoKGgO0uBiPZAmcUiSbFU/KJjWuP
OoF+MGKSYDK7LyBY/jzcdLVUTmiV8dua6rZim78ZHltjCmyeaC+WLXMG5jq2nDQN
PhyhFV5p35a98Avpum8/rinHYyzw5Au2hE3uGLumQnR2QyeUcXdgQH+fKFNofWUl
KG+S0a98CJJFpJiEJa1B7BsTZabA1YfIyNM3BbD5M1WXPTyM+GOOufwMh0cxjgx/
fpCWzMEA4MynIGcOoBFzW3RATLxwFv+NwVQt1VONmx4H3T0acNp3B9BPJ5htwDtQ
MOfG06A1MdMAGOiYWfMj72ujYed4lQVtV64D70LRzT+tIGBmWmiMIYFSAtr2F4If
bHxvfRws2Co76fVnbA8ESEgHS1IDjrYkqBQ3HxOq0yqSBtrKdq/qZvKXhh67++V6
fyYeVxc4DwkeyLbi8XwTm178HPWBFTdiF+/zbncH+BnnATbI8cd9SDnoqODaWgT1
ow+VcV1pfc8us+/IrUcGDrL0g0X4ghiTBkRTuph3uSXIpz8D1bp/whxftodSAQhH
0fNF5BUgozw=
=U/0q
-----END PGP SIGNATURE-----