-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2577
                   2017-10 Security Bulletin: SRX Series
                              12 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper SRX Series
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service     -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10610 CVE-2017-10608 CVE-2017-10606

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10811
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10813

Comment: This bulletin contains three (3) Juniper Networks security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series TPM Firmware (CVE-2017-10606)

PRODUCT AFFECTED:
This issue affects Juniper Networks Junos OS 15.1X49 with TPM firmware prior to version 4.43 on the SRX300 Series.

PROBLEM:
Version 4.40 of the TPM (Trusted Platform Module) firmware has a weakness in generating cryptographic keys that may allow an attacker to decrypt sensitive information in SRX300 Series products. The TPM is used in the SRX300 Series to encrypt sensitive configuration data. While other products also ship with a TPM, no other products or platforms are affected by this vulnerability.

Customers can confirm the version of TPM firmware via the 'show security tpm status' command:

  user@junos> show security tpm status
  TPM Status:
    Enabled: yes
    Owned: no
    Master Binding Key: not-created
    Master Encryption Key: not-configured
    TPM Family: 1.2
    TPM Firmware revision: 4.40

This issue was discovered by an external security researcher.
No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10606.

SOLUTION:
TPM firmware version 4.43 resolves this specific issue. Updating the TPM firmware requires one of the following software releases: Junos OS 15.1X49-D111*, 17.4R1, or any subsequent release.

Note: Junos OS 17.3 is unaffected by this issue since TPM functionality is not supported in this release.

The TPM firmware is updated via a separate "jtpm" package, available for download alongside the updated Junos OS package. After upgrading to a fixed release above, execute the following command to update the TPM firmware:

  user@junos> request system software add jtpm-15.1X49-D111-signed.tgz

When the TPM firmware has been updated, the log message "TPM firmware updated successfully." will appear on the screen. After updating the TPM firmware, reboot the system using the 'request system reboot' command. Once the system reboots, verify the TPM status using the 'show security tpm status' command. The TPM Firmware revision should show as 4.43 instead of 4.40.

This issue is being tracked as PR 1293114 and is visible on the Customer Support website.

*Due to unforeseen circumstances, Junos OS 15.1X49-D111 will not be available until October 18, 2017.

WORKAROUND:
Until the TPM firmware can be updated, use access lists or firewall filters to limit CLI access to the device to trusted hosts only, and limit access to the Junos shell to trusted administrators only. (The CVSS vector below rates this issue as local, high-privilege: an attacker needs an existing privileged account on the device.)

IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely.
Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.
2017-10-11: Release of 15.1X49-D111 delayed until 2017-10-18. Workaround updated.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-10606 at cve.mitre.org

CVSS SCORE:
4.4 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

RISK LEVEL:
Medium

RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

============================================================

2017-10 Security Bulletin: SRX Series: SRX Series using IPv6 Sun/MS-RPC ALGs may experience flowd crash on processing packets. (CVE-2017-10608)

PRODUCT AFFECTED:
This issue can affect all SRX Series services gateways.

PROBLEM:
Any SRX Series device with the Sun-RPC or MS-RPC ALG enabled may experience a flowd crash when traffic is processed by those ALGs. This vulnerability in the Sun/MS-RPC ALG services component of Junos OS allows an attacker to cause a repeated denial of service against the target. In a chassis cluster, repeated crash-inducing traffic may cause repeated failovers between nodes, or a full failure of the flowd daemon that halts traffic on all nodes.

Only IPv6 traffic is affected by this issue. IPv4 traffic is unaffected. This issue is not seen with to-host traffic.
This issue has no relation to the HA services themselves, only to the ALG service.

Affected releases are Juniper Networks Junos OS:
  12.1X46 prior to 12.1X46-D55 on SRX;
  12.1X47 prior to 12.1X47-D45 on SRX;
  12.3X48 prior to 12.3X48-D32, 12.3X48-D35 on SRX;
  15.1X49 prior to 15.1X49-D60 on SRX.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10608.

SOLUTION:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D55, 12.1X47-D45, 12.3X48-D32, 12.3X48-D35, 15.1X49-D60, 17.3R1 and all subsequent releases.

This issue is being tracked as PR 1189443 and is visible on the Customer Support website.

WORKAROUND:
Disable the Sun/MS-RPC ALGs on the SRX Series device.

Alternatively, disable IPv6 on the device. The example below deactivates a single IPv6 address; repeat it for every inet6 address on every interface that carries IPv6:

  deactivate interfaces xe-0/0/0 unit 0 family inet6 address 2000::254/64

Filtering incoming IPv6, or Sun/MS-RPC traffic, at the device is also an option. Example:

  set interfaces xe-0/0/0 unit 0 family inet6 filter input TEST   ==> apply to interface
  set firewall family inet6 filter TEST term t1 from destination-port 135
  set firewall family inet6 filter TEST term t1 then discard

Two caveats for the filter example: port 135 is the MS-RPC endpoint mapper, so Sun RPC portmapper traffic (port 111) needs its own term; and a Junos firewall filter discards anything not matched by an earlier term, so a filter containing only term t1 would drop all other IPv6 traffic entering the interface. Add a final term with an accept action for the traffic that should continue to flow.

IMPLEMENTATION:
How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
CVE-2017-10608: SRX series: SRX Series using IPv6 Sun/MS-RPC ALGs may experience flowd crash on processing packets.

CVSS SCORE:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:
High

RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===============================================================

2017-10 Security Bulletin: SRX Series: Embedded ICMP may cause the flowd process to crash (CVE-2017-10610)

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49.
Affected platforms: SRX Series.

PROBLEM:
On SRX Series devices, a crafted ICMP packet embedded within NAT64 IPv6-to-IPv4 traffic may cause the flowd process to crash. Repeated crashes of the flowd process constitute an extended denial of service condition for the SRX Series device.

This issue only occurs if NAT64 is configured.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10610.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3X48-D55, 15.1X49-D100, 17.3R1, and all subsequent releases.

This issue is being tracked as PR 1270680 and is visible on the Customer Support website.
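The three advisories in this bulletin each key on a Junos release range, and one additionally on a TPM firmware revision and platform. The script below is an added example, not Juniper's or AusCERT's code: it reads the text of 'show version' and 'show security tpm status' and reports which of CVE-2017-10606, CVE-2017-10608 and CVE-2017-10610 a device is exposed to by release and firmware revision. It assumes that where an advisory lists two fixed builds on one branch (12.3X48-D32 and -D35) the lower one is the threshold, and that SRX300 Series devices report a three-digit model string such as 'srx345'; the 'show version' sample is constructed, the TPM status sample is the one printed in the CVE-2017-10606 advisory. It checks version exposure only: whether the triggering configuration (Sun/MS-RPC ALGs with IPv6 traffic, or NAT64) is present still has to be confirmed on the device.

```python
"""Triage the three SRX advisories in this bulletin against CLI output.

Added example, not Juniper or AusCERT code.  Thresholds come from the
PRODUCT AFFECTED / SOLUTION sections of the advisories; sample CLI text
is constructed.
"""
import re

# Lowest fixed D-build per affected X-branch.  Where an advisory lists two
# fixed builds on one branch (12.3X48-D32 and -D35 for CVE-2017-10608) the
# lower one is taken as the threshold; that is an assumption of this example.
FIXED_BUILDS = {
    "CVE-2017-10608": {"12.1X46": 55, "12.1X47": 45, "12.3X48": 32, "15.1X49": 60},
    "CVE-2017-10610": {"12.1X46": 71, "12.3X48": 55, "15.1X49": 100},
}
TPM_FIXED_FIRMWARE = (4, 43)        # revision delivered by the jtpm package
TPM_JTPM_MIN_15_1X49_BUILD = 111    # jtpm needs 15.1X49-D111 (or 17.4R1+)

# '15.1X49-D75.5' -> branch '15.1X49', build 75.  Mainline releases such as
# '17.4R1.16' do not match and are treated as outside the affected branches.
VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+X\d+)-D(?P<build>\d+)")


def parse_junos_version(version):
    """Return (branch, build) for an X-branch release, or (None, None)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None, None
    return m.group("branch"), int(m.group("build"))


def parse_show_version(text):
    """Pull the 'Model:' and 'Junos:' fields out of 'show version' output."""
    model = junos = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "model":
            model = value.strip().lower()
        elif key == "junos":
            junos = value.strip()
    return model, junos


def parse_tpm_status(text):
    """Return the 'TPM Firmware revision' as an int tuple, or None if absent."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "tpm firmware revision":
            return tuple(int(p) for p in value.strip().split("."))
    return None


def is_srx300_series(model):
    """SRX300/320/340/345 report three-digit models ('srx345'); SRX3400/3600 do not match."""
    return bool(model) and re.fullmatch(r"srx3\d\d", model) is not None


def assess(show_version_text, tpm_status_text=None):
    """Map each applicable CVE to the reason the device is exposed by version.

    Version exposure only: CVE-2017-10608 also needs the Sun/MS-RPC ALGs
    enabled and IPv6 traffic; CVE-2017-10610 also needs NAT64 configured.
    """
    model, junos = parse_show_version(show_version_text)
    branch, build = parse_junos_version(junos or "")
    findings = {}
    for cve, fixed in FIXED_BUILDS.items():
        if branch in fixed and build < fixed[branch]:
            findings[cve] = f"Junos {junos} is below {branch}-D{fixed[branch]}"
    # CVE-2017-10606: SRX300 Series with TPM firmware below 4.43.
    fw = parse_tpm_status(tpm_status_text) if tpm_status_text else None
    if is_srx300_series(model) and fw is not None and fw < TPM_FIXED_FIRMWARE:
        if branch == "15.1X49" and build < TPM_JTPM_MIN_15_1X49_BUILD:
            hint = f"upgrade to 15.1X49-D{TPM_JTPM_MIN_15_1X49_BUILD} or 17.4R1+, then install jtpm"
        else:
            hint = "install the jtpm package, reboot, re-check 'show security tpm status'"
        fw_str = ".".join(str(p) for p in fw)
        findings["CVE-2017-10606"] = f"TPM firmware {fw_str} is below 4.43; {hint}"
    return findings


# Constructed 'show version' output for an SRX345 on 15.1X49-D75; the TPM
# status text is the one shown in the CVE-2017-10606 advisory.
SHOW_VERSION_SAMPLE = """\
Hostname: srx-edge
Model: srx345
Junos: 15.1X49-D75.5
JUNOS Software Release [15.1X49-D75.5]
"""
TPM_STATUS_SAMPLE = """\
TPM Status:
  Enabled: yes
  Owned: no
  Master Binding Key: not-created
  Master Encryption Key: not-configured
  TPM Family: 1.2
  TPM Firmware revision: 4.40
"""

if __name__ == "__main__":
    for cve, why in sorted(assess(SHOW_VERSION_SAMPLE, TPM_STATUS_SAMPLE).items()):
        print(f"{cve}: {why}")
```

For the constructed SRX345 on 15.1X49-D75 the script reports CVE-2017-10610 (fixed in D100) and CVE-2017-10606 (firmware 4.40, with D111 needed before jtpm can be installed) but not CVE-2017-10608, which D60 already fixed. Paste real CLI output into the two sample strings, or read them from files, to triage an inventory; a mainline release such as 17.4R1 falls outside every affected branch and produces no release finding.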
WORKAROUND:
No viable workaround exists for this issue.

IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
Configuring Stateful NAT64
CVE-2017-10610 at cve.mitre.org

CVSS SCORE:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

RISK LEVEL:
High

RISK ASSESSMENT:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.
NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWd7/LYx+lLeg9Ub1AQj2lA/8Dv4tfcdBozgu3JSBzWneuqFdE/4bUAc2
QHEiQcljexgeTn6yaqAG00aEgsH56D5qc7LNboO7lg1yxSDmOgtpiCUZ8FW53i96
tBrHVvlTYB1amCka6FlVIQWS5UbtbUCxSR2qO6iS5U0ExOYNYm6WcY/Hu+jr6h6P
xK2U43QjaC3KbdWubdOGPXWvc7Ui2KKNMwdjxV87403U8HKMRxvGAOYg4KWVZr4B
iUMdRszAj16cpsGisP4/mkT2AMRlIDFxxAUS1s44EKlcQXAGM5yfcpkICZ0b8mui
7pr1m/0mIfnUerD6wHRF4kRlEaTyphMTEc3Dxj55utn3LuZ5ZuTciErBjxy0tnbc
xxstdVGzmSLbpjiGcNYlqeJ1gibGlSjvv5DPVNSj0PG/ZxClhDoMvsro/JOYnFfz
YWIb1xJEr1cbon2u0cIEHnKIn2Qd77KSmwqVsQSg/q069bUhWcDKYtbzM9lDXzrQ
444whP3lprAD+44vdfygv5GOK3u0T2BGRZTI+VNg10Ve0kzxW6FS8nXMRMGaHDCd
oAcJLNumU/OKxB2cdNaqZJtd1GSomL7+2yj8vlS1aeARA3xxdYZ0gv2GoEZr6XjC
qc5eETUPhX0Yf6c0hsTspHoDw5gkqt2ig7KwhwUsIx+WpTM5kbEk/I9wXQqLptHp
upUDezgOYoI=
=qAZS
-----END PGP SIGNATURE-----