===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2017.2578
2017-10 Security Bulletin: Junos:
12 October 2017
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Juniper Junos
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10621 CVE-2017-10614 CVE-2017-10613
                   CVE-2017-10611 CVE-2017-10607

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10810
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10814
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10816
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10817

Comment: This bulletin contains four (4) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Junos: rpd core due to receipt of specially crafted BGP packet (CVE-2017-10607)

PRODUCT AFFECTED:
This issue only affects Juniper Networks Junos OS 16.1 prior to 16.1R2.

PROBLEM:
Junos OS 16.1R1, and services releases based off of 16.1R1, are vulnerable to the receipt of a crafted BGP Protocol Data Unit (PDU) sent directly to the router, which can cause the RPD routing process to crash and restart. Unlike BGP UPDATEs, which are transitive in nature, this issue can only be triggered by a packet sent directly to the IP address of the router. Repeated crashes of the rpd daemon can result in an extended denial of service condition.

This issue only affects devices running Junos OS 16.1R1 and services releases based off of 16.1R1 (e.g. 16.1R1-S1, 16.1R1-S2, 16.1R1-S3). No prior versions of Junos OS are affected by this vulnerability, and this issue was resolved in Junos OS 16.2 prior to 16.2R1.

No other Juniper Networks products or platforms are affected by this issue.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10607.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 16.1R2, 16.2R1, and all subsequent releases.

This issue is being tracked as PRs 1161558 and 1214828 which are visible on the Customer Support website.

WORKAROUND:
There are no known workarounds for this issue.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. When possible, use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2017-10607 at cve.mitre.org

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High
RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

=============================================================

2017-10 Security Bulletin: Junos: EX Series PFE and MX MPC7E/8E/9E PFE crash when fetching interface stats with 'extended-statistics' enabled (CVE-2017-10611) [JSA10814]

PRODUCT AFFECTED:
This issue affects Junos OS on MX Series, EX2200, EX3300, XRE200.

PROBLEM:
If extended statistics are enabled via 'set chassis extended-statistics', when executing any operation that fetches interface statistics, including but not limited to SNMP GET requests, the pfem process or the FPC may crash and restart. Repeated crashes of PFE processing can result in an extended denial of service condition.

This issue only affects the following platforms:
  EX2200, EX3300, XRE200
  MX Series routers with MPC7E/8E/9E PFEs installed
and only if 'extended-statistics' are enabled under the [edit chassis] configuration.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10611.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S3, 15.1R6, 16.1R4-S5, 16.1R5, 16.1X65-D45, 16.2R2-S1, 16.2R3, 17.1R2-S2, 17.1R3, 17.2R1-S3, 17.2R2, 17.2X75-D50, 17.3R1-S1, 17.3R2, 17.4R1, and all subsequent releases.

This issue is being tracked as PR 1247026 and is visible on the Customer Support website.

WORKAROUND:
Disable chassis extended-statistics.

Use access lists or firewall filters to limit access to the router via SNMP or CLI only from trusted hosts and administrators.

IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2017-10611 at cve.mitre.org

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High
RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

===========================================================================

2017-10 Security Bulletin: Junos OS: A kernel hang may occur due to a specific loopback filter action command (CVE-2017-10613)

PRODUCT AFFECTED:
Junos OS

PROBLEM:
A vulnerability in a specific loopback filter action command, processed in a specific logical order of operation, in a running configuration of Juniper Networks Junos OS, allows an attacker with CLI access and the ability to initiate remote sessions to the loopback interface with the defined action, to hang the kernel.

Affected releases are Juniper Networks Junos OS
  12.1X46 prior to 12.1X46-D55;
  12.3X48 prior to 12.3X48-D35;
  14.1 prior to 14.1R8-S4, 14.1R9;
  14.1X53 prior to 14.1X53-D40;
  14.2 prior to 14.2R4-S9, 14.2R7-S8, 14.2R8;
  15.1 prior to 15.1F5-S3, 15.1F6, 15.1R4;
  15.1X49 prior to 15.1X49-D60;
  15.1X53 prior to 15.1X53-D47;
  16.1 prior to 16.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability; however, the issue has been seen in a production network.

This issue has been assigned CVE-2017-10613.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 12.1X46-D55, 12.3X48-D35, 14.1R8-S4, 14.1R9*, 14.1X53-D40*, 14.2R4-S9, 14.2R7-S8, 14.2R8*, 15.1F5-S3, 15.1F6, 15.1R4, 15.1X49-D60, 15.1X53-D47, 16.1R2, 16.2R1, and all subsequent releases.

This issue is being tracked as PR 1167423 and is visible on the Customer Support website.

*Fix Pending Publication

WORKAROUND:
Discontinue the use of allowing remote sessions to be issued from the local device to reach loopback address(es).

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

IMPLEMENTATION:
How to obtain fixed software:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2017-10613: Junos OS: A kernel hang may occur due to a specific loopback filter action command

CVSS SCORE: 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: Medium
RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

==================================================================

2017-10 Security Bulletin: Junos OS: Denial of service vulnerabilities in telnetd (CVE-2017-10614, CVE-2017-10621)

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.2.

PROBLEM:
Two vulnerabilities in telnetd service on Juniper Networks Junos OS may allow a remote unauthenticated attacker to cause a denial of service through memory and/or CPU consumption.

These issues were found during internal product security testing.

No other Juniper Networks products or platforms are affected by this issue.

These issues have been assigned CVE-2017-10614 and CVE-2017-10621.

This issue only affects systems with telnet enabled, which is disabled by default.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

SOLUTION:
CVE-2017-10614 is resolved in: 12.1X46-D45, 12.3X48-D30, 14.1R4-S9, 14.1R8, 14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, 15.1X53-D232, 15.1X53-D47, 16.1R1, and all subsequent releases.

CVE-2017-10614 is being tracked as PR 1108483 and is visible on the Customer Support website.

CVE-2017-10621 is resolved in: 12.1X46-D71, 12.3X48-D50, 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F2-S16, 15.1F5-S7, 15.1F6-S6, 15.1R5-S2, 15.1R6, 15.1X49-D100, 15.1X49-D90, 15.1X53-D47, 16.1R4-S1, 16.1R5, 16.2R1-S3, 16.2R2, 17.1R1, and all subsequent releases.

CVE-2017-10614 is being tracked as PR 1159841 and is visible on the Customer Support website.

WORKAROUND:
Disabling the telnet service will completely mitigate these issues.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via telnet from trusted, administrative networks or hosts.

IMPLEMENTATION:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release.
Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

MODIFICATION HISTORY:
2017-10-11: Initial Publication.

RELATED LINKS:
  KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team

CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
RISK LEVEL: Medium
RISK ASSESSMENT: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
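
Added example (not part of the Juniper or AusCERT text): a Python check that maps one device to the CVEs in this bulletin whose stated preconditions it meets (16.1R1-based release, extended-statistics on the listed platforms, telnet enabled). The function names, model strings and sample configuration are assumptions of the example; input is assumed to be set-format configuration with groups already expanded.

```python
import re

# Exposure conditions are taken from the bulletin text. Function names, model
# strings and the sample configuration are assumptions of this example.
RPD_AFFECTED = re.compile(r"^16\.1R1(-S\d+)?$")   # 16.1R1 and its service releases
STATS_PLATFORMS = ("ex2200", "ex3300", "xre200", "mx")

def active_statements(config_text):
    """Return active 'set' statements as word lists, skipping deactivated subtrees."""
    sets, inactive = [], []
    for line in config_text.splitlines():
        words = line.split()
        if words[:1] == ["set"]:
            sets.append(words[1:])
        elif words[:1] == ["deactivate"] and len(words) > 1:
            inactive.append(words[1:])
    return [s for s in sets if not any(s[:len(d)] == d for d in inactive)]

def configured(stmts, path):
    """True if any active statement sits at or below the given hierarchy path."""
    prefix = path.split()
    return any(s[:len(prefix)] == prefix for s in stmts)

def audit(model, version, config_text):
    """Map one device to the bulletin's CVEs whose stated preconditions it meets."""
    stmts = active_statements(config_text)
    findings = {}
    if RPD_AFFECTED.match(version):
        findings["CVE-2017-10607"] = "16.1R1-based release: upgrade to 16.1R2 or later"
    on_platform = model.lower().startswith(STATS_PLATFORMS)
    if on_platform and configured(stmts, "chassis extended-statistics"):
        findings["CVE-2017-10611"] = ("extended-statistics enabled: disable it or "
                                      "upgrade (on MX, confirm MPC7E/8E/9E)")
    if configured(stmts, "system services telnet"):
        findings["CVE-2017-10614/CVE-2017-10621"] = (
            "telnet enabled: disable it or check the release against the fixed list")
    return findings

# Constructed sample: telnet active, extended-statistics present but deactivated.
SAMPLE_CONFIG = """\
set system host-name edge1
set system services ssh
set system services telnet connection-limit 5
set chassis extended-statistics
deactivate chassis extended-statistics
"""

if __name__ == "__main__":
    for cve, note in audit("ex3300-48t", "16.1R1-S2", SAMPLE_CONFIG).items():
        print(cve, "-", note)
```

CVE-2017-10613 is left out because the bulletin does not name the loopback filter action involved; telnet findings still need the running release compared against the fixed-release lists above.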