-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2631
  2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved
                              in 17.1R1 release
                               19 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper Junos Space
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                -- Existing Account
                   Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Cross-site Scripting           -- Existing Account
                   Reduced Security               -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000379 CVE-2017-1000371 CVE-2017-1000370
                   CVE-2017-1000369 CVE-2017-1000367 CVE-2017-1000366
                   CVE-2017-1000365 CVE-2017-1000364 CVE-2017-10624
                   CVE-2017-10623 CVE-2017-10612 CVE-2017-7494
                   CVE-2016-2519 CVE-2016-2518 CVE-2016-2517
                   CVE-2016-2516 CVE-2016-1551 CVE-2016-1550
                   CVE-2016-1549 CVE-2016-1548 CVE-2016-1547
Reference:         ESB-2017.2422 ESB-2017.1831 ESB-2017.1681 ESB-2017.1468
                   ASB-2016.0074 ASB-2016.0046

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10826&actp=RSS

- --------------------------BEGIN INCLUDED TEXT--------------------

2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in
17.1R1 release

Categories:   Junos Space
              SIRT Advisory
Article ID:   JSA10826
Last Updated: 17 Oct 2017
Version:      2.0

PRODUCT AFFECTED:

This issue affects Juniper Networks Junos Space versions prior to 17.1R1.

PROBLEM:

Multiple vulnerabilities have been resolved in the Junos Space 17.1R1 release.

Important security issues resolved as a result of these upgrades include:

CVE-2017-7494
  CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Summary: Samba since version 3.5.0 is vulnerable to a remote code execution
  vulnerability, allowing a malicious client to upload a shared library to a
  writable share, and then cause the server to load and execute it.

CVE-2017-1000365
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The Linux Kernel imposes a size restriction on the arguments and
  environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the
  size), but does not take the argument and environment pointers into account,
  which allows attackers to bypass this limitation. This affects Linux Kernel
  versions 4.11.5 and earlier. It appears that this feature was introduced in
  the Linux Kernel version 2.6.23.

CVE-2017-1000366
  CVSS base score: 7.4 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Summary: glibc contains a vulnerability that allows specially crafted
  LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias,
  potentially resulting in arbitrary code execution. Please note that
  additional hardening changes have been made to glibc to prevent manipulation
  of stack and heap memory; those issues are not directly exploitable, so they
  have not been given a CVE. This affects glibc 2.25 and earlier.

CVE-2017-1000371
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The offset2lib patch as used by the Linux Kernel contains a
  vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of
  memory is allocated (the maximum under the 1/4 restriction), then the stack
  will be grown down to 0x80000000, and as the PIE binary is mapped above
  0x80000000 the minimum distance between the end of the PIE binary's
  read-write segment and the start of the stack becomes small enough that the
  stack guard page can be jumped over by an attacker. This affects Linux
  Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and
  CVE-2017-1000365. This issue appears to be limited to i386 based systems.

CVE-2017-1000379
  CVSS base score: 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
  Summary: The Linux Kernel running on AMD64 systems will sometimes map the
  contents of a PIE executable, the heap or ld.so to where the stack is mapped,
  allowing attackers to more easily manipulate the stack. Linux Kernel version
  4.11.5 is affected.

CVE-2016-2516
  CVSS base score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
  Summary: NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled,
  allows remote attackers to cause a denial of service (ntpd abort) by using
  the same IP address multiple times in an unconfig directive.

CVE-2017-1000367
  CVSS base score: 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C)
  Summary: Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an
  input validation flaw (embedded spaces) in the get_process_ttyname()
  function, resulting in information disclosure and command execution.

CVE-2016-1548
  CVSS base score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
  Summary: An attacker can spoof a packet from a legitimate ntpd server with
  an origin timestamp that matches the peer->dst timestamp recorded for that
  server. After making this switch, the NTP client will reject all future
  legitimate server responses. It is possible to force the victim client to
  move time after the mode has been changed. ntpq gives no indication that the
  mode has been switched.

CVE-2017-1000364
  CVSS base score: 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C)
  Summary: An issue was discovered in the size of the stack guard page on
  Linux: specifically, a 4k stack guard page is not sufficiently large and can
  be "jumped" over (the stack guard page is bypassed). This affects Linux
  Kernel versions 4.11.5 and earlier (the stack guard page was introduced in
  2010).

CVE-2016-1547
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Summary: An off-path attacker can cause a preemptible client association to
  be demobilized in NTP by sending a crypto NAK packet to a victim client with
  a spoofed source address of an existing associated peer. This is true even
  if authentication is enabled.

CVE-2016-1550
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Summary: An exploitable vulnerability exists in the message authentication
  functionality of libntp in NTP. An attacker can send a series of crafted
  messages to attempt to recover the message digest key.

CVE-2016-2518
  CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  Summary: The MATCH_ASSOC function in NTP allows remote attackers to cause an
  out-of-bounds reference via an addpeer request with a large hmode value.

CVE-2016-2517
  CVSS base score: 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  Summary: NTP allows remote attackers to cause a denial of service (prevent
  subsequent authentication) by leveraging knowledge of the controlkey or
  requestkey and sending a crafted packet to ntpd, which changes the value of
  trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists
  because of a CVE-2016-2516 regression.

CVE-2016-2519
  CVSS base score: 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
  Summary: ntpd allows remote attackers to cause a denial of service (ntpd
  abort) via a large request data value, which triggers the ctl_getitem
  function to return a NULL value.

CVE-2016-1549
  CVSS base score: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
  Summary: A malicious authenticated peer can create arbitrarily many
  ephemeral associations in order to win the clock selection algorithm in
  ntpd and modify a victim's clock.

CVE-2016-1551
  CVSS base score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
  Summary: ntpd relies on the underlying operating system to protect it from
  requests that impersonate reference clocks. Because reference clocks are
  treated like other peers and stored in the same structure, any packet with a
  source IP address of a reference clock (127.127.1.1 for example) that
  reaches the receive() function will match that reference clock's peer record
  and will be treated as a trusted peer. Any system that lacks the typical
  martian packet filtering which would block these packets is in danger of
  having its time controlled by an attacker.

CVE-2017-1000369
  CVSS base score: 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N)
  Summary: Exim supports the use of multiple "-p" command line arguments which
  are malloc()'ed and never free()'ed; used in conjunction with other issues,
  this allows attackers to cause arbitrary code execution. This affects exim
  version 4.89 and earlier. Please note that at this time upstream has released
  a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not
  known if a new point release is available that addresses this issue at this
  time.

Apart from the above issues, Junos Space 17.1R1 also resolves the following
issues found during internal product testing:

CVE-2017-10612
  CVSS base score: 8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
  Summary: A persistent site scripting vulnerability in Juniper Networks Junos
  Space allows users who can change certain configuration to implant malicious
  Javascript or HTML which may be used to steal information or perform actions
  as other Junos Space users or administrators. (PR 1231289)

CVE-2017-10623
  CVSS base score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
  Summary: Lack of authentication and authorization of cluster messages in
  Juniper Networks Junos Space may allow a man-in-the-middle type of attacker
  to intercept, inject or disrupt Junos Space cluster operations between two
  nodes. (PR 983910)

CVE-2017-10624
  CVSS base score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Summary: Insufficient verification of node certificates in Juniper Networks
  Junos Space may allow a man-in-the-middle type of attacker to make
  unauthorized modifications of the Space database or add nodes. (PR 1176959)

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

SOLUTION:

The following software releases have been updated to resolve these issues:
17.1R1 and all subsequent releases.

These issues are being tracked as PRs 1290443, 1231289, 983910, 1176959,
1214448 and are visible on the Customer Support website.

WORKAROUND:

There are no viable workarounds for this issue.
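The bulletin states the affected range as "prior to 17.1R1" and the fix as "17.1R1 and all subsequent releases". The Python script below, added here as an illustration and not part of the AusCERT or Juniper text, turns that statement into an inventory check: it parses Junos-style release strings, orders them, and flags every host still on an affected release. The release grammar MAJOR.MINOR R N [-S M], the hostnames and the versions in SAMPLE_INVENTORY are assumptions constructed for the example; unparseable versions are deliberately reported as affected rather than skipped.

```python
import re
from typing import List, NamedTuple, Tuple

# First fixed release named in the bulletin: "17.1R1 and all subsequent releases".
FIXED_RELEASE = "17.1R1"


class JunosRelease(NamedTuple):
    """Orderable form of a release string; tuple order gives release order."""
    major: int
    minor: int
    release: int
    service: int  # "-Sn" service-release suffix, 0 when absent (assumed grammar)

    @classmethod
    def parse(cls, text: str) -> "JunosRelease":
        # Assumed grammar: MAJOR.MINOR R N [-S M], e.g. 16.1R2, 17.1R1, 16.1R3-S2.
        m = re.fullmatch(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?", text.strip())
        if not m:
            raise ValueError(f"unrecognised release string: {text!r}")
        major, minor, release, service = m.groups()
        return cls(int(major), int(minor), int(release), int(service or 0))


def is_affected(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when `version` sorts before the first fixed release."""
    return JunosRelease.parse(version) < JunosRelease.parse(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (host, version, affected) per entry. A version that cannot be
    parsed is reported as affected so it is reviewed rather than ignored."""
    results = []
    for host, version in inventory:
        try:
            affected = is_affected(version)
        except ValueError:
            affected = True
        results.append((host, version, affected))
    return results


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("space-01.example", "16.1R2"),
    ("space-02.example", "17.1R1"),
    ("space-03.example", "17.2R1"),
    ("space-04.example", "15.2R2-S1"),
    ("space-05.example", "unknown"),
]

if __name__ == "__main__":
    for host, version, affected in triage(SAMPLE_INVENTORY):
        status = "UPGRADE to 17.1R1 or later" if affected else "ok"
        print(f"{host:20} {version:12} {status}")
```

Replace SAMPLE_INVENTORY with the output of whatever asset inventory records Junos Space versions; the comparison is done on parsed numeric fields, so a naive string compare (where "16.1R2" would wrongly sort after "17.1R1" under some schemes, or "17.1R10" before "17.1R2") is avoided.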
It is good security practice to limit the exploitable attack surface of critical
infrastructure networking equipment. Use access lists or firewall filters to
limit access to the device from trusted, administrative networks or hosts.

IMPLEMENTATION:

Junos Space Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/space.

MODIFICATION HISTORY:

2017-10-11: Initial Publication.
2017-10-17: Fix summary descriptions of CVE-2017-10623, CVE-2017-10624.

RELATED LINKS:

KB16613: Overview of the Juniper Networks SIRT Monthly Security Bulletin
         Publication Process
KB16765: In which releases are vulnerabilities fixed?
KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
         Advisories
Report a Vulnerability - How to Contact the Juniper Networks Security Incident
Response Team

CVSS SCORE:

8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

RISK LEVEL:

High

RISK ASSESSMENT:

Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWegCn4x+lLeg9Ub1AQjPeQ//Q7cZYRe/IpHQzdV4WePF7eTfG1P7Pbhx
zkRWD94mdh/vkQYi6VnrespoyVsyCnJBkSJe5fZebRoiRBRUG+1T3c6ETCXlAQ0G
0TNVXaSWV3QDef09RHZjdnI0jTtBgjHjopKtV73HdZz6Io18Gypy4cIZI+dxa3+L
zAnO59hOpIOo4COSaKYcxJakg0chh7d/ePhyaJnxBVUSXV9olOx8L53jPBF7uMrN
+baTf3fjRJyv0XJ7IsgbnN6whcTVkvCO37YAXW5LMB11VFZ7kKhbQ7tZpKIuDXFp
MOvUVK4XtWAxmAgG+dbj5Nhms6/cR8DTB09v8C3MsIWtivjL+NjKQcBgZZHmh/C3
JJXfYwHkhK+fZl2COk4M3ZgufGBgcpJF4r3yApQ0AEH6UJ8jNDEZJQq54hhJV1Q6
ZuzHotV8V4EJ37ZRjTBfKaseknY1ofpr/ddz5v3agewwpIOioidtmZMsY4Vt2DAI
R2dWco8qSJF71ryOio0m2V2zmxA0QQFixjey61x6EpF/6rVk0+MbmPQggWvWqU6D
QqubHRk+fTuF7VKkJ/Uiw4iDuEHaPpG8wCVzl0b6Q7ZuKJJNKSzwdr31cytchk8j
EQUrdyKRBUiUBQxzZx/aDW+MasT9sjUAHDyw5VLFuAwNNY/qMKYIvz2YfycdKCzy
PnbVas0107w=
=HXtw
-----END PGP SIGNATURE-----