===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.0129
Multiple vulnerabilities have been identified
11 January 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:          Juniper Junos OS
Publisher:        Juniper Networks
Operating System: Juniper
Impact/Access:    Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                  Increased Privileges            -- Existing Account
                  Root Compromise                 -- Console/Physical
                  Denial of Service               -- Remote/Unauthenticated
                  Unauthorised Access             -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-0009 CVE-2018-0008 CVE-2018-0007 CVE-2018-0006
                  CVE-2018-0005 CVE-2018-0004 CVE-2018-0003 CVE-2018-0002
                  CVE-2018-0001 CVE-2016-8858
Reference:        ESB-2017.0477 ESB-2017.0208 ESB-2017.0172 ESB-2016.2946
                  ESB-2016.2583

Original Bulletin:
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10828
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10829
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10830
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10831
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10832
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10833
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10834
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10835
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10836
  https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10837

Comment: This bulletin contains ten (10) Juniper Networks security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2018-01 Security Bulletin: Junos: Unauthenticated Remote Code Execution through J-Web interface (CVE-2018-0001)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.

Problem:
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process.

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D67;
  12.3 versions prior to 12.3R12-S5;
  12.3X48 versions prior to 12.3X48-D35;
  14.1 versions prior to 14.1R8-S5, 14.1R9;
  14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50;
  14.2 versions prior to 14.2R7-S7, 14.2R8;
  15.1 versions prior to 15.1R3;
  15.1X49 versions prior to 15.1X49-D30;
  15.1X53 versions prior to 15.1X53-D70.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0001.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D67, 12.3R12-S8*, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D44, 14.1X53-D50, 14.2R7-S7, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R7, 15.1X49-D100, 15.1X53-D70, 16.1R4-S6, 16.1R5, 16.2R2-S2, 16.2R3, 17.1R2-S5*, 17.1R3*, 17.2R2, 17.3R1, and all subsequent releases.

*Pending release

Note: While Junos OS 12.3R12-S5, 12.3X48-D35, 15.1F2+, 15.1R3, 15.1X49-D30, and all subsequent releases are not vulnerable, this issue has been proactively resolved.

This issue is being tracked as PR 1269932 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disable J-Web, or limit access to only trusted hosts.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0001: Junos: Unauthenticated Remote Code Execution through J-Web interface

CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level: Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
Juniper SIRT would like to acknowledge and thank Cure53 for responsibly reporting this vulnerability.

--------------------------------------------------------------------------------

2018-01 Security Bulletin: MX series, SRX series: Junos OS: Denial of service vulnerability in Flowd on devices with ALG enabled. (CVE-2018-0002)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 14.1, 14.2, 15.1, 15.1X49, 16.1, 16.2, 17.1. Affected platforms: MX series, SRX series.

Problem:
On SRX Series and MX Series devices with a Service PIC with any ALG enabled, a crafted TCP/IP response packet processed through the device results in memory corruption leading to a flowd daemon crash. Sustained crafted response packets lead to repeated crashes of the flowd daemon which results in an extended Denial of Service condition.

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D60 on SRX series;
  12.3X48 versions prior to 12.3X48-D35 on SRX series;
  14.1 versions prior to 14.1R9 on MX series;
  14.2 versions prior to 14.2R8 on MX series;
  15.1X49 versions prior to 15.1X49-D60 on SRX series;
  15.1 versions prior to 15.1R5-S8, 15.1F6-S9, 15.1R6-S4, 15.1R7 on MX series;
  16.1 versions prior to 16.1R6 on MX series;
  16.2 versions prior to 16.2R3 on MX series;
  17.1 versions prior to 17.1R2-S4, 17.1R3 on MX series.

No other Juniper Networks products or platforms are affected by this issue.

This issue affects any enabled IPv4 ALG. This issue only affects IPv4. This issue does not affect IPv6. This issue affects unicast traffic only.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0002.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D60, 12.3X48-D35, 14.1R9, 14.2R8, 15.1X49-D60, 15.1R5-S8, 15.1R6-S4, 15.1F6-S9, 15.1R7, 16.1R6, 16.2R3, 17.1R2-S4, 17.1R3, 17.2R1 and all subsequent releases.

This issue is being tracked as 1183181 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disable IPv4 ALGs on affected devices.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0002: MX series, SRX series: Junos OS: Denial of service vulnerability in Flowd on devices with ALG enabled.

CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: Malicious LLDP crafted packet leads to privilege escalation, denial of service. (CVE-2018-0007)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1.

Problem:
An unauthenticated network-based attacker able to send a maliciously crafted LLDP packet to the local segment, through a local segment broadcast, may be able to cause a Junos device to enter an improper boundary check condition allowing a memory corruption to occur, leading to a denial of service. Further crafted packets may be able to sustain the denial of service condition.
Score: 6.5 MEDIUM (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Further, if the attacker is authenticated on the target device receiving and processing the malicious LLDP packet, while receiving the crafted packets, the attacker may be able to perform command or arbitrary code injection over the target device thereby elevating their permissions and privileges, and taking control of the device.
Score: 7.8 HIGH (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated network-based attacker able to send a maliciously crafted LLDP packet to one or more local segments, via LLDP proxy / tunneling agents or other LLDP through Layer 3 deployments, through one or more local segment broadcasts, may be able to cause multiple Junos devices to enter an improper boundary check condition allowing a memory corruption to occur, leading to multiple distributed denials of service. These denial of service attacks may cascade to adjacent connected devices, impacting network devices, servers, workstations, etc. Further crafted packets may be able to sustain these denial of service conditions.
Score: 6.8 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)

Further, if the attacker is authenticated on one or more target devices receiving and processing these malicious LLDP packets, while receiving the crafted packets, the attacker may be able to perform command or arbitrary code injection over multiple target devices thereby elevating their permissions and privileges, and taking control of multiple devices.
Score: 7.8 HIGH (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D71;
  12.3 versions prior to 12.3R12-S7;
  12.3X48 versions prior to 12.3X48-D55;
  14.1 versions prior to 14.1R8-S5, 14.1R9;
  14.1X53 versions prior to 14.1X53-D46, 14.1X53-D50, 14.1X53-D107;
  14.2 versions prior to 14.2R7-S9, 14.2R8;
  15.1 versions prior to 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R5-S7, 15.1R7;
  15.1X49 versions prior to 15.1X49-D90;
  15.1X53 versions prior to 15.1X53-D65;
  16.1 versions prior to 16.1R4-S6, 16.1R5;
  16.1X65 versions prior to 16.1X65-D45;
  16.2 versions prior to 16.2R2;
  17.1 versions prior to 17.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0007.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3X48-D55, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D46, 14.1X53-D50, 14.2R7-S9, 14.2R8, 15.1F2-S17, 15.1F5-S8, 15.1F6-S8, 15.1R7, 15.1X49-D90, 15.1X53-D65, 16.1R4-S6, 16.1R5, 16.1X65-D45, 16.2R2, 17.1R2, 17.2R1, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

This issue is being tracked as 1252823 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
No viable workarounds exist other than to implement IDP or other filters that prevent the LLDP packet itself from reaching LLDP proxy agents, or devices receiving and processing LLDP packets.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via all means to only trusted, administrative networks, hosts and users.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0007: Junos OS: Malicious LLDP crafted packet leads to privilege escalation, denial of service.

CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
We would like to acknowledge and thank the UK's National Cyber Security Centre (NCSC).

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: A crafted MPLS packet may lead to a kernel crash (CVE-2018-0003)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3R12, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75.

Problem:
A specially crafted MPLS packet received or processed by the system, on an interface configured with MPLS, will store information in the system memory. Subsequently, if this stored information is accessed, this may result in a kernel crash leading to a denial of service.

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D71;
  12.3R12 versions prior to 12.3R12-S7;
  12.3X48 versions prior to 12.3X48-D55;
  14.1 versions prior to 14.1R8-S5, 14.1R9;
  14.1X53 versions prior to 14.1X53-D45, 14.1X53-D107;
  14.2 versions prior to 14.2R7-S7, 14.2R8;
  15.1 versions prior to 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R6-S3, 15.1R7;
  15.1X49 versions prior to 15.1X49-D100;
  15.1X53 versions prior to 15.1X53-D65, 15.1X53-D231;
  16.1 versions prior to 16.1R3-S6, 16.1R4-S6, 16.1R5;
  16.1X65 versions prior to 16.1X65-D45;
  16.2 versions prior to 16.2R2-S1, 16.2R3;
  17.1 versions prior to 17.1R2-S2, 17.1R3;
  17.2 versions prior to 17.2R1-S3, 17.2R2;
  17.2X75 versions prior to 17.2X75-D50.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0003.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3R12-S7, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D45, 14.1X53-D107, 14.2R7-S7, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R6-S3, 15.1R7, 15.1X49-D100, 15.1X53-D65, 15.1X53-D231, 16.1R3-S6, 16.1R4-S6, 16.1R5, 16.1R3-S6, 16.1R4-S6, 16.1R5, 16.1X65-D45, 16.2R2-S1, 16.2R3, 17.1R2-S2, 17.1R3, 17.2R1-S3, 17.2R2, 17.2X75-D50, 17.3R1, and all subsequent releases.

This issue is being tracked as 1276786 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Disallow MPLS packets from reaching the device. Remove MPLS configuration stanzas from interface configurations that are at risk. No other viable workarounds exist for this issue.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0003: Junos OS: A crafted MPLS packet may lead to a kernel crash

CVSS Score: 6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: Kernel Denial of Service Vulnerability (CVE-2018-0004)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3R, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.

Problem:
A sustained sequence of different types of normal transit traffic can trigger a high CPU consumption denial of service condition in the Junos OS register and schedule software interrupt handler subsystem when a specific command is issued to the device. This affects one or more threads and conversely one or more processes running on the system. Once this occurs, the high CPU event(s) affects either or both the forwarding and control plane. As a result of this condition the device can become inaccessible in either or both the control and forwarding plane and stops forwarding traffic until the device is rebooted.
Score: 5.7 MEDIUM (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

For network designs utilizing layer 3 forwarding agents or other ARP through layer 3 technologies, the score is slightly higher.
Score: 6.5 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

The issue will reoccur after reboot upon receiving further transit traffic.

If the following entry exists in the RE message logs then this may indicate the issue is present. This entry may or may not appear when this issue occurs.

  /kernel: Expensive timeout(9) function:

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D50;
  12.3X48 versions prior to 12.3X48-D30;
  12.3R versions prior to 12.3R12-S7;
  14.1 versions prior to 14.1R8-S4, 14.1R9;
  14.1X53 versions prior to 14.1X53-D30, 14.1X53-D34;
  14.2 versions prior to 14.2R8;
  15.1 versions prior to 15.1F6, 15.1R3;
  15.1X49 versions prior to 15.1X49-D40;
  15.1X53 versions prior to 15.1X53-D31, 15.1X53-D33, 15.1X53-D60.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0004.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D50, 12.3R12-S7, 12.3X48-D30, 14.1R8-S4, 14.1R9, 14.1X53-D30, 14.1X53-D34, 14.2R8, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D31, 15.1X53-D33, 15.1X53-D60, 16.1R1, and all subsequent releases.

This issue is being tracked as 1145306 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
There are no viable workarounds for this issue.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0004: Junos OS: Kernel Denial of Service Vulnerability

CVSS Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: MAC move limit configured to drop traffic may forward traffic. (CVE-2018-0005)

Product Affected:
This issue affects Junos OS 14.1X53, 15.1, 15.1X53.

Problem:
QFX and EX Series switches configured to drop traffic when the MAC move limit is exceeded will forward traffic instead of dropping traffic. This can lead to denials of services or other unintended conditions.

Affected releases are Juniper Networks Junos OS:
  14.1X53 versions prior to 14.1X53-D40;
  15.1X53 versions prior to 15.1X53-D55;
  15.1 versions prior to 15.1R7.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0005.

Solution:
The following software releases have been updated to resolve this specific issue: 14.1X53-D40, 15.1X53-D55, 15.1X53-D60, 16.1R1, and all subsequent releases.

This issue is being tracked as 1105372 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
To decrease the risk of seeing the issue, increase the MAC move limit rate on the device, or to work around the issue until a fix can be taken, remove the MAC move limit from the device's running configuration. These actions may introduce other possible unintended consequences to customer environments and should be evaluated carefully on a case-by-case basis and are not complete mitigations.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0005: Junos OS: MAC move limit configured to drop traffic may forward traffic.

CVSS Score: 7.4 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Risk Level: High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos: bbe-smgd process denial of service while processing VLAN authentication requests/rejects (CVE-2018-0006)

Product Affected:
This issue affects Junos OS 15.1, 16.1, 16.2, 17.1, 17.2.

Problem:
A high rate of VLAN authentication attempts sent from an adjacent host on the local broadcast domain can trigger high memory utilization by the BBE subscriber management daemon (bbe-smgd), and lead to a denial of service condition. The issue was caused by attempting to process an unbounded number of pending VLAN authentication requests, leading to excessive memory allocation.

This issue only affects devices configured for DHCPv4/v6 over AE auto-sensed VLANs, utilized in Broadband Edge (BBE) deployments. Other configurations are unaffected by this issue.

Affected releases are Juniper Networks Junos OS:
  15.1 versions prior to 15.1R6-S2, 15.1R7;
  16.1 versions prior to 16.1R5-S1, 16.1R6;
  16.2 versions prior to 16.2R2-S2, 16.2R3;
  17.1 versions prior to 17.1R2-S5, 17.1R3;
  17.2 versions prior to 17.2R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0006.

Solution:
The following software releases have been updated to resolve this specific issue: 15.1R6-S2, 15.1R7, 16.1R5-S1, 16.1R6, 16.2R2-S2, 16.2R3, 17.1R2-S5*, 17.1R3*, 17.2R2, 17.3R1, 17.4R1, and all subsequent releases.

*pending release

This issue is being tracked as PRs 1284213 and 1268129 which are visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Since this issue is specific to auto-sense or dynamic VLANs, utilizing a static VLAN model will mitigate this issue.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0006: Junos OS: bbe-smgd process denial of service while processing VLAN authentication requests/rejects

CVSS Score: 6.5 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos: commit script may allow unauthenticated root login upon reboot (CVE-2018-0008)

Product Affected:
This issue affects all products and platforms running Junos OS 12.1X46, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53, 16.1.

Problem:
An unauthenticated root login may be allowed upon reboot when a commit script is used. A commit script allows a device administrator to execute certain instructions during commit, which is configured under the [system scripts commit] stanza. Certain commit scripts that work without a problem during normal commit may cause unexpected behavior upon reboot which can leave the system in a state where root CLI login is allowed without a password due to the system reverting to a "safe mode" authentication state. Lastly, only logging in physically to the console port as root, with no password, will work.

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D71 on SRX;
  12.3X48 versions prior to 12.3X48-D55 on SRX;
  14.1 versions prior to 14.1R9;
  14.1X53 versions prior to 14.1X53-D40 on QFX, EX;
  14.2 versions prior to 14.2R7-S9, 14.2R8;
  15.1 versions prior to 15.1F5-S7, 15.1F6-S8, 15.1R5-S6, 15.1R6;
  15.1X49 versions prior to 15.1X49-D110 on SRX;
  15.1X53 versions prior to 15.1X53-D232 on QFX5200/5110;
  15.1X53 versions prior to 15.1X53-D49, 15.1X53-D470 on NFX;
  15.1X53 versions prior to 15.1X53-D65 on QFX10K;
  16.1 versions prior to 16.1R2.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0008.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3X48-D55, 14.1R9, 14.1X53-D40, 14.2R7-S9, 14.2R8, 15.1F5-S7, 15.1F6-S8, 15.1R5-S6, 15.1R6, 15.1X49-D110, 15.1X53-D49, 15.1X53-D470, 15.1X53-D232, 15.1X53-D65, 16.1R2, 16.2R1 and all subsequent releases.

This issue is being tracked as 1179601 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
While no published workaround exists for this issue, customers can verify whether their commit script contains the affected configuration by rebooting the device. Please contact JTAC if after the reboot the device enters a state where root CLI login is allowed without a password.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0008: Junos OS: commit script may allow unauthenticated root login upon reboot

CVSS Score: 6.2 (CVSS:3.0/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

SRX Series: Firewall bypass vulnerability when UUID with leading zeros is configured. (CVE-2018-0009)

Product Affected:
This issue affects Junos OS 12.1X46, 12.3X48, 15.1X49. Affected platforms: SRX series.

Problem:
On Juniper Networks SRX series devices, firewall rules configured to match custom application UUIDs starting with zeros can match all TCP traffic. Due to this issue, traffic that should have been blocked by other rules is permitted to flow through the device resulting in a firewall bypass condition.

Affected releases are Juniper Networks Junos OS:
  12.1X46 versions prior to 12.1X46-D71 on SRX series;
  12.3X48 versions prior to 12.3X48-D55 on SRX series;
  15.1X49 versions prior to 15.1X49-D100 on SRX series.

This issue is only applicable to SRX series devices with a configuration containing UUIDs that start with one or more zeros. For example:

  set applications application <application-name> uuid 01234567-1234-1234-1234-123456789abc

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen in a production network.

This issue has been assigned CVE-2018-0009.

Solution:
The following software releases have been updated to resolve this specific issue: 12.1X46-D71, 12.3X48-D55, 15.1X49-D100, 17.3R1, and all subsequent releases.

This issue is being tracked as 1261522 which is visible on the Customer Support website.
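
Added example (not part of the Juniper or AusCERT text): a Python check for the CVE-2018-0009 condition described above, which scans a Junos configuration in set format or curly-brace format for application UUIDs that start with one or more zeros. The sample configurations and application names are constructed, and tolerating extra tokens (such as a term) between the application name and uuid is an assumption beyond the single form the advisory shows.

```python
"""Audit a Junos configuration for the CVE-2018-0009 condition:
custom application UUIDs that start with one or more zeros."""
import re
from typing import List, NamedTuple

UUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# set-format line, as in the advisory's example. Extra tokens between the
# application name and "uuid" (assumed, e.g. "term t1 protocol tcp") and a
# leading "groups <name>" are tolerated.
SET_RE = re.compile(
    r"^set\s+(?:groups\s+\S+\s+)?applications\s+application\s+(\S+)\s+"
    r"(?:\S+\s+)*?uuid\s+(" + UUID + r")\s*$"
)
# curly-brace statement such as "uuid <value>;" or "term t1 ... uuid <value>;"
STMT_RE = re.compile(r"\buuid\s+(" + UUID + r")\s*;")


class Finding(NamedTuple):
    line_no: int
    application: str
    uuid: str
    leading_zeros: int


def leading_zeros(uuid: str) -> int:
    """Count zero hex digits at the start of the UUID, ignoring dashes."""
    digits = uuid.replace("-", "")
    return len(digits) - len(digits.lstrip("0"))


def enclosing_application(stack: List[str]) -> str:
    """Return the application name if the open blocks include
    'applications { application <name> {', else an empty string."""
    for outer, inner in zip(stack, stack[1:]):
        parts = inner.split()
        if outer == "applications" and len(parts) == 2 and parts[0] == "application":
            return parts[1]
    return ""


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per UUID statement whose value starts with a zero."""
    findings = []
    stack: List[str] = []  # headers of the currently open { } blocks
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SET_RE.match(line)
        if match:
            name, uuid = match.group(1), match.group(2)
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
            continue
        elif line.startswith("}"):
            if stack:
                stack.pop()
            continue
        else:
            match = STMT_RE.search(line)
            name = enclosing_application(stack)
            if not (match and name):
                continue
            uuid = match.group(1)
        zeros = leading_zeros(uuid)
        if zeros:
            findings.append(Finding(line_no, name, uuid.lower(), zeros))
    return findings


# Constructed sample configurations (not taken from any real device).
SAMPLE_SET = """\
set applications application custom-rpc-a protocol tcp
set applications application custom-rpc-a uuid 01234567-1234-1234-1234-123456789abc
set applications application custom-rpc-b term t1 protocol tcp uuid 12345678-1234-1234-1234-123456789abc
set groups lab applications application custom-rpc-c uuid 000a4567-1234-1234-1234-123456789abc
"""

SAMPLE_CURLY = """\
applications {
    application custom-rpc-d {
        term t1 protocol tcp uuid 00000000-1234-1234-1234-123456789abc;
    }
    application custom-rpc-e {
        uuid abcdef01-1234-1234-1234-123456789abc;
    }
}
"""

if __name__ == "__main__":
    for label, sample in (("set format", SAMPLE_SET), ("curly format", SAMPLE_CURLY)):
        for f in audit_config(sample):
            print(f"{label}: line {f.line_no}: application {f.application} "
                  f"uuid {f.uuid} starts with {f.leading_zeros} zero digit(s)")
```

Any finding on a release older than the fixed versions listed in the Solution means the rule may match all TCP traffic; the advisory's workaround is to avoid such UUIDs.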

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Do not use UUIDs starting with zeros in the configuration.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2018-0009: SRX Series: Firewall bypass vulnerability when UUID with leading zeros is configured.

CVSS Score: 5.4 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

--------------------------------------------------------------------------------

2018-01 Security Bulletin: Junos OS: OpenSSH Memory exhaustion due to unregistered KEXINIT handler (CVE-2016-8858)

Product Affected:
This issue affects Junos OS 12.3X48, 15.1, 15.1X49, 15.1X53, 16.1, 16.2.

Problem:
Remote network based attackers can cause the OpenSSH server on Junos OS to allocate an excessive amount of memory. This can potentially create a denial of service condition for the device.

The issue only occurs if SSH is enabled. An attacker must be able to first establish a connection to the SSH service on the device. This vulnerability cannot be triggered from hosts or networks that cannot reach the SSH port on the device.

Affected releases are Juniper Networks Junos OS:
  12.3X48 versions 12.3X48-D55 and above but prior to 12.3X48-D65;
  15.1R5-S4, 15.1R5-S5;
  15.1R6;
  15.1X49 versions 15.1X49-D100 and above, but prior to 15.1X49-D121;
  15.1X53-D57;
  16.1 versions prior to 16.1R4-S6, 16.1R5;
  16.2 versions prior to 16.2R2.

The issue only affects devices where SSH is enabled.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2016-8858.

Solution:
The following software releases have been updated to resolve this specific issue: 12.3X48-D65, 15.1R5-S6, 15.1R7, 15.1X49-D121, 16.1R4-S6, 16.1R5, 16.2R2, 17.1R1, 17.2R1, and all subsequent releases.

This issue is being tracked as 1228873 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:
Use access lists or firewall filters to limit access to the device, so that it can only be accessed from trusted hosts. Restrict access to only highly trusted administrators.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

Modification History:
2018-01-10: Initial publication

Related Links:
  KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  KB16765: In which releases are vulnerabilities fixed?
  KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  Report a Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  CVE-2016-8858: OpenSSH Memory exhaustion due to unregistered KEXINIT handler

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level: Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================