===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.2014
Multiple vulnerabilities patched in Junos OS
12 July 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Increased Privileges      -- Existing Account
                   Denial of Service         -- Remote/Unauthenticated
                   Access Confidential Data  -- Remote/Unauthenticated
                   Unauthorised Access       -- Remote/Unauthenticated
                   Reduced Security          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0034 CVE-2018-0032 CVE-2018-0031
                   CVE-2018-0030 CVE-2018-0029 CVE-2018-0027
                   CVE-2018-0026 CVE-2018-0025 CVE-2018-0024
                   CVE-2015-7236
Reference:         ASB-2016.0043
                   ESB-2018.0154
                   ESB-2015.2479

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10857
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10858
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10859
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10860
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10861
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10863
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10864
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10865
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10866
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10868

Comment: This bulletin contains ten (10) Juniper security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

2018-07 Security Bulletin: Junos OS: A privilege escalation vulnerability exists where authenticated users with shell access can become root (CVE-2018-0024) [JSA10857]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1X49.
Affected platforms: EX Series, QFX3500, QFX3600, QFX5100, SRX Series.

PROBLEM:
An Improper Privilege Management vulnerability in a shell session of Juniper Networks Junos OS allows an authenticated unprivileged attacker to gain full control of the system.

Affected releases are Juniper Networks Junos OS:
   12.1X46 versions prior to 12.1X46-D45 on SRX Series;
   12.3X48 versions prior to 12.3X48-D20 on SRX Series;
   12.3 versions prior to 12.3R11 on EX Series;
   14.1X53 versions prior to 14.1X53-D30 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
   15.1X49 versions prior to 15.1X49-D20 on SRX Series.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0024.

SOLUTION:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D45, 12.3X48-D20, 12.3R11, 14.1X53-D30, 15.1X49-D20 and all subsequent releases.

This issue is being tracked as PR 1004217 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Disallow unprivileged authenticated users access to Junos shell. Limit shell access to only trusted administrators.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.
CVE-2018-0024 Junos OS: A privilege escalation vulnerability exists where authenticated users with shell access can become root

CVSS SCORE: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
RISK LEVEL: High

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: SRX Series: Credentials exposed when using HTTP and HTTPS Firewall Pass-through User Authentication (CVE-2018-0025) [JSA10858]

PRODUCT AFFECTED:
Junos OS

PROBLEM:
When an SRX Series device is configured to use HTTP/HTTPS pass-through authentication services, a client sending authentication credentials in the initial HTTP/HTTPS session is at risk that these credentials may be captured during follow-on HTTP/HTTPS requests by a malicious actor through a man-in-the-middle attack or by authentic servers subverted by malicious actors.

FTP and Telnet pass-through authentication services are not affected.

Affected releases are Juniper Networks SRX Series:
   12.1X46 versions prior to 12.1X46-D67 on SRX Series;
   12.3X48 versions prior to 12.3X48-D25 on SRX Series;
   15.1X49 versions prior to 15.1X49-D35 on SRX Series.

For further information on configuration stanza please refer to the URLs below.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0025.

SOLUTION:
The following software releases have been updated to resolve this specific issue: Junos OS: 12.1X46-D67, 12.3X48-D25, 15.1X49-D35, 17.3R1 and all subsequent releases.

This issue is being tracked as PR 1122278 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
1. Discontinue use of HTTP/HTTPS Pass-through Firewall User Authentication
2. Use web-redirect when using Pass-through Firewall User Authentication

Example:
    set security policies from-zone * to-zone * policy * then permit firewall-authentication pass-through web-redirect

For additional configuration guidance, customers should contact JTAC Support.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0025 Junos OS: SRX Series: Credentials exposed when using HTTP and HTTPS Firewall Pass-through User Authentication (CVE-2018-0025)
Understanding Pass-Through Authentication
Example: Configuring Pass-Through Authentication
Example: Configuring HTTPS Traffic to Trigger Pass-Through Authentication

CVSS SCORE: 6.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N)
RISK LEVEL: Medium

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Stateless IP firewall filter rules stop working as expected after reboot or upgrade (CVE-2018-0026) [JSA10859]

PRODUCT AFFECTED:
This issue affects Junos OS 15.1, 15.1X8.

PROBLEM:
After Junos OS device reboot or upgrade, the stateless firewall filter configuration may not take effect.

This issue can be verified by running the command:

    user@re0> show interfaces <interface_name> extensive | match filters
    CAM destination filters: 0, CAM source filters: 0

Note: when the issue occurs, it does not show the applied firewall filter. The correct output should show the applied firewall filter, for example:

    user@re0> show interfaces <interface_name> extensive | match filters
    CAM destination filters: 0, CAM source filters: 0
    Input Filters: FIREWAL_FILTER_NAME-<interface_name>

This issue affects firewall filters for every address family.

Affected releases are Juniper Networks Junos OS:
   15.1R4, 15.1R5, 15.1R6 and SRs based on these MRs.
   15.1X8 versions prior to 15.1X8.3.
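
The verification described above for CVE-2018-0026, as an added example that is not part of the Juniper advisory or the AusCERT bulletin: a Python check that reads captured "show interfaces <interface_name> extensive | match filters" output and flags interfaces whose intended input filter is no longer listed after a reboot or upgrade. The interface names, filter names and captured output are constructed, and the intended filter per interface is assumed to come from your own configuration records.

```python
import re

# The line the advisory says is present when a stateless filter is applied.
INPUT_FILTERS_RE = re.compile(r"^\s*Input Filters:\s*(\S.*?)\s*$", re.MULTILINE)

# Constructed sample data: the input filter each interface is meant to carry.
SAMPLE_EXPECTED = {
    "ge-0/0/0": "PROTECT-RE",
    "ge-0/0/1": "PROTECT-RE",
    "ge-0/0/2": "EDGE-IN",
    "ge-0/0/3": "EDGE-IN",
}

# Constructed CLI captures, one per interface, collected after a reboot.
SAMPLE_CAPTURED = {
    "ge-0/0/0": "  CAM destination filters: 0, CAM source filters: 0\n"
                "  Input Filters: PROTECT-RE-ge-0/0/0\n",
    "ge-0/0/1": "  CAM destination filters: 0, CAM source filters: 0\n",
    "ge-0/0/2": "  CAM destination filters: 0, CAM source filters: 0\n"
                "  Input Filters: LEGACY-IN\n",
    # ge-0/0/3 was not collected.
}


def applied_input_filters(cli_output):
    """Return the filter names found on 'Input Filters:' lines."""
    names = []
    for match in INPUT_FILTERS_RE.finditer(cli_output):
        # Assumption: several filters on one line are comma-separated.
        names.extend(n.strip() for n in match.group(1).split(",") if n.strip())
    return names


def filter_matches(expected, applied, interface):
    """The advisory's sample shows the name as FILTER-<interface_name>,
    so accept that form as well as the bare filter name."""
    return applied in (expected, f"{expected}-{interface}")


def audit(expected, captured):
    """expected: {interface: intended input filter name}
    captured: {interface: CLI output text}
    Returns {interface: 'ok' | 'missing' | 'mismatch' | 'no-data'}."""
    report = {}
    for interface, filter_name in sorted(expected.items()):
        output = captured.get(interface)
        if output is None:
            report[interface] = "no-data"
            continue
        applied = applied_input_filters(output)
        if not applied:
            # CVE-2018-0026 symptom: only the CAM counters line comes back.
            report[interface] = "missing"
        elif any(filter_matches(filter_name, a, interface) for a in applied):
            report[interface] = "ok"
        else:
            report[interface] = "mismatch"
    return report


if __name__ == "__main__":
    for interface, status in audit(SAMPLE_EXPECTED, SAMPLE_CAPTURED).items():
        print(f"{interface:10} {status}")
```

An interface reported as "missing" matches the symptom in the advisory; the WORKAROUND section of this advisory describes how the filter is restored.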

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0026.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 15.1R7, 15.1X8.3 and all subsequent releases.

This issue is being tracked as PR 1161832 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no known workarounds for this issue. However, once the issue has occurred, it can be restored by performing "commit full" (note: "commit full" is a potentially disruptive command).

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0026: Junos OS: Stateless IP firewall filter rules stop working as expected after reboot or upgrade

CVSS SCORE: 4.7 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N)
RISK LEVEL: Medium

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: FreeBSD-SA-15:24.rpcbind : rpcbind(8) remote denial of service [JSA10860]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 15.1X54, 16.1.

PROBLEM:
A use-after-free vulnerability in rpcbind of Juniper Networks Junos OS allows an attacker to cause a Denial of Service against rpcbind.

Affected releases are Juniper Networks Junos OS:
   12.1X46 versions prior to 12.1X46-D67 on SRX Series;
   12.3R12 versions prior to 12.3R12-S10 on EX Series;
   12.3X48 versions prior to 12.3X48-D55 on SRX Series;
   14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
   14.1X53 versions prior to 14.1X53-D130 on QFabric System;
   15.1 versions prior to 15.1F5-S5, 15.1F6-S1, 15.1F7, 15.1R4-S5, 15.1R5;
   15.1X49 versions prior to 15.1X49-D110 on SRX Series;
   15.1X53 versions prior to 15.1X53-D47, 15.1X53-D470 on NFX150, NFX250;
   15.1X53 versions prior to 15.1X53-D233 on QFX5110, QFX5200;
   15.1X53 versions prior to 15.1X53-D60 on QFX10000 Series;
   15.1X53 versions prior to 15.1X53-D59 on EX2300, EX3400;
   15.1X54 versions prior to 15.1X54-D67 on ACX Series;
   16.1 versions prior to 16.1R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2015-7236.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 12.1X46-D67, 12.3R12-S10, 12.3X48-D55, 14.1X53-D47, 14.1X53-D130*, 15.1F5-S5, 15.1F6-S1, 15.1F7, 15.1R4-S5, 15.1R5, 15.1X49-D110, 15.1X53-D47, 15.1X53-D59, 15.1X53-D60, 15.1X53-D233, 15.1X53-D470, 16.1R2, 16.2R1 and all subsequent releases.

*Pending Publication

This issue is being tracked as PR 1188676 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Disable rpcbind services where not needed.*

To further reduce the risk of exploitation, customers may:
   Enable loopback firewall filters on the device to drop rpcbind from untrusted networks.
   Filter out rpcbind traffic from reaching the device by using off-system services and devices.

There are no other viable workarounds for this issue.

*Customers are advised to proceed with caution when disabling rpcbind. Customers intending to disable rpcbind should contact JTAC for supporting configuration guidance to determine if this workaround option is possible. Disabling rpcbind without review may cause a disruption to service.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2015-7236 Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.

CVSS SCORE: 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: Medium

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Receipt of malformed RSVP packet may lead to RPD denial of service (CVE-2018-0027) [JSA10861]

PRODUCT AFFECTED:
This issue affects Junos OS 16.1

PROBLEM:
Receipt of a crafted or malformed RSVP PATH message may cause the routing protocol daemon (RPD) to hang or crash. When RPD is unavailable, routing updates cannot be processed which can lead to an extended network outage.

If RSVP is not enabled on an interface, then the issue cannot be triggered via that interface.

This issue only affects Juniper Networks Junos OS 16.1 versions prior to 16.1R3. This issue does not affect Junos releases prior to 16.1R1.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0027.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 16.1R3, 16.2R1, and all subsequent releases.

This issue is being tracked as PR 1214350 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Only enable RSVP on specific trusted interfaces as required for MPLS.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0027: Junos OS: Receipt of malformed RSVP packet may lead to RPD denial of service

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Kernel crash (vmcore) during broadcast storm after enabling 'monitor traffic interface fxp0' (CVE-2018-0029) [JSA10863]

PRODUCT AFFECTED:
This issue affects Junos OS 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4.

PROBLEM:
While experiencing a broadcast storm, placing the fxp0 interface into promiscuous mode via the 'monitor traffic interface fxp0' can cause the system to crash and restart (vmcore).

This issue only affects Junos OS 15.1 and later releases, and affects both single core and multi-core REs.
Releases prior to Junos OS 15.1 are unaffected by this vulnerability.

Affected releases are Juniper Networks Junos OS:
   15.1 versions prior to 15.1F6-S11, 15.1R4-S9, 15.1R6-S6, 15.1R7;
   15.1X49 versions prior to 15.1X49-D140;
   15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400;
   15.1X53 versions prior to 15.1X53-D67 on QFX10K;
   15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110;
   15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX;
   16.1 versions prior to 16.1R3-S8, 16.1R5-S4, 16.1R6-S1, 16.1R7;
   16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
   17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
   17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
   17.2X75 versions prior to 17.2X75-D90, 17.2X75-D110;
   17.3 versions prior to 17.3R1-S4, 17.3R2;
   17.4 versions prior to 17.4R1-S3, 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0029.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 15.1F6-S11*, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R5-S4, 16.1R6-S1, 16.1R7, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D90, 17.3R1-S4, 17.3R2, 17.4R1-S3, 17.4R2, 18.1R1, 18.1X75-D10, and all subsequent releases.

*Future availability

This issue is being tracked as PR 1322294 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
Avoid executing the 'monitor traffic interface fxp0' command while attempting to troubleshoot broadcast storms.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/

MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0029: Kernel crash (vmcore) during broadcast storm after enabling 'monitor traffic interface fxp0'

CVSS SCORE: 5.7 (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
RISK LEVEL: Medium

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) and PTX1K: Line card may crash upon receipt of specific MPLS packet (CVE-2018-0030) [JSA10864]

PRODUCT AFFECTED:
This issue affects Junos OS platforms with MPC7/8/9 or PTX-FPC3 (FPC-P1, FPC-P2) installed and PTX1K 15.1, 15.1F, 16.1, 16.1X65, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4.

PROBLEM:
Receipt of a specific MPLS packet may cause MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) line cards or PTX1K to crash and restart. By continuously sending specific MPLS packets, an attacker can repeatedly crash the line cards or PTX1K causing a sustained Denial of Service.

Affected releases are Juniper Networks Junos OS with MPC7/8/9 or PTX-FPC3 (FPC-P1, FPC-P2) installed and PTX1K:
   15.1F versions prior to 15.1F6-S10;
   15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
   16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7;
   16.1X65 versions prior to 16.1X65-D46;
   16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
   17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
   17.2 versions prior to 17.2R1-S4, 17.2R2-S4, 17.2R3;
   17.2X75 versions prior to 17.2X75-D70, 17.2X75-D90;
   17.3 versions prior to 17.3R1-S4, 17.3R2;
   17.4 versions prior to 17.4R1-S2, 17.4R2.

Refer to KB25385 for more information about PFE line cards.

This issue only affects devices with MPLS configured.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0030.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3X48-D70, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D471, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.1X65-D46, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S4, 17.2R2-S4, 17.2R3, 17.2X75-D70, 17.3R1-S4, 17.3R2, 17.4R1-S2, 17.4R2, 18.1R1, 18.1X75-D10 and all subsequent releases.

This fix has been proactively committed into other releases that might not support these specific line cards.

This issue is being tracked as PR 1323069 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
No available workaround exists for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0030: Junos OS: Junos OS: MPC7/8/9, PTX-FPC3 (FPC-P1, FPC-P2) and PTX1K: Line card may crash upon receipt of specific MPLS packet
A mapping between chipset type and PFE module

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: Receipt of specially crafted UDP packets over MPLS may bypass stateless IP firewall rules (CVE-2018-0031) [JSA10865]

PRODUCT AFFECTED:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.2X75, 17.3, 17.4, 18.1, 18.2X75.

PROBLEM:
Receipt of specially crafted UDP/IP packets over MPLS may be able to bypass a stateless firewall filter. The crafted UDP packets must be encapsulated and meet a very specific packet format to be classified in a way that bypasses IP firewall filter rules.
The packets themselves do not cause a service interruption (e.g. RPD crash), but receipt of a high rate of UDP packets may be able to contribute to a denial of service attack.

This issue only affects processing of transit UDP/IP packets over MPLS, received on an interface with MPLS enabled. TCP packet processing and non-MPLS encapsulated UDP packet processing are unaffected by this issue.

Affected releases are Juniper Networks Junos OS:
   12.1X46 versions prior to 12.1X46-D76;
   12.3 versions prior to 12.3R12-S10;
   12.3X48 versions prior to 12.3X48-D66, 12.3X48-D70;
   14.1X53 versions prior to 14.1X53-D47;
   15.1 versions prior to 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7;
   15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140;
   15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400;
   15.1X53 versions prior to 15.1X53-D67 on QFX10K;
   15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110;
   15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX;
   16.1 versions prior to 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7;
   16.2 versions prior to 16.2R1-S6, 16.2R2-S5, 16.2R3;
   17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
   17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
   17.2X75 versions prior to 17.2X75-D100, 17.2X75-D110;
   17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
   17.4 versions prior to 17.4R1-S3, 17.4R2;
   18.1 versions prior to 18.1R2;
   18.2X75 versions prior to 18.2X75-D5.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0031.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 12.1X46-D76, 12.3X48-D66, 12.3X48-D70, 14.1X53-D47, 15.1F6-S10, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S8, 16.1R4-S9, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R1-S6, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D100, 17.2X75-D110, 17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R2, 18.2R1, 18.2X75-D5, and all subsequent releases.

This issue is being tracked as PR 1326402 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no viable workarounds for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/

MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0031: Receipt of specially crafted UDP packets over MPLS may bypass stateless IP firewall rules

CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
RISK LEVEL: Medium

ACKNOWLEDGEMENTS:
The Juniper SIRT would like to acknowledge and thank Internet2 and The Indiana University GlobalNOC for responsibly disclosing this vulnerability.

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: RPD crash when receiving a crafted BGP UPDATE (CVE-2018-0032) [JSA10866]

PRODUCT AFFECTED:
This issue affects Junos OS 16.1X65, 17.2X75, 17.3, 17.4

PROBLEM:
The receipt of a crafted BGP UPDATE can lead to a routing process daemon (RPD) crash and restart. Repeated receipt of the same crafted BGP UPDATE can result in an extended denial of service condition for the device.

This issue only affects the specific versions of Junos OS listed within this advisory. Earlier releases are unaffected by this vulnerability.

This crafted BGP UPDATE does not propagate to other BGP peers.

Affected releases are Juniper Networks Junos OS:
   16.1X65 versions prior to 16.1X65-D47;
   17.2X75 versions prior to 17.2X75-D91, 17.2X75-D110;
   17.3 versions prior to 17.3R1-S4, 17.3R2;
   17.4 versions prior to 17.4R1-S3, 17.4R2.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was found during internal product security testing or research.

This issue has been assigned CVE-2018-0032.

SOLUTION:
The following software releases have been updated to resolve this specific issue: 16.1X65-D47, 17.2X75-D110, 17.2X75-D91, 17.3R1-S4, 17.3R2, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5, and all subsequent releases.

This issue is being tracked as PR 1327708 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no known workarounds for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/

MODIFICATION HISTORY:
2018-07-11: Initial Publication

CVE-2018-0032: RPD crash when receiving a crafted BGP UPDATE

CVSS SCORE: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
RISK LEVEL: High

--------------------------------------------------------------------------------

2018-07 Security Bulletin: Junos OS: A malicious crafted IPv6 DHCP packet may cause the JDHCPD daemon to core (CVE-2018-0034) [JSA10868]

PRODUCT AFFECTED:
This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4.

PROBLEM:
A Denial of Service vulnerability exists in the Juniper Networks Junos OS JDHCPD daemon which allows an attacker to core the JDHCPD daemon by sending a crafted IPv6 packet to the system. This issue is limited to systems which receive IPv6 DHCP packets on a system configured for DHCP processing using the JDHCPD daemon.
This issue does not affect IPv4 DHCP packet processing.

Affected releases are Juniper Networks Junos OS:
   12.3 versions prior to 12.3R12-S10 on EX Series;
   12.3X48 versions prior to 12.3X48-D70 on SRX Series;
   14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100;
   14.1X53 versions prior to 14.1X53-D130 on QFabric;
   15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7;
   15.1X49 versions prior to 15.1X49-D140 on SRX Series;
   15.1X53 versions prior to 15.1X53-D67 on QFX10000 Series;
   15.1X53 versions prior to 15.1X53-D233 on QFX5110, QFX5200;
   15.1X53 versions prior to 15.1X53-D471 on NFX 150, NFX 250;
   16.1 versions prior to 16.1R3-S9, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7;
   16.2 versions prior to 16.2R2-S5, 16.2R3;
   17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3;
   17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3;
   17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3;
   17.4 versions prior to 17.4R1-S3, 17.4R2.

For applicable CLI configuration assistance on your device please refer to the KB and Feature Explorer in the URL section further in this advisory.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was seen during production usage.

This issue has been assigned CVE-2018-0034.

SOLUTION:
The following software releases have been updated to resolve this specific issue: Junos OS 12.3R12-S10, 12.3X48-D70, 14.1X53-D130*, 14.1X53-D47, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D67, 16.1R3-S9, 16.1R4-S8, 16.1R5-S4, 16.1R6-S3, 16.1R7, 16.2R2-S5, 16.2R3, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, and all subsequent releases.

*Pending Publication

This issue is being tracked as PR 1334230 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

WORKAROUND:
There are no viable workarounds for this issue.

IMPLEMENTATION:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.

MODIFICATION HISTORY:
2018-07-11: Initial Publication.

CVE-2018-0034: Junos OS: A malicious crafted IPv6 DHCP packet may cause the JDHCPD daemon to core (CVE-2018-0034)

CVSS SCORE: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
RISK LEVEL: Medium

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================