-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3084
             2018-10 Security Bulletin: Junos Space: Multiple
                vulnerabilities resolved in 18.2R1 release
                              11 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space Network Management Platform
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Access Privileged Data          -- Existing Account            
                   Create Arbitrary Files          -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0046 CVE-2017-15906 CVE-2016-10012
                   CVE-2016-10011 CVE-2016-10010 CVE-2016-10009

Reference:         ASB-2018.0134
                   ESB-2018.2693
                   ESB-2018.0230
                   ESB-2017.0814

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10880

- --------------------------BEGIN INCLUDED TEXT--------------------

2018-10 Security Bulletin: Junos Space: Multiple vulnerabilities
resolved in 18.2R1 release

[JSA10880]

Product Affected:

Junos Space Network Management Platform prior to 18.2R1
Problem:

Multiple vulnerabilities have been resolved in the Junos Space
Network Management Platform 18.2R1 release.

Important security issues resolved as a result of these upgrades
include:

     CVE          CVSS                     Summary
               7.3 (       Untrusted search path vulnerability in
               CVSS:3.0/   ssh-agent.c in ssh-agent in OpenSSH
CVE-2016-10009 AV:N/AC:L/  before 7.4 allows remote attackers to
               PR:N/UI:N/  execute arbitrary local PKCS#11 modules
               S:U/C:L/I:L by leveraging control over a forwarded
               /A:L)       agent-socket.

               7.0 (       sshd in OpenSSH before 7.4, when
               CVSS:3.0/   privilege separation is not used,
CVE-2016-10010 AV:L/AC:H/  creates forwarded Unix-domain sockets
               PR:L/UI:N/  as root, which might allow local users
               S:U/C:H/I:H to gain privileges via unspecified
               /A:H)       vectors, related to serverloop.c.

               5.5 (       authfile.c in sshd in OpenSSH before
               CVSS:3.0/   7.4 does not properly consider the
               AV:L/AC:L/  effects of realloc on buffer contents,
CVE-2016-10011 PR:L/UI:N/  which might allow local users to obtain
               S:U/C:H/I:N sensitive private-key information by
               /A:N)       leveraging access to a
                           privilege-separated child process.
                           The shared memory manager (associated
                           with pre-authentication compression) in

               7.8 (       sshd in OpenSSH before 7.4 does not
               CVSS:3.0/   ensure that a bounds check is enforced
CVE-2016-10012 AV:L/AC:L/  by all compilers, which might allows
               PR:L/UI:N/  local users to gain privileges by
               S:U/C:H/I:H leveraging access to a sandboxed
               /A:H)       privilege-separation process, related
                           to the m_zback and m_zlib data
                           structures.

               5.3 (       The process_open function in
               CVSS:3.0/   sftp-server.c in OpenSSH before 7.6
CVE-2017-15906 AV:N/AC:L/  does not properly prevent write
               PR:N/UI:N/  operations in readonly mode, which
               S:U/C:N/I:L allows attackers to create zero-length
               /A:N)       files.

               8.8 (
               CVSS:3.0/
CVE-2018-0046  AV:N/AC:L/  Junos Space: Reflected Cross-site
               PR:N/UI:R/  Scripting vulnerability in OpenNMS
               S:U/C:H/I:H
               /A:H)

 
Solution:

The following software releases have been updated to resolve these
specific issues: Junos Space Network Management Platform 18.2R1,
and all subsequent releases.

These issues are being tracked as PR 1337619 and 1302769 which are
visible on the Customer Support website.
 

Workaround:

Use access lists or firewall filters to limit access to the device
only from trusted hosts and administrators.

  o CVE-2018-0046: There are no viable workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at 
https://www.juniper.net/support/downloads/.
 
Modification History:

2018-10-10: Initial publication


Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly
    Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and
    Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper
    Networks Security Incident Response Team
  o CVE-2016-10009 at cve.mitre.org
  o CVE-2016-10010 at cve.mitre.org
  o CVE-2016-10011 at cve.mitre.org
  o CVE-2016-10012 at cve.mitre.org
  o CVE-2017-15906 at cve.mitre.org
  o CVE-2018-0046 at cve.mitre.org

CVSS Score:

8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

Acknowledgements:

CVE-2018-0046: The Juniper SIRT would like to would like to
acknowledge and thank Marcel Bilal from IT-Dienstleistungszentrum
Berlin

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW76wIGaOgq3Tt24GAQjbixAAwlP1i7hrxyN6Simz1psP6CDyRo4Jn+Bh
eHP8YvbIotCZxhVXTRodQ3MhT/EXLPF/GcRyVe6PLzvrtxyzL3/HqeWhS6PeErjh
GzX6VjQuLx38QfusbKF1S/OV5aiCkzIrZ3fEG9KASeGPmHdr7jiTeFaz59cq4xSC
NDp7tZHuIXwbC25LAaLpKary8et09igIZmrkbFbFHFc61S9cuWptNpvx0rGpw9B7
9Xyf5q4TRkBJuEvj/V/5eMxk7iWHsKmdhET8+UKFsvwLg5cjIExNwdZ64VOggvdm
/Jc1XiR1iE2aus/tv+mD2F/qUYapqTkF0o+RSmXlvZOe7Zq7JepzgpJ2ik7GNIfa
rRUp2rrfGhUTRf8RJh+JnGucJc35qluZ7zQUsEyA4eBbx28ndENjbSiPZsxLAoPX
R9MNbMJe6QwGEj5SJkgyG9q2ynJsaoY79VAJOkb4MNo/Xg+4+x/bXG1F3ZtW/dC/
kghZbNV+STtmWpyVGQIUIbfCo5zPZGpoxDvxD0ZFvYbylbnKjQlr/2m/PWSixpmQ
5Uok4TYVMmakkTtXGeXBMFPWqqeaHo4hJlS4VmyLadpezQh/K/o9fs38pIXAGWav
ASI0Q33mRRYgRX7g4y8f2jfE+l5bCG0UW1KAnH3kVixDGc/gNUznh3LwlMjQcUXZ
2fyQ1IAV6Aw=
=u8pU
-----END PGP SIGNATURE-----