===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3084
      2018-10 Security Bulletin: Junos Space: Multiple vulnerabilities
                        resolved in 18.2R1 release
                              11 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos Space Network Management Platform
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Root Compromise                 -- Existing Account
                   Access Privileged Data          -- Existing Account
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-0046 CVE-2017-15906 CVE-2016-10012
                   CVE-2016-10011 CVE-2016-10010 CVE-2016-10009

Reference:         ASB-2018.0134
                   ESB-2018.2693
                   ESB-2018.0230
                   ESB-2017.0814

Original Bulletin:
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10880

--------------------------BEGIN INCLUDED TEXT--------------------

2018-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in
18.2R1 release [JSA10880]

Product Affected:

Junos Space Network Management Platform prior to 18.2R1

Problem:

Multiple vulnerabilities have been resolved in the Junos Space Network
Management Platform 18.2R1 release.

Important security issues resolved as a result of these upgrades include:

CVE-2016-10009
   CVSS:    7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
   Summary: Untrusted search path vulnerability in ssh-agent.c in ssh-agent
            in OpenSSH before 7.4 allows remote attackers to execute
            arbitrary local PKCS#11 modules by leveraging control over a
            forwarded agent-socket.

CVE-2016-10010
   CVSS:    7.0 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
   Summary: sshd in OpenSSH before 7.4, when privilege separation is not
            used, creates forwarded Unix-domain sockets as root, which might
            allow local users to gain privileges via unspecified vectors,
            related to serverloop.c.

CVE-2016-10011
   CVSS:    5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
   Summary: authfile.c in sshd in OpenSSH before 7.4 does not properly
            consider the effects of realloc on buffer contents, which might
            allow local users to obtain sensitive private-key information by
            leveraging access to a privilege-separated child process.

CVE-2016-10012
   CVSS:    7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
   Summary: The shared memory manager (associated with pre-authentication
            compression) in sshd in OpenSSH before 7.4 does not ensure that
            a bounds check is enforced by all compilers, which might allow
            local users to gain privileges by leveraging access to a
            sandboxed privilege-separation process, related to the m_zback
            and m_zlib data structures.

CVE-2017-15906
   CVSS:    5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
   Summary: The process_open function in sftp-server.c in OpenSSH before 7.6
            does not properly prevent write operations in readonly mode,
            which allows attackers to create zero-length files.

CVE-2018-0046
   CVSS:    8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
   Summary: Junos Space: Reflected Cross-site Scripting vulnerability in
            OpenNMS

Solution:

The following software releases have been updated to resolve these specific
issues: Junos Space Network Management Platform 18.2R1, and all subsequent
releases.

These issues are being tracked as PR 1337619 and 1302769 which are visible on
the Customer Support website.

Workaround:

Use access lists or firewall filters to limit access to the device only from
trusted hosts and administrators.

  o CVE-2018-0046: There are no viable workarounds for this issue.

Implementation:

Software Releases, patches and updates are available at
https://www.juniper.net/support/downloads/.

Modification History:

  o 2018-10-10: Initial publication

Related Links:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's
    Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team
  o CVE-2016-10009 at cve.mitre.org
  o CVE-2016-10010 at cve.mitre.org
  o CVE-2016-10011 at cve.mitre.org
  o CVE-2016-10012 at cve.mitre.org
  o CVE-2017-15906 at cve.mitre.org
  o CVE-2018-0046 at cve.mitre.org

CVSS Score:

8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Risk Level:

High

Risk Assessment:

Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

Acknowledgements:

  o CVE-2018-0046: The Juniper SIRT would like to acknowledge and thank
    Marcel Bilal from IT-Dienstleistungszentrum Berlin

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.