-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.0133.2
     Juniper ATP: Multiple vulnerabilities resolved in 5.0.3 and 5.0.4
                              16 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Juniper ATP
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Root Compromise                 -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-0030 CVE-2019-0029 CVE-2019-0027
                   CVE-2019-0026 CVE-2019-0025 CVE-2019-0024
                   CVE-2019-0023 CVE-2019-0022 CVE-2019-0021
                   CVE-2019-0020 CVE-2019-0018 CVE-2019-0004
                   CVE-2017-11610  

Original Bulletin: 
   http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10918

Revision History:  January 16 2019: Incorrect ESB Number
                   January 15 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

2019-01 Security Bulletin: Juniper ATP: Multiple vulnerabilities resolved in 5.0.3 and 5.0.4

Product Affected: Juniper ATP

Problem: Multiple vulnerabilities have been resolved in the Juniper ATP
5.0.3 and 5.0.4 releases by fixing the vulnerabilities found during
internal testing and updating the third-party software packages
included with Juniper ATP.

Important security issues resolved include:
CVE     : CVE-2019-0018
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in 
          the file upload menu of Juniper ATP may allow an 
          authenticated user to inject arbitrary scripts and steal 
          sensitive data and credentials from a web administration 
          session, possibly tricking a follow-on administrative user 
          to perform administrative actions on the device.

CVE     : CVE-2017-11610
CVSS    : 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary : The XML-RPC server in supervisor before 3.0.1, 3.1.x before 
          3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows 
          remote authenticated users to execute arbitrary commands 
          via a crafted XML-RPC request, related to nested 
          supervisord namespace lookups.

CVE     : CVE-2019-0023
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in
          the Golden VM menu of Juniper ATP may allow an authenticated
          user to inject arbitrary scripts and steal sensitive data
          and credentials from a web administration session, possibly
          tricking a follow-on administrative user to perform
          administrative actions on the device.

CVE     : CVE-2019-0030
CVSS    : 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Summary : Juniper ATP uses DES and a hardcoded salt for password 
          hashing, allowing for trivial de-hashing of the password 
          file contents.

CVE     : CVE-2019-0021
CVSS    : 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
Summary : On Juniper ATP, secret passphrase CLI inputs, such as "set
          mcm", are logged to /var/log/syslog in clear text, allowing
          an authenticated local user to view this secret
          information.

CVE     : CVE-2019-0020
CVSS    : 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Summary : Juniper ATP: Hard coded credentials used in Web Collector

CVE     : CVE-2019-0022
CVSS    : 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Summary : Juniper ATP: Two hardcoded credentials sharing the same 
          password give an attacker the ability to take control of 
          any installation of the software.

CVE     : CVE-2019-0025
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in
          the RADIUS configuration menu of Juniper ATP may allow an
          authenticated user to inject arbitrary scripts and steal
          sensitive data and credentials from a web administration
          session, possibly tricking a follow-on administrative user
          to perform administrative actions on the device.

CVE     : CVE-2019-0026
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in
          the Zone configuration of Juniper ATP may allow an
          authenticated user to inject arbitrary scripts and steal
          sensitive data and credentials from a web administration
          session, possibly tricking a follow-on administrative user
          to perform administrative actions on the device.

CVE     : CVE-2019-0029
CVSS    : 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Summary : On Juniper ATP, the Splunk credentials are logged in a file 
          readable by authenticated local users. Using these 
          credentials an attacker can access the Splunk server.

CVE     : CVE-2019-0004
CVSS    : 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary : The API key and the device key are logged in a file 
          readable by authenticated local users. These keys are used 
          for performing critical operations on the WebUI interface.

CVE     : CVE-2019-0024
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in
          the Email Collectors menu of Juniper ATP may allow an
          authenticated user to inject arbitrary scripts and steal
          sensitive data and credentials from a web administration
          session, possibly tricking a follow-on administrative user
          to perform administrative actions on the device.

CVE     : CVE-2019-0027
CVSS    : 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Summary : A persistent cross-site scripting (XSS) vulnerability in
          the Snort Rules configuration of Juniper ATP may allow an
          authenticated user to inject arbitrary scripts and steal
          sensitive data and credentials from a web administration
          session, possibly tricking a follow-on administrative user
          to perform administrative actions on the device.


Solution:
CVE-2019-0018, CVE-2019-0023, CVE-2019-0020, CVE-2019-0022,
CVE-2019-0025, CVE-2019-0026, CVE-2019-0024, CVE-2019-0027,
CVE-2017-11610

The following software release has been updated to resolve
these issues: 5.0.3 and all subsequent releases.

CVE-2019-0030
The following software release has been updated to resolve
this specific issue: 5.0.3 and all subsequent releases.
It is suggested to change any credentials after the upgrade to
the fixed version.

CVE-2019-0021
The following software release has been updated to resolve
this specific issue: 5.0.4 and all subsequent releases.
It is also recommended to purge the affected log files and/or
change the passphrase after the upgrade.

CVE-2019-0029
The following software release has been updated to resolve
this specific issue: 5.0.3 and all subsequent releases.
It is suggested to change the Splunk credentials after the
upgrade to the fixed version.

CVE-2019-0004
The following software release has been updated to resolve
this specific issue: 5.0.3 and all subsequent releases.
It is also recommended to change the device key after the
upgrade.

These issues are being tracked as PR 1365584, 1365614, 1365976,
1365987, 1365676, 1365592, 1365609, 1365617, 1365601, 1365691,
1365606, 1365605, 1365985 and 1366352 which are visible on the
Customer Support website.

Workaround:

There are no known workarounds for these issues; however, limiting
access to only trusted administrators from trusted administrative
networks or hosts would minimize the risk.

CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Risk Level: Critical

Risk Assessment: 
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----