2014-09 Out of Cycle Security Bulletin: Multiple Products: Shell Command Injection Vulnerability in Bash

Categories:
Security Advisories ID: JSA10648
Last Updated: 21 May 2015
Version: 40.0

Product Affected:
Junos Space and JA1500, JA2500 (Junos Space Appliance), STRM and JSA series, NSM Appliances (NSM3000 and NSMExpress), IDP Series, Junos Content Encore (Media Flow Controller) prior to 12.3.8.

Problem:

Bash (the Bourne-again shell) has vulnerabilities in the way it handles environment variables when it is invoked. Under some scenarios, network-based remote attackers can inject shell script that is then executed on the system. This issue is also known as "ShellShock".

These issues have been assigned CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.
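As an added example (not part of the advisory and not Juniper tooling), the following POSIX shell script performs the standard local check for the CVE-2014-6271 behaviour described above: it passes a function-style value with a trailing command through the environment and reports whether the installed bash executes that trailer. It is intended for verifying a host after the vendor patch has been applied; the variable name `probe` and the marker string are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): a local check that the installed bash
# no longer executes code appended to a function definition passed through the
# environment (the CVE-2014-6271 behaviour). Run it on the host after applying
# the vendor patch. The variable name and marker string are constructed.

# Prints "vulnerable", "not vulnerable" or "bash not found";
# exit status is 1, 0 or 2 respectively.
shellshock_check() {
  command -v bash >/dev/null 2>&1 || { echo "bash not found"; return 2; }
  # Pass a function-style value in the environment with a trailing command.
  # A patched bash imports (or rejects) the function definition and ignores
  # the trailer, so the marker is never printed.
  marker='SHELLSHOCK_MARKER'
  out=$(env probe="() { :;}; echo $marker" bash -c 'echo bash-probe' 2>/dev/null)
  case "$out" in
    *"$marker"*) echo "vulnerable"; return 1 ;;
    *)           echo "not vulnerable"; return 0 ;;
  esac
}

# Reports the bash version alongside the check result, for change records.
shellshock_report() {
  ver=$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null || echo unknown)
  printf 'bash %s: %s\n' "$ver" "$(shellshock_check || true)"
}

shellshock_report
```

The check only exercises the original CVE-2014-6271 parser behaviour; the follow-on CVEs listed in the advisory are addressed by the same vendor packages, so a "not vulnerable" result should be read together with the installed package version rather than on its own.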

Products vulnerable to remote exploitation risks:

  • Junos Space versions prior to 14.2 are vulnerable.
  • JSA Series (STRM) devices are vulnerable in all versions.
  • NSM Appliances (NSM3000 and NSMExpress) versions prior to 2012.2R9 are vulnerable. Note: NSM server software installed on generic Linux or Solaris servers may require bash fixes from the server OS vendor.
  • IDP Series versions prior to 5.1r4 are vulnerable.
  • Junos Content Encore (Media Flow Controller) releases prior to 12.3.8 are vulnerable, if the management console web interface is enabled.

Products with bash and vulnerable to lesser security risks:

  • SSL VPN, UAC, MAG, SA series (in all versions): If the DMI Agent is enabled (either inbound or outbound), then authenticated administrative users can run arbitrary commands as root. The DMI Agent functionality is accessible only via the internal port or management port. Non-administrative users and unauthenticated remote attackers cannot access the DMI interface and cannot exploit the issue. Administrative users should not be able to run shell commands on the device; since this defect allows shell commands to be run, it represents a risk to the integrity of the system. The CVSS v2 base score for this scenario is 4.4 (AV:L/AC:M/Au:S/C:N/I:C/A:N).

Products with bash, but NOT affected by remote exploitation risks:

Our current assessment shows there is no risk of remote unauthenticated code execution on these products even though the products include bash. Scenarios required for known remote exploitation vectors do not exist on these products. As a precaution, bash in these products will be upgraded.
  • SSL VPN, UAC, MAG, SA series
  • CTPView
  • QFabric
  • DDOS Secure
  • JWAS
  • Firefly (vGW)
  • SRC
  • Junos Pulse Endpoint Profiler

Products NOT affected:

  • Junos OS is not vulnerable.
  • ScreenOS is not vulnerable.
  • JunosE is not vulnerable.
  • ADC is not vulnerable.
  • SRX-IDP is not vulnerable.
  • ISG-IDP is not vulnerable.
  • WX is not vulnerable.
  • SBR Enterprise Edition is not vulnerable.
  • SBR Global Enterprise Edition is not vulnerable.
  • WLC Series is not vulnerable.
  • WLM appliances (RingMaster, SmartPass) are not vulnerable.

Juniper is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.


Modification History:
Sep 25, 2014: Initial release.
Sep 26, 2014: Provided solution for JSA/STRM Series, updated the status of NSM to be vulnerable, provided workaround for NSM, included statement on SRC series.
Sep 29, 2014: Updated the status of SSL VPN products as vulnerable to lesser security risks, updated the list of known CVEs related to shellshock issue.
Sep 30, 2014: Provided solution for NSM Appliances and Junos Space.
Oct 1, 2014: Provided final solution for JSA/STRM Series and solution for IDP Series.
Oct 2, 2014: Added statement about WLC series which is not affected, updated the status of Junos Content Encore (MFC) as vulnerable to remote exploitation risks.
Oct 3, 2014: Provided final solution for Junos Content Encore (MFC).
Oct 6, 2014: Provided a solution for NSM CentOS 4 based installations.
Oct 11, 2014: Updated solution for Junos Space, included statement on WLM Series appliances, updated the list of IDP signatures for ShellShock.
Oct 22, 2014: Added SSL VPN fixed release information.
May 21, 2015: Updated Solution for SRC, Junos Space and NSM.

Solution:

Connect Secure (SA / SSL VPN) / MAG Series:

Fixes have been added to the following releases: 7.1r20.1, 7.4r13.1 and 8.0r7, which are available for download from www.juniper.net/support/downloads/.

JSA, STRM Series devices:

A patch for CVE-2014-7169 and the remaining CVEs is available for download from www.juniper.net/support/downloads/. This patch resolves all the issues related to ShellShock for all supported versions of the JSA and STRM software releases.

NSM Appliances:

All six CVEs are now fixed by "NSM Appliance Generic Offline Upgrade Package_v3 - CentOS 5.x" or "NSM Appliance Generic Online Upgrade Script_v3_CentOS5.x" (released Sep 30, 2014) or later. These are available for download from https://www.juniper.net/support/downloads/?p=nsm#sw.

These issues are fixed in NSM 2012.2R9 and subsequent releases.

For NSM Appliances with CentOS 4 based installations, an NSM Bash RPM update for CentOS 4 is available for download as an interim fix. See the Implementation section for instructions.

Junos Space:

These issues are resolved in Junos Space 14.1R2 and all subsequent releases.
For older releases, Junos Space Bash Security Update v2 is available as an interim fix. It can be downloaded from the Junos Space software download page.

IDP Series:

These issues are resolved in IDP OS 5.1r4 and all subsequent releases.
A Bash RPM update that resolves all these issues is available for download at the bottom of this page as an interim fix. See the Implementation section for instructions.

Junos Content Encore (MFC):

All these issues are resolved in Junos Content Encore 12.3.8 or later versions, available for download from www.juniper.net/support/downloads/.

SRC Series:

All these issues are resolved in SRC 4.4.0-R14, 4.5.0-R5, 4.6.0-R5, 4.7.0-R2, 4.8.0-R1 and subsequent releases.

IDP Signatures:

Juniper has released signatures to detect this issue. Sigpack 2424 contains IDP signatures designed to detect CVE-2014-6271 and the other CVEs associated with ShellShock:
  • HTTP:CGI:BASH-CODE-INJECTION
  • HTTP:CGI:SHELLSHOCK
  • DHCP:SERVER:GNU-BASH-CMD-EXE
  • HTTP:CGI:BASH-INJECTION-HEADER
  • HTTP:CGI:BASH-INJECTION-URL


We are currently investigating our product portfolio for affected software and will work to provide fixes for any software that is found to be vulnerable. This document will be updated with version information as product updates become available.

Workaround:
Workarounds for these issues include:
  • Use access lists or firewall filters to limit access to services such as HTTP, HTTPS, and SSH to only trusted hosts.
  • Do not use the device as a DHCP client on untrusted networks.
  • Limit shell access on any device to only trusted users.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment irrespective of a product's exposure to this issue. Always use access lists or firewall filters to limit access to the devices to trusted administrative networks or hosts only.

Workaround for NSM Appliances:

Until NSM Appliance fixes are available, the updated bash RPM bash-3.2-33.el5.1.i386.rpm or a later version can be downloaded from http://mirror.centos.org/centos-5/5/updates/i386/RPMS/ and applied on the NSM Appliance. The updated bash RPM bash-3.0-22nsmShellShockFix.i386.rpm is available for CentOS 4 based NSM installations.

Workaround for SSL VPN, UAC, MAG, SA series:

Disabling the DMI agent (both inbound and outbound) should completely mitigate associated security risks.

Workaround for Junos Content Encore (MFC):

Disabling the management console web interface with the CLI command "web no enable" should mitigate the associated security risks.

Implementation:
JSA /STRM Series devices:
The patch is available for download from www.juniper.net/support/downloads/ under the JSA or STRM series, Software, Patches section. Instructions to install the patch are included in the patch release notes.

NSM Appliances:

NSM software upgrade packages are available for download from https://www.juniper.net/support/downloads/?p=nsm#sw.

For NSM Appliances based on CentOS 4 installations:
  • Download bash-3.0-22nsmShellShockFix.i386.rpm (also available for download at the bottom of this page).
  • Verify the checksum of the RPM file: MD5 = 32827bbae59d8c632dd5f698d08c664e, SHA1 = 8fdb20a5d95b14b64c646f7115b5d077fb63f8e0.
  • Install the RPM: # rpm -Uvh bash-3.0-22nsmShellShockFix.i386.rpm

Junos Space:

Junos Space Bash Security Update v2 is available for download from https://www.juniper.net/support/downloads/?p=space#sw.

IDP Series:

  1. Download bash-3.2-21.idp.x86_64.rpm (also available for download at the bottom of this page).
  2. Verify the checksum of the RPM file: MD5 = 34b4c7b71b780981d0da6b04a0c3e2d5, SHA1 = 124a328d9018a794a431d168ec85ccced9b4cc76.
  3. Install the RPM file using the rpm command: # rpm -i --force bash-3.2-21.idp.x86_64.rpm
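Both the NSM CentOS 4 procedure and the IDP Series procedure above are "download, verify MD5 and SHA1, then install". The following POSIX shell script, added here as an example rather than Juniper's own tooling, wires those steps together so that `rpm` is only ever invoked on a file whose digests match the values the advisory publishes. The function names are constructed; the package names, checksums and rpm options in the usage comments are the ones given in this advisory.

```shell
#!/bin/sh
# Added example (not Juniper's own tooling): verify a downloaded RPM's MD5 and
# SHA1 against the values published in the advisory before installing it.
# Requires GNU coreutils md5sum/sha1sum (as on the CentOS-based appliances).

# verify_checksums FILE EXPECTED_MD5 EXPECTED_SHA1
# Returns 0 only if both digests match; prints a diagnostic otherwise.
verify_checksums() {
  file=$1; want_md5=$2; want_sha1=$3
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
  got_md5=$(md5sum "$file" | cut -d' ' -f1)
  got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
  if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
    echo "checksums OK: $file"
    return 0
  fi
  echo "CHECKSUM MISMATCH for $file (md5 $got_md5, sha1 $got_sha1)" >&2
  return 1
}

# install_verified_rpm FILE EXPECTED_MD5 EXPECTED_SHA1 [rpm options...]
# Installs the package with the given rpm options only after verification.
install_verified_rpm() {
  file=$1; md5=$2; sha1=$3; shift 3
  verify_checksums "$file" "$md5" "$sha1" || return 1
  rpm "$@" "$file"
}

# Usage with the packages, checksums and rpm options from this advisory
# (run as root on the appliance, in the directory holding the download):
#
#   IDP Series:
#     install_verified_rpm bash-3.2-21.idp.x86_64.rpm \
#       34b4c7b71b780981d0da6b04a0c3e2d5 \
#       124a328d9018a794a431d168ec85ccced9b4cc76 -i --force
#
#   NSM Appliance, CentOS 4 based:
#     install_verified_rpm bash-3.0-22nsmShellShockFix.i386.rpm \
#       32827bbae59d8c632dd5f698d08c664e \
#       8fdb20a5d95b14b64c646f7115b5d077fb63f8e0 -Uvh
```

Because `install_verified_rpm` returns before calling `rpm` on any mismatch, a corrupted or substituted download stops the procedure rather than being installed; the mismatch message records the digests actually observed so the discrepancy can be reported.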

Junos Content Encore (MFC):

Updated software is available for download from www.juniper.net/support/downloads/ under Content & Media Delivery.

Related Links:

CVSS Score:
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Risk Level:
Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements:
Juniper SIRT would like to acknowledge and thank Stephane Chazelas for discovering CVE-2014-6271, Michal Zalewski for discovering CVE-2014-6277 and CVE-2014-6278, and Florian Weimer for responsibly coordinating disclosure of vulnerabilities.



Attachment File:
bash-3.2-21.idp.x86_64.rpm
Size: 1.9MB

Attachment File:
bash-3.0-22nsmShellShockFix.i386.rpm
Size: 1.8MB

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.