2016-10 Security Bulletin: Junos Space: Multiple vulnerabilities

[JSA10760]


Product Affected:
These issues can affect any product or platform running Junos Space releases before 15.2R2.
Problem:

Multiple vulnerabilities have been resolved in the Junos Space 15.2R2 release. Each issue is listed below with its CVE identifier, CVSS v3.0 base score and vector, and a summary.

CVE-2016-4926  CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Insufficient authentication vulnerability in Junos Space may allow remote, network-based users with access to the Junos Space web interface to perform certain administrative tasks without authentication.
CVE-2016-4927  CVSS 9.0 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
  Insufficient validation of SSH keys in Junos Space may allow man-in-the-middle (MITM) attacks while a Space device is communicating with managed devices.
CVE-2016-4928  CVSS 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Cross-site request forgery vulnerability in Junos Space may allow remote attackers to perform certain administrative actions on Junos Space.
CVE-2016-4929  CVSS 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Command injection vulnerability in Junos Space may allow unprivileged users to execute code as the root user on the device.
CVE-2016-4930  CVSS 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
  Cross-site scripting vulnerability may allow remote attackers to steal sensitive information or perform certain administrative actions on Junos Space.
CVE-2016-4931  CVSS 5.3 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
  XML entity injection vulnerability may allow unprivileged users to cause a denial of service condition.
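
The bulletin does not say what CVE-2016-4927's validation flaw was, only that insufficient SSH key validation exposes the Space-to-managed-device link to MITM. The following is an added example, not code from the bulletin or from Junos Space, that shows what correct host-key validation against pinned entries looks like for that class of bug: the presented key is compared with the entry pinned for the device (plain or hashed OpenSSH known_hosts format), a differing key is a mismatch that must abort the connection, and an unpinned host must not be silently trusted. All keys, hostnames, addresses and the known_hosts content are constructed sample data.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_key: bytes) -> bytes:
    """Public key blob for an ssh-ed25519 key: string 'ssh-ed25519' + string key."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint (SHA256:..., unpadded base64) of a key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """known_hosts hashed host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def _host_matches(host_field: str, host: str) -> bool:
    """Match a plain, comma-separated or hashed known_hosts host field."""
    for pattern in host_field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
            mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, expected):
                return True
        elif pattern == host:
            return True
    return False


def verify_host_key(known_hosts: str, host: str, key_type: str, key_b64: str) -> str:
    """Check a presented host key against pinned known_hosts entries.

    Returns 'ok' (pinned key matches), 'mismatch' (a key is pinned for this host
    but the presented one differs, or the presented key is @revoked) or 'unknown'
    (nothing pinned). A manager must refuse to connect on 'mismatch' and must not
    silently pin on 'unknown'; accepting either is what lets a MITM succeed.
    """
    presented = base64.b64decode(key_b64)
    pinned_for_host = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue  # CA lines need certificate validation, not covered here
        host_field, ktype, kdata = fields[0], fields[1], fields[2]
        if not _host_matches(host_field, host) or ktype != key_type:
            continue
        same = hmac.compare_digest(base64.b64decode(kdata), presented)
        if marker == "@revoked":
            if same:
                return "mismatch"
            continue
        pinned_for_host = True
        if same:
            return "ok"
    return "mismatch" if pinned_for_host else "unknown"


# Constructed sample data (not real device keys): a managed device key, an
# attacker key, and a known_hosts file pinning the device key by address and
# by hashed hostname. Addresses and names are documentation values.
DEVICE_KEY_BLOB = ed25519_blob(bytes(range(32)))
DEVICE_KEY_B64 = base64.b64encode(DEVICE_KEY_BLOB).decode()
ATTACKER_KEY_B64 = base64.b64encode(ed25519_blob(bytes(range(32, 64)))).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# pinned keys for devices managed by a Junos Space instance (constructed sample)",
    "192.0.2.10 ssh-ed25519 " + DEVICE_KEY_B64,
    hashed_host_field("edge-router.example", bytes(range(20))) + " ssh-ed25519 " + DEVICE_KEY_B64,
])


if __name__ == "__main__":
    print("device fingerprint:", fingerprint_sha256(DEVICE_KEY_BLOB))
    for host, key in [("192.0.2.10", DEVICE_KEY_B64),
                      ("edge-router.example", DEVICE_KEY_B64),
                      ("192.0.2.10", ATTACKER_KEY_B64),
                      ("198.51.100.7", DEVICE_KEY_B64)]:
        print(host, "->", verify_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", key))
```

The third case is the MITM scenario: the pinned entry for 192.0.2.10 exists, the key offered on the wire is the attacker's, and the only safe result is to abort. A management system that returns "ok" here, or that quietly adds an "unknown" host's key on first contact and from then on trusts it, has the weakness this CVE describes. Pins should be seeded out of band (for example from the device's console or from a fingerprint recorded at provisioning time) rather than learned from the first connection.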

In addition to the above, a vulnerability in Apache Commons Collections that can potentially allow remote code execution during object deserialization is fixed by upgrading Apache Commons Collections to 3.2.2. This vulnerability is not exposed and is not exploitable on Junos Space; the underlying library is nevertheless upgraded to eliminate the risk.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Many of these issues were found during internal product testing.

Solution:
These issues have been resolved in Junos Space 15.2R2 and all subsequent releases.

These issues are being tracked as 954495, 975358, 975426, 975445, 975447, 975457, 975466, 975472, 975473, 975474, 975491, 975502, 975506, 975509, 975510, 975516, 975518, 975530, 975534, 983931, 983945, 983960, 983964, 1049736, 1049737, 1105605, 1138099, 1164153, 1165549 and are visible on the Customer Support website.
Workaround:

  • Limit access to Junos Space to trusted networks only.
  • Use administrative jump boxes with no internet access and employ anti-scripting techniques (blocking untrusted scripts in the administrator's browser reduces exposure to the cross-site request forgery and cross-site scripting issues above).
  • In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the devices' administrative interfaces to trusted administrative networks or hosts only.

Implementation:
How to obtain fixed software:
Junos Space Maintenance Releases are available at http://support.juniper.net from the "Download Software" links. If a Maintenance Release is not adequate and access to Junos Space patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.

Modification History:

2016-10-12: Initial publication

CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical