2017-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 16.1R1 release.

[JSA10770]


Product Affected:
These issues can affect any product or platform running Junos Space prior to 16.1R1.
Problem:
Multiple vulnerabilities have been resolved in Junos Space 16.1R1 release.

Third party software packages that have been upgraded to resolve vulnerabilities in prior releases include:
  • OpenSSH has been upgraded to 7.3p1.
  • MySQL server has been upgraded to 5.6.34.
  • Apache HTTP server has been upgraded to httpd-2.2.31.
  • OpenJDK has been upgraded to 1.7.0.121.
  • LibXML has been upgraded to libxml2-2.7.6-21.
  • OpenSSL has been upgraded to 1.0.1t.
  • Linux Kernel has been upgraded to kernel-2.6.32-642.
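The upgrade list above gives a minimum version for each third-party package. The following is an added example (not Juniper's own tooling) that screens a package inventory against those minimums. The inventory format `NAME VERSION-RELEASE` is what `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints on an RPM-based host; the mapping of the advisory's package names onto RPM package names and the sample inventory are assumptions made for this example, and the comparison orders OpenSSL's letter suffix (`1.0.1t`) and OpenSSH's `p` patch level the way rpm orders version segments.

```python
"""Screen a package inventory against the minimum versions named in the
advisory (added example; not Juniper's code). Inventory lines are in the
form 'NAME VERSION-RELEASE', as produced by
rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'."""
import re

# Minimum versions taken from the advisory text. Mapping them onto RPM
# package names is an assumption made for this example.
FIXED_MINIMUMS = {
    "openssh": "7.3p1",
    "mysql-server": "5.6.34",
    "httpd": "2.2.31",
    "java-1.7.0-openjdk": "1.7.0.121",
    "libxml2": "2.7.6-21",
    "openssl": "1.0.1t",
    "kernel": "2.6.32-642",
}

# Constructed sample inventory for a hypothetical pre-16.1R1 host.
SAMPLE_INVENTORY = """\
openssh 6.6.1p1-25
mysql-server 5.6.30-1
httpd 2.2.31-1
java-1.7.0-openjdk 1.7.0.111-2
libxml2 2.7.6-20
openssl 1.0.1e-48
kernel 2.6.32-573
"""

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version):
    """Turn '1.0.1t' or '2.6.32-642' into a comparable tuple.

    Digit runs compare numerically; letter runs (OpenSSL's 't', OpenSSH's
    'p') compare alphabetically and sort before digits at the same
    position, mirroring rpm's segment ordering. A longer key with the
    same prefix is newer ('1.0.1t' > '1.0.1').
    """
    key = []
    for tok in _TOKEN.findall(version):
        if tok.isdigit():
            key.append((1, int(tok)))
        else:
            key.append((0, tok.lower()))
    return tuple(key)


def is_at_least(installed, required):
    return version_key(installed) >= version_key(required)


def check_inventory(inventory_text, minimums=FIXED_MINIMUMS):
    """Return {package: (installed, required, meets_minimum)} for every
    package that has a minimum listed in the advisory. A package that is
    missing from the inventory is reported as not meeting the minimum."""
    installed = {}
    for line in inventory_text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    result = {}
    for name, required in minimums.items():
        have = installed.get(name)
        ok = have is not None and is_at_least(have, required)
        result[name] = (have, required, ok)
    return result


def outdated(inventory_text, minimums=FIXED_MINIMUMS):
    """Sorted names of packages that are missing or below the advisory minimum."""
    report = check_inventory(inventory_text, minimums)
    return sorted(name for name, (_, _, ok) in report.items() if not ok)


if __name__ == "__main__":
    for name, (have, need, ok) in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{'OK ' if ok else 'OLD'} {name}: installed {have}, need {need}")
```

Treat a failing comparison as a reason to review the host, not as proof that it is vulnerable: distributions backport fixes without changing the upstream version (the advisory's own `kernel-2.6.32-642` is a release-tagged build of that kind), rpm epochs are not modelled here, and the authoritative answer is the package changelog and the PR list in the Solution section.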

Important security issues resolved as a result of these upgrades include:

CVE | CVSS base score | Summary
CVE-2016-1762 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | The xmlNextChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVE-2016-4448 | 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Format string vulnerability in libxml2 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
CVE-2015-5364 | 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) | The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel do not properly consider yielding a processor, which allows remote attackers to cause a denial of service (system hang) via incorrect checksums within a UDP packet flood.
CVE-2016-6515 | 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) | The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.
CVE-2015-8325 | 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) | The do_setup_env function in session.c in sshd in OpenSSH through 7.2p2, when the UseLogin feature is enabled and PAM is configured to read .pam_environment files in user home directories, allows local users to gain privileges by triggering a crafted environment for the /bin/login program, as demonstrated by an LD_PRELOAD environment variable.
CVE-2016-1833 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | The htmlCurrentChar function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVE-2016-1834 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Heap-based buffer overflow in the xmlStrncat function in libxml2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVE-2016-1835 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Use-after-free vulnerability in the xmlSAX2AttributeNs function in libxml2 allows remote attackers to cause a denial of service via a crafted XML document.
CVE-2016-1836 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Use-after-free vulnerability in the xmlDictComputeFastKey function in libxml2 allows remote attackers to cause a denial of service via a crafted XML document.
CVE-2016-1837 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Multiple use-after-free vulnerabilities in the (1) htmlParsePubidLiteral and (2) htmlParseSystemLiteral functions in libxml2 allow remote attackers to cause a denial of service via a crafted XML document.
CVE-2016-1838 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | The xmlParserPrintFileContextInternal function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVE-2016-1839 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | The xmlDictAddString function in libxml2 allows remote attackers to cause a denial of service (heap-based buffer over-read) via a crafted XML document.
CVE-2016-1840 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Heap-based buffer overflow in the xmlFAParsePosCharGroup function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted XML document.
CVE-2016-5573 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Vulnerability in Java related to Hotspot.
CVE-2016-4449 | 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P) | XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
CVE-2016-5387 | 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) | The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
CVE-2015-5366 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The (1) udp_recvmsg and (2) udpv6_recvmsg functions in the Linux kernel before 4.0.6 provide inappropriate -EAGAIN return values, which allows remote attackers to cause a denial of service (EPOLLET epoll application read outage) via an incorrect checksum in a UDP packet, a different vulnerability than CVE-2015-5364.
CVE-2016-1907 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.
CVE-2016-3627 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
CVE-2016-3705 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
CVE-2016-4447 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The xmlParseElementDecl function in parser.c in libxml2 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
CVE-2015-5307 | 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C) | The KVM subsystem in the Linux kernel allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
CVE-2015-8104 | 4.7 (AV:L/AC:M/Au:N/C:N/I:N/A:C) | The KVM subsystem in the Linux kernel allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
CVE-2016-6662 | 0.0 (AV:N/AC:L/Au:N/C:N/I:N/A:N) | Vulnerability in MySQL allows local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: Since this issue does not allow a Junos Space local user to increase privileges, the effective CVSS base score is zero.
CVE-2016-5195 | 0.0 (AV:L/AC:L/Au:N/C:N/I:N/A:N) | Race condition in mm/gup.c in the Linux kernel allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW." NOTE: Since this issue does not allow a Junos Space local user to increase privileges, the effective CVSS base score is zero.
CVE-2013-2566 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
CVE-2015-4000 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
CVE-2016-2183 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.
CVE-2005-1730 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allow remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonstrated by "OpenSSL ASN.1 brute forcer." NOTE: this issue might overlap CVE-2004-0079, CVE-2004-0081, or CVE-2004-0112.
CVE-2009-5111 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | GoAhead WebServer allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
CVE-2007-6750 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris, related to the lack of the mod_reqtimeout module in versions before 2.2.15.
CVE-2012-5568 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.


Please refer to JSA10759 for a list of OpenSSL vulnerabilities resolved as a result of upgrading it to 1.0.1t.


Apart from the above issues, Junos Space 16.1R1 also resolves the following issues found during internal product testing:

CVE | CVSS base score | Summary
CVE-2017-2305 | 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can create privileged users, allowing privilege escalation.
CVE-2017-2306 | 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | Due to an insufficient authorization check, readonly users on the Junos Space administrative web interface can execute code on the device.
CVE-2017-2307 | 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) | A reflected cross site scripting vulnerability in the Junos Space administrative interface may allow remote attackers to steal sensitive information or perform certain administrative actions on Junos Space.
CVE-2017-2308 | 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) | An XML External Entity Injection vulnerability in Junos Space may allow an authenticated user to read arbitrary files on the device.
CVE-2017-2309 | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | When certificate based authentication is enabled for the Junos Space cluster, some restricted web services are accessible over the network. This represents an information leak risk.
CVE-2017-2310 | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) | A firewall bypass vulnerability in the host based firewall on a Junos Space device may permit certain crafted packets, representing a network integrity risk.
CVE-2017-2311 | 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | An unauthenticated remote attacker with network access to a Junos Space device can easily create a denial of service condition.
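Both tables quote a base score together with its vector. Rows whose vector carries no CVSS:3.0/ prefix are CVSS v2 vectors; the rest are v3.0. The following is an added example (not part of the advisory and not Juniper's tooling) that recomputes base scores from those vectors with the published v2 and v3.0 base equations and checks them against the listed scores. The shortened rows in ADVISORY_ROWS are copied from the tables above; the metric weights are the ones from the two CVSS specifications. It also shows why the two entries scored 0.0 come out that way: a vector with C:N/I:N/A:N has zero impact, and the v2 equation maps zero impact to a base score of 0.0.

```python
"""CVSS v2 and v3.0 base-score calculator for the vector strings quoted in
the advisory tables (added example; not Juniper's own tooling)."""
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 metric weights, from the CVSS v2 specification.
V2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}
V2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}
V2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}
V2_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

# CVSS v3.0 metric weights, from the CVSS v3.0 specification.
V3_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
V3_AC = {"L": 0.77, "H": 0.44}
V3_UI = {"N": 0.85, "R": 0.62}
V3_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
V3_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # Scope Unchanged
         "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # Scope Changed


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' (optionally prefixed 'CVSS:3.0/') into a dict.
    A vector without a CVSS: prefix is treated as v2, as in the advisory."""
    metrics = {"version": "2.0"}
    for part in vector.strip("()").split("/"):
        key, _, value = part.partition(":")
        metrics["version" if key == "CVSS" else key] = value
    return metrics


def _round_half_up(x):
    """CVSS v2 round_to_1_decimal (half-up, unlike Python's banker's round())."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _roundup(x):
    """CVSS v3 Roundup: smallest one-decimal value >= x, tolerant of float noise."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def score_v2(m):
    impact = 10.41 * (1 - (1 - V2_CIA[m["C"]]) * (1 - V2_CIA[m["I"]]) * (1 - V2_CIA[m["A"]]))
    if impact == 0:          # f(Impact) = 0: no C/I/A impact scores 0.0
        return 0.0
    exploitability = 20 * V2_AV[m["AV"]] * V2_AC[m["AC"]] * V2_AU[m["Au"]]
    return _round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)


def score_v3(m):
    scope = m["S"]
    iss = 1 - (1 - V3_CIA[m["C"]]) * (1 - V3_CIA[m["I"]]) * (1 - V3_CIA[m["A"]])
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    exploitability = (8.22 * V3_AV[m["AV"]] * V3_AC[m["AC"]]
                      * V3_PR[scope][m["PR"]] * V3_UI[m["UI"]])
    total = impact + exploitability
    return _roundup(min(total if scope == "U" else 1.08 * total, 10))


def base_score(vector):
    """Dispatch on the CVSS: prefix and return the base score to one decimal."""
    m = parse_vector(vector)
    return score_v3(m) if m["version"].startswith("3") else score_v2(m)


# Rows copied from the advisory tables; the summaries are shortened here.
ADVISORY_ROWS = [
    "CVE-2016-1762 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) The xmlNextChar function in libxml2 ...",
    "CVE-2015-5364 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) The (1) udp_recvmsg and (2) udpv6_recvmsg functions ...",
    "CVE-2015-8325 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C) The do_setup_env function in session.c in sshd ...",
    "CVE-2016-4449 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P) XML external entity (XXE) vulnerability ...",
    "CVE-2016-5387 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) The Apache HTTP Server through 2.4.23 ...",
    "CVE-2016-6662 0.0 (AV:N/AC:L/Au:N/C:N/I:N/A:N) Vulnerability in MySQL ...",
    "CVE-2017-2308 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) An XML External Entity Injection vulnerability ...",
]
_ROW = re.compile(r"^(CVE-\d{4}-\d+)\s+(\d+\.\d)\s+\(([^)]+)\)")


def verify_rows(rows):
    """Return (cve, listed_score, computed_score) for each parseable table row."""
    out = []
    for row in rows:
        m = _ROW.match(row)
        if m:
            cve, listed, vector = m.groups()
            out.append((cve, float(listed), base_score(vector)))
    return out


if __name__ == "__main__":
    for cve, listed, computed in verify_rows(ADVISORY_ROWS):
        state = "match" if listed == computed else "MISMATCH"
        print(f"{cve}: listed {listed}, computed {computed}, {state}")
```

The v2 equation rounds half-up, which Python's `round()` does not, so the rounding goes through `Decimal`; the v3 Roundup works on a scaled integer so that values such as 9.76016 do not round to 9.7 through floating-point noise. When automated triage re-scores advisories from their vectors, it should take the vector from the vendor's text, as done here: the vendor's zero for CVE-2016-6662 and CVE-2016-5195 is expressed in the vector itself, not only in the note beside it.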

In addition to the above, Junos Space release 16.1R1 contains many security improvements and security feature enhancements.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution:
These issues have been resolved in Junos Space 16.1R1 and all subsequent releases.

These issues are being tracked as PRs 1097316, 1082037, 1107640, 1136574, 1201531, 1206933, 1214374, 1214763, 1215142, 1226553, 1231941, 1232770, 1235133, 882239, 975417, 975435, 975452, 975458, 975482, 975495, 983913, 983914, 983940, and 983966, and are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.
Workaround:
  • Limit access to Junos Space from only trusted networks.
  • Use administrative jump boxes with no internet access and employ anti-scripting techniques.
  • In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the devices' administrative interfaces only from trusted, administrative networks or hosts.
Implementation:
How to obtain fixed software:
Junos Space Maintenance Releases are available at http://support.juniper.net from the "Download Software" links. If a Maintenance Release is not adequate and access to Junos Space patches is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you will be provided with the most appropriate Patch Release for your specific situation.
Modification History:
2017-01-11: Initial publication
2018-01-02: Added PR 1231941 reflecting CVE IDs: CVE-2013-2566, CVE-2015-4000 and CVE-2016-2183. PR 1097316 reflecting CVE IDs: CVE-2005-1730, CVE-2009-5111, CVE-2007-6750 and CVE-2012-5568.

Related Links:
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."