2017-04 Security Bulletin: Multiple Vulnerabilities in NorthStar Controller Application before version 2.1.0 Service Pack 1.

[JSA10783]


Product Affected:
These issues can affect any version of the NorthStar Controller Application prior to version 2.1.0 Service Pack 1.
Problem:
Multiple vulnerabilities have been resolved in the NorthStar Controller Application starting from version 2.1.0 Service Pack 1 and all subsequent releases.

Critical security issues resolved as a result of these upgrades as they apply to Juniper's NorthStar Controller Application are:
 
CVE CVSS v3 base score Summary
CVE-2015-4620 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.
CVE-2015-5477 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries.
CVE-2015-3456 8.0 (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
CVE-2015-3209 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
CVE-2015-1349 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.
CVE-2013-4450 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
CVE-2015-5307 7.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c.
CVE-2015-8104 7.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c.
CVE-2015-2808 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Apart from the above issues, the NorthStar Controller Application in 2.1.0 Service Pack 1 and all subsequent releases also resolves the following issues found during internal product testing:
 
CVE CVSS v3 base score Summary
CVE-2017-2316 6.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) An authenticated malicious user may cause a buffer overflow leading to a denial of service.
CVE-2017-2317 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) An unauthenticated, unprivileged, network-based attacker may cause denials of services to underlying database tables leading to potential information disclosure, modification of system states, and partial to full denial of services relying upon data modified by an attacker.
CVE-2017-2318 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) An authenticated malicious user may read log files which will compromise the integrity of the system, or provide elevation of privileges.
CVE-2017-2319 8.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) A malicious attacker may compromise the system's confidentiality or integrity without authentication, leading to managed systems being compromised or services being denied to authentic end users and systems as a result.
CVE-2017-2320 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) An unauthenticated, unprivileged, network-based attacker may cause various denials of services leading to targeted information disclosure, modification of any component of the NorthStar system, including managed systems, and full denial of services to any systems under management which NorthStar interacts with using read-only or read-write credentials.
CVE-2017-2321 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H) An unauthenticated, unprivileged, network-based attacker may cause various system services partial to full denials of services, modification of system states and files, and potential disclosure of sensitive information which may assist the attacker in further attacks on the system through the use of multiple attack vectors, including man-in-the-middle attacks, file injections, and malicious execution of commands causing out of bound memory conditions leading to other attacks.
CVE-2017-2322 5.2 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L) An authenticated user can cause widespread denials of service to system services by consuming TCP and UDP ports which are normally reserved for other system services.
CVE-2017-2323 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) A malicious attacker crafting packets destined to the device may cause a persistent denial of service to the Path Computation Server service.
CVE-2017-2324 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) A network-based malicious attacker can cause a denial of service via remote command injection.
CVE-2017-2325 8.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L) An authenticated malicious user may cause a buffer overflow leading to a denial of service.
CVE-2017-2326 8.4 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) An unprivileged, authenticated, network-based attacker can replicate the underlying Junos OS VM and all data it maintains to their local system for future analysis.
CVE-2017-2327 5.9 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H) An authenticated malicious user may be able to consume large amounts of system resources leading to a cascading denial of services.
CVE-2017-2328 5.5 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) An unprivileged, authenticated user can elevate their permissions through reading unprivileged information stored in the NorthStar controller.
CVE-2017-2329 6.2 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) An unprivileged, authenticated user can execute certain specific unprivileged system files capable of causing widespread denials of system services.
CVE-2017-2330 6.2 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) An unauthenticated local user may create a fork bomb scenario, also known as a rabbit virus or wabbit, which will create processes that replicate themselves until all resources are consumed on the system, leading to a denial of service to the entire system until it is restarted. Continued attacks by an unauthenticated local user can lead to persistent denials of service.
CVE-2017-2331 7.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) A network-based malicious attacker can bypass firewall policies, leading to authentication bypass methods, information disclosure, modification of system files, and denials of service.
CVE-2017-2332 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) An insufficient authentication vulnerability may allow a malicious, network-based, unauthenticated attacker to perform privileged actions to gain complete control over the environment.
CVE-2017-2333 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) A malicious, network-based, authenticated attacker may be able to consume enough system resources to cause a persistent denial of service by visiting certain specific URLs on the server.
CVE-2017-2334 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) A network-based malicious attacker can perform a man-in-the-middle attack, thereby stealing authentic credentials from encrypted paths which are easily decrypted, and subsequently gain complete control of the system.

In addition to the above, the NorthStar Controller Application in 2.1.0 Service Pack 1 and all subsequent releases contains many security improvements and security feature enhancements.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.
 
Solution:
These issues have been resolved in the NorthStar Controller Application starting in 2.1.0 Service Pack 1 and all subsequent releases.

These issues are being tracked as PRs 1103674, 1103676, 1103678, 1106089, 1106094, 1106801, 1106892, 1107562, 1107564, 1107608, 1108490, 1108919, 1108951, 1109646, 1110003, 1110039, 1112391, 1111575, 1112725, 1112779, 1113092, 1113876, 1114956, 1115789, 1116107, 1116132, 1116168, 1116176, 1116515, 1118661, 1136576, 1178592, 1183288, 1183581, 1183595, 1183610, 1183612, and 1183615, and are visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
 
Workaround:
  • Limit access to the NorthStar Controller Application to trusted networks only.
  • Use administrative jump boxes with no internet access and employ anti-scripting techniques.
  • In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device's administrative interfaces to trusted administrative networks or hosts only.
Implementation:
How to obtain fixed software:
NorthStar Controller Application Releases are available at http://support.juniper.net from the "Download Software" links. If an Application Release is not adequate and access to NorthStar Application Service Packs or upstream releases is needed, open a customer support case. A JTAC engineer will review your request and respond, ensuring that you are provided with the most appropriate version / Service Pack for your specific situation. Upstream releases include all downstream release fixes, and any downstream application Service Packs.

 
Modification History:
2017-04-12: Initial publication

CVSS Score:
10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."