Knowledge Search


×
 

2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature. (CVE-2017-2343)

  [JSA10791] Show Article Properties


Product Affected:
This issue affects Junos OS 12.3X48, 15.1X49. Affected platforms: SRX series.
Problem:

The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall polices.

As part of an internal security review of the UserFW services authentication API, hardcoded credentials were identified and removed which can impact both the SRX Series device, and potentially LDAP and Active Directory integrated points.

These credentials may be passed in clear text, or passed in an encrypted format. It may also be possible for a skilled attacker to illicitly decompile the system software to gain access to these credentials and form additional attacks.

Credentials may be taken from the network via man-in-the-middle attacks, or other attack vectors, as above, or others not listed.

An attacker may be able to completely compromise both the SRX Series device without authentication, other SRX Series devices deployed in the same environment running vulnerable versions of Junos OS, as well as Active Directory servers and service, including but not limited to, user accounts, workstations, servers performing other functions such as email, database, etc. which are also tied to the Active Directory deployment. Inter-Forest Active Directory deployments may also be at risk as the attacker may gain full administrative control over one or more Active Directories depending on the credentials supplied by the administrator of the AD domains and SRX devices performing integrated authentication of users, groups and devices.

To identify if your device is potentially vulnerable to exploitation, check to see if the service is operating; from CLI review the following output:

root@SRX-Firewall# run show services user-identification active-directory-access domain-controller status extensive

A result of "Status: Connected" will indicate that the service is active on the device.

To evaluate if user authentication is occurring through the device:

root@SRX-Firewall# run show services user-identification active-directory-access active-directory-authentication-table all

Next review the results to see if valid users and groups are returned. e.g.

Domain: juniperlab.com
Total entries: 3
Source IP Username groups state
172.16.26.1 administrator Valid
192.168.26.2 engg01 engineers Valid
192.168.26.3 guest01 guests Valid

Domain: NULL
Total entries: 8
Source IP Username groups state
192.168.26.4 Invalid
192.168.26.5 Invalid

This will also indicate that Valid users and groups are authenticating through the device.

Affected releases are Juniper Networks Junos OS 12.3X48 from 12.3X48-D30 and prior to 12.3X48-D35 on SRX series; 15.1X49 from 15.1X49-D40 and prior to 15.1X49-D50 on SRX series.

Devices on any version of Junos OS 12.1X46, or 12.1X47 are unaffected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-2343.

Solution:

The following software releases have been updated to resolve this specific issue: 12.3X48-D35, 15.1X49-D50, and all subsequent releases.

This issue is being tracked as PR 1171966 and is visible on the Customer Support website.

Workaround:

There is no workaround to completely mitigate the risk of this issue.

Customers may reduce the risk of exploitation of this issue by disabling the UserFW service on devices running the service until such time that a fix can be taken.

Implementation:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
Modification History:
  • 2017-07-12: Initial Publication.

 

Related Links:
CVSS Score:
10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."