Knowledge Search


×
 

2017-10 Security Bulletin: Multiple Products: "Dirty COW" Linux Kernel Local Privilege Escalation (CVE-2016-5195)

  [JSA10807] Show Article Properties


Product Affected:
This issue affects Junos OS 14.1R, 14.1X53, 14.2R, 15.1R, 15.1F, 15.1F, 15.1X49, 15.1X53, 16.1R. Affected platforms: vRR, vMX, SRX, EX, QFX, PTX, T. This issue affects Network and Security Manager 2012.2. This issue affects CTPView 7.1R, 7.2R1, 7.3R. This issue affected Sky Advanced Threat Prevention.
Problem:

A race condition in Linux allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping. This issue is also known as "Dirty COW."

Note for Junos OS in a virtualized environment:

Junos OS as Host OS with virtualized Junos Guest OS's; and Junos OS non-virtualized; or Junos OS as the Host OS is not vulnerable to this issue.

Customers using Junos OS as a Guest OS in a virtualized Linux-based environment such as VMWare, Wind River Linux, CentOS, Red Hat Enterprise Linux, etc. as the Host OS are advised that exploitation is not possible by default as there is no valid attack vector to exploit the vulnerability that Juniper ships with its products. The underlying Linux kernel in the Host OS may have the vulnerability present in the software packages Juniper provides. Vulnerability scanners may alert that the vulnerability is present if these virtualization packages are used. Should customers make changes to these Host OS Linux packages, customers may inadvertently expose this vulnerability to potential exploitation by an attacker. If customers require a fully-fixed version of Junos OS as Guest OS running on top of a Linux-Based Host OS, then customers should move to a fixed version as listed in the Junos OS Solutions section of the advisory. If Juniper does not provide the underlying package, customers should consult their manufacturer for guidance.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability on Juniper devices. However, public exploits are available for this vulnerability.

This issue has been assigned CVE-2016-5195.

 

Solution:

The following software releases have been updated to resolve this specific issue:

Junos OS:

14.1X53-D46, 15.1X49-D80, 15.1X53-D49, 15.1X53-D61, 15.1X53-D470, 16.1R3-S6, and all subsequent releases. Any products using VMWare ESXi images should refer to VMWare's VMSA VMSA-2016-0018 advisory for guidance.

NSM:

2012.2R12 CentOS 6.5 Upgrade Package v3, and all subsequent releases.

CTP View:

7.1R4, and 7.3R2 and subsequent releases.

Sky ATP:

CVE-2016-5195 was fixed on Nov 17th 2016 for the Sky ATP cloud hosted service.

This issue is being tracked as PR 1227266 for Junos OS, 1226969 for CTPView, 1227267 for Sky ATP and 1227270 for NSM and are visible on the Customer Support website.

Workaround:

There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

Implementation:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

NSM Maintenance Releases are available at http://support.juniper.net from the "Download Software" links.  If a Maintenance Release is not adequate and access to NSM patches is  needed, open a customer support case.  A JTAC engineer will review your  request and respond, ensuring that you will be provided with the most  appropriate Patch Release for your specific situation.
 
Modification History:
‚Äč2017-10-11: Initial Publication.
Related Links:
CVSS Score:
7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.