Knowledge Search


×
 

2017-10 Security Bulletin: SRX Series: Cryptographic weakness in SRX300 Series TPM Firmware (CVE-2017-10606)

  [JSA10809] Show Article Properties


Product Affected:
This issue affects Juniper Networks Junos OS 15.1X49 prior to TPM firmware version 4.43 on SRX300 Series.
Problem:
Version 4.40 of the TPM (Trusted Platform Module) firmware has a weakness in generating cryptographic keys that may allow an attacker to decrypt sensitive information in SRX300 Series products. The TPM is used in the SRX300 Series to encrypt sensitive configuration data. While other products also ship with a TPM, no other products or platforms are affected by this vulnerability.

Customers can confirm the version of TPM firmware via the 'show security tpm status' command:

user@junos> show security tpm status
TPM Status:
  Enabled: yes
  Owned: yes
  Master Binding Key: created
  Master Encryption Key: configured
        TPM Family: 1.2
        TPM Firmware revision: 4.40


This issue was discovered by an external security researcher.

No other Juniper Networks products or platforms are affected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10606.
 
Solution:
TPM firmware version 4.43 resolves this specific issue. Updating TPM firmware requires one of the following software releases: Junos OS 15.1X49-D111, 17.4R1, or any subsequent release.

Note: Junos OS 17.3 is unaffected by this issue since TPM functionality is not supported in this release.

The TPM firmware is updated via a special "jtpm" package available for download along with the updated Junos OS package. Refer to KB32288 for download information and directions on how to upgrade the TPM firmware on SRX300 Series devices.

This issue is being tracked as PR 1293114 and is visible on the Customer Support website.
Workaround:
Until the TPM firmware can be updated, use access lists or firewall filters to limit access to the router via CLI only from trusted hosts, and limit access to the Junos shell only to trusted administrators.
 
Implementation:
Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.
 
Modification History:
2017-10-11: Initial Publication.
2017-10-11: Release of 15.1X49-D111 delayed until 2017-10-18.  Workaround updated.
2017-11-01: Referred to KB32288 for TPM upgrade instructions.
Related Links:
CVSS Score:
4.4 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Risk Level:
Medium
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."