2017-10 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 17.1R1 release

[JSA10826]


Product Affected:
This issue affects Juniper Networks Junos Space versions prior to 17.1R1.
Problem:

Multiple vulnerabilities have been resolved in Junos Space 17.1R1 release.

Important security issues resolved as a result of these upgrades include,

 
CVE | CVSS base score | Summary
CVE-2017-7494 | 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) | Samba since version 3.5.0 is vulnerable to a remote code execution vulnerability that allows a malicious client to upload a shared library to a writable share and then cause the server to load and execute it.
CVE-2017-1000365 | 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) | The Linux Kernel imposes a size restriction on the arguments and environment strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in Linux Kernel version 2.6.23.
CVE-2017-1000366 | 7.4 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) | glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory, but these issues are not directly exploitable, so they have not been given a CVE. This affects glibc 2.25 and earlier.
CVE-2017-1000371 | 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) | The offset2lib patch as used by the Linux Kernel contains a vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction), then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
CVE-2017-1000379 | 2.9 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) | The Linux Kernel running on AMD64 systems will sometimes map the contents of a PIE executable, the heap or ld.so to where the stack is mapped, allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected.
CVE-2016-2516 | 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) | NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.
CVE-2017-1000367 | 6.9 (AV:L/AC:M/Au:N/C:C/I:C/A:C) | Todd Miller's sudo version 1.8.20 and earlier is vulnerable to an input validation flaw (embedded spaces) in the get_process_ttyname() function, resulting in information disclosure and command execution.
CVE-2016-1548 | 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) | An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the NTP client will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.
CVE-2017-1000364 | 6.2 (AV:L/AC:H/Au:N/C:C/I:C/A:C) | An issue was discovered in the size of the stack guard page on Linux: specifically, a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux Kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010).
CVE-2016-1547 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | An off-path attacker can cause a preemptible client association to be demobilized in NTP by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.
CVE-2016-1550 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | An exploitable vulnerability exists in the message authentication functionality of libntp in NTP. An attacker can send a series of crafted messages to attempt to recover the message digest key.
CVE-2016-2518 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The MATCH_ASSOC function in NTP allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.
CVE-2016-2517 | 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) | NTP allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.
CVE-2016-2519 | 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) | ntpd allows remote attackers to cause a denial of service (ntpd abort) via a large request data value, which triggers the ctl_getitem function to return a NULL value.
CVE-2016-1549 | 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) | A malicious authenticated peer can create arbitrarily many ephemeral associations in order to win the clock selection algorithm in ntpd and modify a victim's clock.
CVE-2016-1551 | 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) | ntpd relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source IP address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker.
CVE-2017-1000369 | 2.1 (AV:L/AC:L/Au:N/C:N/I:P/A:N) | Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed; used in conjunction with other issues, this allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time.

Apart from the above issues, Junos Space 17.1R1 also resolves the following issues found during internal product testing:

CVE | CVSS base score | Summary
CVE-2017-10612 | 8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) | A persistent cross-site scripting vulnerability in Juniper Networks Junos Space allows users who can change certain configuration to implant malicious JavaScript or HTML, which may be used to steal information or perform actions as other Junos Space users or administrators. (PR 1231289)
CVE-2017-10623 | 7.1 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) | Lack of authentication and authorization of cluster messages in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to intercept, inject or disrupt Junos Space cluster operations between two nodes. (PR 983910)
CVE-2017-10624 | 7.5 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) | Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to the Space database or add nodes. (PR 1176959)

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution:

The following software releases have been updated to resolve these issues: 17.1R1 and all subsequent releases.

These issues are being tracked as PRs 1290443, 1231289, 983910, 1176959, 1214448 and are visible on the Customer Support website.

Workaround:

There are no viable workarounds for these issues.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

Implementation:
Junos Space Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/space.
Modification History:
2017-10-11: Initial Publication.
2017-10-17: Fix summary descriptions of CVE-2017-10623, CVE-2017-10624.
CVSS Score:
8.0 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."