
2019-01 Security Bulletin: Juniper ATP: Multiple vulnerabilities resolved in 5.0.3 and 5.0.4


Article ID: JSA10918 SECURITY_ADVISORIES Last Updated: 14 Jan 2019 Version: 3.0
Product Affected:
Juniper ATP
Problem:

Multiple vulnerabilities have been resolved in the Juniper ATP 5.0.3 and 5.0.4 releases by fixing the vulnerabilities found during internal testing and updating the third-party software packages included with Juniper ATP.

Important security issues resolved include:

| CVE | CVSS | Summary |
|---|---|---|
| CVE-2019-0018 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the file upload menu of Juniper ATP may allow an authenticated user to inject arbitrary scripts and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |
| CVE-2017-11610 | 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | The XML-RPC server in supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3 allows remote authenticated users to execute arbitrary commands via a crafted XML-RPC request, related to nested supervisord namespace lookups. |
| CVE-2019-0023 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the Golden VM menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |
| CVE-2019-0030 | 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) | Juniper ATP uses DES and a hardcoded salt for password hashing, allowing for trivial de-hashing of the password file contents. |
| CVE-2019-0021 | 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) | On Juniper ATP, secret passphrase CLI inputs, such as "set mcm", are logged to /var/log/syslog in clear text, allowing an authenticated local user to view this secret information. |
| CVE-2019-0020 | 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Juniper ATP: Hard coded credentials used in Web Collector |
| CVE-2019-0022 | 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Juniper ATP: Two hardcoded credentials sharing the same password give an attacker the ability to take control of any installation of the software. |
| CVE-2019-0025 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the RADIUS configuration menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |
| CVE-2019-0026 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the Zone configuration of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |
| CVE-2019-0029 | 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) | On Juniper ATP, the Splunk credentials are logged in a file readable by authenticated local users. Using these credentials an attacker can access the Splunk server. |
| CVE-2019-0004 | 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) | The API key and the device key are logged in a file readable by authenticated local users. These keys are used for performing critical operations on the WebUI interface. |
| CVE-2019-0024 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the Email Collectors menu of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |
| CVE-2019-0027 | 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) | A persistent cross-site scripting (XSS) vulnerability in the Snort Rules configuration of Juniper ATP may allow an authenticated user to inject arbitrary script and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. |

Solution:
  • CVE-2019-0018, CVE-2019-0023, CVE-2019-0020, CVE-2019-0022, CVE-2019-0025, CVE-2019-0026, CVE-2019-0024, CVE-2019-0027, CVE-2017-11610

    The following software releases have been updated to resolve these specific issues: 5.0.3 and all subsequent releases.

  • CVE-2019-0030

    The following software releases have been updated to resolve this specific issue: 5.0.3 and all subsequent releases.

    It is suggested to change any credentials after the upgrade to the fixed version.

  • CVE-2019-0021

    The following software releases have been updated to resolve this specific issue: 5.0.4 and all subsequent releases.

    It is also recommended to purge the affected log files and/or change the passphrase after the upgrade.

  • CVE-2019-0029

    The following software releases have been updated to resolve this specific issue: 5.0.3 and all subsequent releases.

    It is suggested to change the Splunk credentials after the upgrade to the fixed version.

  • CVE-2019-0004

    The following software releases have been updated to resolve this specific issue: 5.0.3 and all subsequent releases.

    It is also recommended to change the device key after the upgrade.

These issues are being tracked as PR 1365584, 1365614, 1365976, 1365987, 1365676, 1365592, 1365609, 1365617, 1365601, 1365691, 1365606, 1365605, 1365985 and 1366352 which are visible on the Customer Support website.
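
One way to find and scrub the log entries behind CVE-2019-0021 before purging, as an added example that is not Juniper's code: it scans syslog-style lines, including gzip-rotated files, for secret-bearing CLI commands and redacts their arguments. Only `set mcm` and /var/log/syslog come from the advisory; the sample lines, the log layout and the function names are constructed assumptions.

```python
import gzip
import re

# Assumption: CLI commands whose arguments are secrets. Only "set mcm" is
# named in the advisory; extend the tuple for your own deployment.
SECRET_COMMANDS = ("set mcm",)

def _pattern(commands):
    # Command words separated by any whitespace, then the rest of the line
    # (the part that may hold the passphrase).
    alts = "|".join(r"\s+".join(map(re.escape, c.split())) for c in commands)
    return re.compile(rf"(?P<cmd>\b(?:{alts})\b)(?P<args>.*)$", re.IGNORECASE)

def scrub(lines, commands=SECRET_COMMANDS):
    """Return (redacted_lines, findings); a finding is (line_no, command)."""
    pat = _pattern(commands)
    redacted, findings = [], []
    for no, line in enumerate(lines, start=1):
        text = line.rstrip("\n")
        m = pat.search(text)
        if m and m.group("args").strip():  # command with no argument leaks nothing
            findings.append((no, " ".join(m.group("cmd").lower().split())))
            text = text[:m.end("cmd")] + " [REDACTED]"
        redacted.append(text)
    return redacted, findings

def affected_files(paths, commands=SECRET_COMMANDS):
    """Map each log path (plain or gzip-rotated) to its findings, if any."""
    hits = {}
    for path in map(str, paths):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt", errors="replace") as fh:
            _, found = scrub(fh, commands)
        if found:
            hits[path] = found
    return hits

# Constructed sample lines: the advisory does not show the real log layout.
SAMPLE = [
    "Jan  9 10:01:12 atp cli[2211]: user=admin cmd=set mcm Examp1e-Passphrase-1",
    "Jan  9 10:02:40 atp sshd[988]: Accepted publickey for admin from 192.0.2.9",
    "Jan  9 10:03:05 atp cli[2211]: user=admin cmd=SET  MCM Examp1e-Passphrase-2",
    "Jan  9 10:04:00 atp cli[2211]: user=admin cmd=show mcm",
]

if __name__ == "__main__":
    for line in scrub(SAMPLE)[0]:
        print(line)
```

Any file returned by `affected_files` held a passphrase in clear text, so that passphrase should be changed even after the file is purged.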

Workaround:

There are no known workarounds for this issue; however, limiting access to only trusted administrators from trusted administrative networks or hosts would minimize the risk.

Implementation:
Software releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
  • 2019-01-09: Initial Publication.
  • 2019-01-14: Update the CVSS score for CVE-2019-0029.
CVSS Score:
10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
