Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

2019-04 Security Bulletin: Junos OS: Multiple FreeBSD vulnerabilities fixed in Junos OS.

0

0

Article ID: JSA10937 SECURITY_ADVISORIES Last Updated: 12 Apr 2019Version: 4.0
Product Affected:
Junos OS
Problem:

Multiple vulnerabilities that affect FreeBSD have been fixed in Junos OS.

Most Juniper devices are deployed in a manner that will offer multiple layers of protection against successful exploit of these issues.

Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, which is required for successful exploitation of these vulnerabilities.

Junos OS can only execute code signed by Juniper (e.g. veriexec code-signing validation in Junos OS). This ensures that only code signed by Juniper can be executed on the device. Administrators can check whether veriexec is enforced by running the following command from the Junos OS shell:

% sysctl security.mac.veriexec.state

if veriexec is enforced, the output should be:

security.mac.veriexec.state: loaded active enforce

Additionally, on the platforms where veriexec is not enforced, the ability to load or execute code is limited only to privilege users.

Note: on older Junos OS versions, the above command might give a different result, on these releases the alternative command is:

/sbin/veriexec -i enforce

the exit status will be 0 (true) if it is being enforced.

If veriexec is enforced:

% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
%

if veriexec is not enforced:

% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
ERROR: veriexec not enforced
%

The vulnerabilities fixed include:

CVE CVSS Summary
CVE-2018-3620 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
CVE-2018-3646 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
CVE-2018-6924 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) Insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory.
 

 

Solution:

CVE-2018-6924 has been resolved in Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X53-D237, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X9, 16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.2X75-D105, 17.3R3-S4, 17.4R1-S6, 17.4R2-S2, 17.4X5, 18.1R2-S4, 18.1R3-S3, 18.2X41, 18.2X5, 18.3R1-S2, 18.3R2, 18.4R1, 18.4X1 and all subsequent releases (PR 1387416).

CVE-2018-3620, CVE-2018-3646 have been resolved in Junos OS 17.4R1-S6, 17.4R2-S2, 17.4X5, 18.1R2-S4, 18.1R3-S3, 18.2X41, 18.2X5, 18.3R1-S2, 18.3R2, 18.4R1, 18.4X1 and all subsequent releases (PR 1381696)

These issues are being tracked as PR 1381696 and 1387416 which are visible on the Customer Support website.

Workaround:

Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, hence prevent exploitation of these vulnerabilities.

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
  • 2019-04-10: Initial Publication.

 

CVSS Score:
7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
Severity Level:
High
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search