2019-04 Security Bulletin: Junos OS: Multiple FreeBSD vulnerabilities fixed in Junos OS.

  [JSA10937]


Product Affected:
Junos OS
Problem:

Multiple vulnerabilities that affect FreeBSD have been fixed in Junos OS.

Most Juniper devices are deployed in a manner that offers multiple layers of protection against successful exploitation of these issues.

Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, which is required for successful exploitation of these vulnerabilities.

Junos OS can only execute code signed by Juniper (e.g. veriexec code-signing validation in Junos OS). This ensures that only code signed by Juniper can be executed on the device. Administrators can check whether veriexec is enforced by running the following command from the Junos OS shell:

% sysctl security.mac.veriexec.state

If veriexec is enforced, the output should be:

security.mac.veriexec.state: loaded active enforce

Additionally, on the platforms where veriexec is not enforced, the ability to load or execute code is limited to privileged users.

Note: on older Junos OS versions, the above command might give a different result. On these releases the alternative command is:

/sbin/veriexec -i enforce

The exit status will be 0 (true) if it is being enforced.

If veriexec is enforced:

% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
%

If veriexec is not enforced:

% /sbin/veriexec -i enforce || echo "ERROR: veriexec not enforced"
ERROR: veriexec not enforced
%
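
The two checks above combined into one script, as an added example that is not Juniper's code: it tries the sysctl first and falls back to /sbin/veriexec -i enforce whenever the output differs from the string shown above. SYSCTL_BIN and VERIEXEC_BIN are hypothetical override variables, and the "unknown" result is an assumption for hosts where neither command is usable.

```shell
#!/bin/sh
# Added example: one veriexec enforcement check built from the two commands
# in this bulletin. SYSCTL_BIN / VERIEXEC_BIN are hypothetical overrides so
# the logic can be exercised off-box with stub commands.
SYSCTL_BIN=${SYSCTL_BIN:-sysctl}
VERIEXEC_BIN=${VERIEXEC_BIN:-/sbin/veriexec}

# Return 0 only for the exact sysctl line the bulletin lists as "enforced".
state_line_enforced() {
    case "$1" in
        "security.mac.veriexec.state: loaded active enforce") return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "enforced", "not-enforced" or "unknown"; returns 0, 1 or 2.
veriexec_status() {
    line=$("$SYSCTL_BIN" security.mac.veriexec.state 2>/dev/null) || line=""
    if state_line_enforced "$line"; then
        echo enforced
        return 0
    fi
    # Any other sysctl result (e.g. an older release): rely on the exit
    # status of the alternative command instead of guessing at the output.
    if ! command -v "$VERIEXEC_BIN" >/dev/null 2>&1; then
        echo unknown          # assumption: neither check is available here
        return 2
    fi
    if "$VERIEXEC_BIN" -i enforce >/dev/null 2>&1; then
        echo enforced
        return 0
    fi
    echo not-enforced
    return 1
}

# Run the check only when asked to: sh veriexec_check.sh --check
if [ "${1:-}" = "--check" ]; then
    veriexec_status
    exit $?
fi
```

The exit status (0 enforced, 1 not enforced, 2 unknown) lets a configuration audit flag devices that need a closer look.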

The vulnerabilities fixed include:

CVE | CVSS | Summary
CVE-2018-3620 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis.
CVE-2018-3646 | 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N) | Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis.
CVE-2018-6924 | 7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H) | Insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory.

Solution:

CVE-2018-6924 has been resolved in Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X53-D237, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X9, 16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.2X75-D105, 17.3R3-S4, 17.4R1-S6, 17.4R2-S2, 17.4X5, 18.1R2-S4, 18.1R3-S3, 18.2X41, 18.2X5, 18.3R1-S2, 18.3R2, 18.4R1, 18.4X1 and all subsequent releases (PR 1387416).

CVE-2018-3620 and CVE-2018-3646 have been resolved in Junos OS 17.4R1-S6, 17.4R2-S2, 17.4X5, 18.1R2-S4, 18.1R3-S3, 18.2X41, 18.2X5, 18.3R1-S2, 18.3R2, 18.4R1, 18.4X1 and all subsequent releases (PR 1381696).

These issues are being tracked as PRs 1381696 and 1387416, which are visible on the Customer Support website.

Workaround:

Limiting access to critical infrastructure networking equipment to only trusted administrators from trusted administrative networks or hosts will prevent untrusted code execution, and hence prevent exploitation of these vulnerabilities.

Implementation:
Software releases, patches and updates are available at https://www.juniper.net/support/downloads/.
Modification History:
  • 2019-04-10: Initial Publication.

 

CVSS Score:
7.1 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
Risk Level:
High
Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."