October 11, 2018

Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution



DATE OF ISSUE:

October 10th, 2018

 

SUBJECT:

Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution

 

OVERVIEW:

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

 

SYSTEMS AFFECTED:

  • All products and platforms running Junos OS
  • ScreenOS 6.3.0 versions prior to 6.3.0r26
  • Junos Space Security Director prior to 17.2R1
  • Junos Space Network Management Platform prior to 18.2R1

Questions to determine your potential exposure:

1) Is MPLS running on the device?

2) Is IPv6 running on the device?

3) Do you have Junos Space running?

4) Do you have an unprotected fxp0 port?

If the answer to all of these questions is no, then most of these issues do not apply to you.

There are a few other exposed features; the list below maps each feature to its threat (sorted by CVE number):


  • RPD – Error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. (CVE-2018-0050)
  • RSH – Unauthenticated remote root access possible when RSH service is enabled and PAM authentication is disabled. (CVE-2018-0052)
  • JWEB – Denial of Service vulnerability in J-Web service may allow a remote unauthenticated user to cause Denial of Service which may prevent other users to authenticate or to perform J-Web operations. (CVE-2018-0062)

 

RISK

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

 

  • Receipt of a specific MPLS packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. This issue can only be exploited from within the MPLS domain. (CVE-2018-0043)
  • An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty when the SSHD configuration has the PermitEmptyPasswords option set to “yes”. (CVE-2018-0044)
  • Receipt of a specific Draft-Rosen MVPN control packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. (CVE-2018-0045)
  • Multiple vulnerabilities have been resolved in the Junos Space Network Management Platform 18.2R1 release. (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-15906, CVE-2018-0046)
  • Cross-site scripting vulnerability in the UI framework used by Junos Space Security Director may allow authenticated users to inject persistent and malicious scripts. (CVE-2018-0047)
  • Memory exhaustion denial of service vulnerability in Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support. (CVE-2018-0048)
  • NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash when processing a specially crafted malicious MPLS packet. A single packet received by the target victim will cause a Denial of Service condition. The packet must be received on an interface configured to receive this type of traffic. (CVE-2018-0049)
  • Error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. (CVE-2018-0050)
  • Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process when used in NAT or stateful firewall configurations with SIP ALG enabled. (CVE-2018-0051)
  • Unauthenticated remote root access possible when RSH service is enabled and PAM authentication is disabled. (CVE-2018-0052)
  • Authentication bypass vulnerability in the initial boot sequence of Juniper Networks Junos OS on vSRX Series may allow an attacker to gain full control of the system without authentication when the system is initially booted up. (CVE-2018-0053)
  • On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps. (CVE-2018-0054)
  • Receipt of a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment may result in a jdhcpd daemon crash. (CVE-2018-0055)
  • L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces when the l2-backhaul VPN is configured. (CVE-2018-0056)
  • Junos OS: authd allows assignment of the IP address requested by a DHCP subscriber logging in with Option 50 (Requested IP Address), which could result in unauthorized information disclosure or denial of service for valid subscribers. (CVE-2018-0057)
  • In BBE configurations, receipt of a specially crafted IPv6 exception packet, Broadband Edge (BBE) client route, causes a Denial of Service. (CVE-2018-0058)
  • A persistent cross-site scripting vulnerability in the graphical user interface of ScreenOS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. (CVE-2018-0059)
  • An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. (CVE-2018-0060)
  • Denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance. (CVE-2018-0061)
  • Denial of Service vulnerability in J-Web service may allow a remote unauthenticated user to cause Denial of Service which may prevent other users to authenticate or to perform J-Web operations. (CVE-2018-0062)
  • Multiple vulnerabilities in the ntpd (NTP daemon) of Juniper Products running Junos OS where the most severe of these vulnerabilities may allow arbitrary code execution. (CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183)
  • Vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private Internal routing interfaces (IRIs) next-hop limit. Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. (CVE-2018-0063)
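As an added defensive example (not code from this advisory, from Juniper, or from any of the referenced JSAs), the following Python script shows the weak sshd configuration behind CVE-2018-0044 beside its corrected form: it parses an sshd_config fragment, reports every `PermitEmptyPasswords yes` directive together with the `Match` block it is scoped to, and rewrites each one to `no`. The sample configuration, the function names and the file layout are constructed assumptions; nothing here is taken from an NFX device.

```python
import re
from typing import List, Tuple

# Constructed sample sshd_config fragment (not from any real device). It carries
# the weak setting described for CVE-2018-0044, once globally and once inside a
# Match block, so both scopes are exercised.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin no
PermitEmptyPasswords yes
PasswordAuthentication yes

Match User backup
    PermitEmptyPasswords yes
"""

DIRECTIVE = "permitemptypasswords"


def parse_sshd_config(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, scope, keyword, value) for every directive in the text.

    sshd keywords are case-insensitive and may be written as 'Key value' or
    'Key=value'. Only lines whose first non-blank character is '#' are comments.
    Directives after a 'Match' line apply only to that block, so the scope is
    tracked and reported with each entry.
    """
    entries = []
    scope = "global"
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            scope = "Match " + value
            continue
        entries.append((no, scope, keyword, value))
    return entries


def find_empty_password_findings(text: str) -> List[Tuple[int, str]]:
    """Lines (with their scope) where PermitEmptyPasswords is set to 'yes'."""
    return [
        (no, scope)
        for no, scope, key, val in parse_sshd_config(text)
        if key == DIRECTIVE and val.lower() == "yes"
    ]


def harden(text: str) -> str:
    """Rewrite every PermitEmptyPasswords directive to 'no', preserving layout
    and comments. If the file never set it, append an explicit global
    'PermitEmptyPasswords no' (OpenSSH's default is already 'no'; stating it
    makes the intent visible to the next reviewer).
    """
    out = []
    seen = False
    for raw in text.splitlines():
        is_comment = raw.lstrip().startswith("#")
        if not is_comment and re.match(r"\s*permitemptypasswords\b", raw, re.IGNORECASE):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}PermitEmptyPasswords no")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("PermitEmptyPasswords no")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, scope in find_empty_password_findings(SAMPLE_SSHD_CONFIG):
        print(f"line {line_no} ({scope}): PermitEmptyPasswords yes")
    print("--- hardened ---")
    print(harden(SAMPLE_SSHD_CONFIG), end="")
```

Run against a real file with `harden(open("/etc/ssh/sshd_config").read())` and review the diff before installing it; on a host where OpenSSH's `sshd -T` is available, that command prints the effective value and confirms the change took effect. The `Match`-scope tracking matters because a global `no` is silently undone by a `yes` inside a `Match` block, which a plain grep for the global line would miss.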

 

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

RECOMMENDATIONS:

Since these are published vulnerabilities (each has an assigned CVE number), organizations can determine their exposure by scanning their Juniper systems for these CVEs with a vulnerability scanner. If you do not have the ability, or do not own a scan tool, Integration Partners can perform this scan as part of our Vulnerability Management service.

 

We recommend the following actions be taken if these vulnerabilities are found in your environment:

 

  • Apply appropriate patches provided by Juniper to vulnerable systems immediately after appropriate testing.
  • Disable all unnecessary services.
  • Restrict access to devices and applications from only authorized users and hosts.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

 

REFERENCES:

Juniper:

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10878&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10879&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10880&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10881&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10882&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10883&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10884&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10885&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10886&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10887&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10888&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10889&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10890&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10892&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10893&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10894&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10895&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10896&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10897&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10898&cat=SIRT_1&actp=LIST

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10899&cat=SIRT_1&actp=LIST

 

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0043

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0044

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0045

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0046

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0048

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0049

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0050

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0051

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0052

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0053

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0054

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0055

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0056

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0057

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0058

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0059

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0061

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0062

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0063

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185