Product Affected:STRM series devices and virtual machines with SRTM software releases: 2010.0, 2012.0, 2012.1, 2013.1, 2013.2, WinCollect Agent 7.0.0

Problem:Security Threat Response Manager is vulnerable to the following issues:CVE-2013-5448 A Cross Site Scripting (XSS) vulnerability in STRM software related to “Right Click Plugin” context menus for IP information may allow remote network based attackers to obtain sensitive information or perform administrative actions on STRM. This issue can only be exploited when the plugin menu is enabled (via ip_context_menu.xml file). This is not enabled by default. This vulnerability only affects Juniper STRM versions 2013.1 and 2013.2. CVE-2013-6307 A Cross site scripting vulnerability in STRM may allow remote network based attackers to obtain sensitive information or perform administrative actions on STRM. This issue only affects Juniper STRM versions 2010.0, 2012.0 and 2012.1. CVE-2013-5463 A vulnerability in WinCollect Agent 7.0.0 (WinCollect-7.0.0.382957) or prior versions may allow bypassing security protections by injecting malicious DLL or configuration into the agent, impacting the security of the host it is installed on. This issue only affects Windows hosts where the WinCollect Agent is installed. CVE-2014-0838 A vulnerability in the STRM AutoUpdate process could allow remote commands to be run on STRM devices with root privileges. This vulnerability can be exploited by carrying out man-in-the-middle (MITM) type of attacks to serve malicious updates or by changing STRM settings by the way of the cross-site request forgery (CVE-2014-0835) or cross-site scripting (CVE-2014-0836). These attacks depend on incorrect handling of SSL/TLS certificates (CVE-2014-0837) vulnerability described below. CVE-2014-0835 A Cross-Site Request Forgery (CSRF) vulnerability in STRM AutoUpdate settings page could allow a remote attacker to change the Auto Update settings of the STRM console. CVE-2014-0836 A Cross Site Scripting vulnerability in STRM software could allow a remote network based attacker to obtain sensitive information or perform administrative actions on STRM. CVE-2014-0837 The AutoUpdate process in STRM does not verify the validity of SSL/TLS certificates passed during the initiation of its secure communication. This could allow an attacker to spoof the AutoUpdate Server with no warning to the administrator.

Solution:CVE-2013-5448, CVE-2013-6307 are fixed in STRM 2013.2R5 Patch or later releases. CVE-2013-5463 is fixed by WINCOLLECT AGENT 7.1.2.613248 or later releases. CVE-2014-0838: An AutoUpdate pack to fix this vulnerability is available on https://download.juniper.net since February 12, 2014. To install this AutoUpdate package please perform the following steps: Open a new browser session ensuring that all other websites are closed. Navigate to the STRM Console IP and log into the system as an administrator. Open the ‘Admin’ Tab, and click the ‘Auto Update’ button under ‘System Configuration’. Once the Auto Update settings page appears click ‘Change Settings’ and click the ‘Advanced’ tab. Ensure that the ‘Web Server’ (default: https://download.juniper.net) and ‘Directory’ (default: software/strm/autoupdate/) are valid. Once the settings are verified, navigate to ‘Check for Updates’, and click on the ‘Get New Updates’ button. Wait while the Auto Update runs. You should see a notification once the update has been completed. To verify that the patch has been installed view the /var/log/qradar.log file and look for lines similar to the following:Feb 12 10:07:04 qradar AUTOUPDATE[4986]: Required version is 6.5 We are running 6.2Feb 12 10:07:04 qradar AUTOUPDATE[4986]: Restarting with version 6.5.Feb 12 10:08:02 qradar AUTOUPDATE[8694]: Autoupdate 6.5 initialized.Auto Update Version 6.5 or later have fixes for this vulnerability. This will fix all versions of STRM. Deployments that do not have direct internet access to https://download.juniper.net or manually maintain an internal AutoUpdate server may obtain Juniper STRM auto-update package from STRM software downloads page . ‘Juniper STRM auto-update’ package with file date 12 Feb 2014 or later (AutoUpdate 6.5 or later) has the fixes. CVE-2014-0835, CVE-2014-0836 and CVE-2014-0838 are fixed in STRM 2013.2R6 Patch, 2012.1R7 Patch or later releases. Fixes are pending for CVE-2014-0837. Please refer to Workaround section to mitigate this issue until fixes are available. This advisory would be updated when fixes are available. UPDATE: 25 Mar 2014 – Added solution for CVE-2013-5463, CVE-2014-0835, CVE-2014-0836 and CVE-2014-0838. UPDATE: 13 Feb 2014 – Added solution for CVE-2013-5448, CVE-2013-6307.

Workaround:To mitigate CVE-2013-5448 (XSS vulnerability) disable the IP Right Click Context Plugin by following the steps below. This is applicable to all versions of the product. Using SSH, log in to the STRM Console as the root user:  ssh <consoleip> Move the plugin xml file to a backup file.  mv /opt/qradar/conf/ip_context_menu.xml /opt/qradar/conf/ip_context_menu.xml.bak Restart tomcat  service tomcat restartAfter these steps have been completed, the plugin menu will be disabled and the system is no longer vulnerable to the XSS issue. Once the patch has been applied, the plugin menu can be enabled again. To mitigate CVE-2014-0838 (command execution vulnerability) automatic updates should be temporarily disabled until a fix can be applied. To mitigate CVE-2014-0835 (CSRF vulnerability) do not visit other webpages with the web browser that you are using to access STRM unless you are logged out of the STRM application. Verify that all settings are correct and as desired before deploying your configuration. To mitigate CVE-2013-6307 and CVE-2014-0836 (XSS vulnerability) do not launch the STRM application from links received in an e-mail or from other sources. Verify that all settings are correct and as desired before deploying a configuration. To mitigate CVE-2014-0837 (SSL/TLS validation) verify that all settings for the AutoUpdate are set correctly, and manually ensure that the site set as the update server is valid and trusted by opening the link in a browser or validating the IP address. There are no known workarounds for CVE-2013-5463 (WinCollect DDL injection) vulnerability.

Implementation:STRM software and fixes are available from STRM Software downloads page.

Related Links: CVSS Score:9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Risk Level:High

Risk Assessment:CVE-2014-0838, CVE-2013-5463 have a CVSSv2 base score of 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C). Rest of the issues have a CVSSv2 base score of 4.3 and Vector (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Acknowledgements:

Leave a Reply