2014-11 Security Bulletin: Network and Security Manager NSM Appliances: Multiple vulnerabilities
Product Affected: NSM3000 and NSMXpress Appliances with NSM release 2012.2
Problem: Third-party software upgrades provided with the NSM offline or online upgrade package v3 resolve the following vulnerabilities, which affect NSM 2012.2 releases on the NSM3000 and NSMXpress appliances:

CVE                               CVSS v2 base score                 Summary
CVE-2014-6271, CVE-2014-7169,     10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)    Bash shell command injection vulnerability, also known as "ShellShock". See JSA10648.
CVE-2014-7186, CVE-2014-7187,
CVE-2014-6277, CVE-2014-6278
CVE-2014-2532                     5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)   OpenSSH vulnerability (wildcard handling in AcceptEnv) that may allow remote attackers to bypass intended environment restrictions.
CVE-2010-5107                     5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)   OpenSSH insecure default configuration (MaxStartups/LoginGraceTime) that can result in a denial of service through connection-slot exhaustion.
CVE-2010-4755                     4.0 (AV:N/AC:L/Au:S/C:N/I:N/A:P)   OpenSSH SFTP denial of service due to crafted glob expressions.
CVE-2011-5000                     3.5 (AV:N/AC:M/Au:S/C:N/I:N/A:P)   OpenSSH denial of service related to GSSAPI.

Note: NSM server software installed on generic Linux or Solaris servers is not covered by the appliance upgrade package and may require OpenSSH fixes from the server OS vendor.
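The checks below are an added example and are not part of the Juniper advisory or of its upgrade package. They test the local bash with the standard function-import probe for CVE-2014-6271 (the other ShellShock CVEs need separate probes and are not covered), and they audit an sshd_config for the setting behind CVE-2010-5107 (a MaxStartups value without the start:rate:full random-early-drop form that became the OpenSSH 6.2 default) and for wildcards in AcceptEnv, which is the usual interim mitigation for CVE-2014-2532 until sshd is upgraded. The sample sshd_config contents are constructed for the demonstration; the path /etc/ssh/sshd_config in the usage note is an assumption about the appliance and is never written by the script.

```shell
#!/bin/sh
# Added example (not from the Juniper advisory). POSIX sh; needs awk, env, mktemp.

# CVE-2014-6271: a vulnerable bash executes the commands that trail a function
# definition imported from the environment. Prints "vulnerable", "patched" or "no-bash".
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null) || out=""
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2010-5107: with the pre-6.2 default (MaxStartups 10, LoginGraceTime 120) a
# remote client can hold every unauthenticated connection slot. A start:rate:full
# value enables random early drop of new connections. Prints "weak" or "ok".
# sshd honours the first occurrence of a keyword, so only the first match is read.
audit_sshd_maxstartups() {
    val=$(awk 'tolower($1)=="maxstartups" {print $2; exit}' "$1")
    case "$val" in
        *:*:*) echo ok ;;
        *)     echo weak ;;   # unset (default 10) or a plain count
    esac
}

# CVE-2014-2532: sshd before 6.6 mishandles wildcards in AcceptEnv patterns, so a
# client can push environment variables the pattern was not meant to admit.
# Prints "wildcard" if any AcceptEnv entry contains * or ?, else "explicit".
audit_sshd_acceptenv() {
    pats=$(awk 'tolower($1)=="acceptenv" {for (i = 2; i <= NF; i++) print $i}' "$1")
    case "$pats" in
        *\**|*\?*) echo wildcard ;;
        *)         echo explicit ;;
    esac
}

# Demonstration on two constructed sshd_config files (weak defaults vs. hardened).
demo_dir=$(mktemp -d)
printf '%s\n' 'Port 22' 'MaxStartups 10' 'LoginGraceTime 120' 'AcceptEnv LANG LC_*' \
    > "$demo_dir/weak_sshd_config"
printf '%s\n' 'Port 22' 'MaxStartups 10:30:100' 'LoginGraceTime 30' 'AcceptEnv LANG LC_ALL' \
    > "$demo_dir/hardened_sshd_config"

echo "bash ShellShock probe (CVE-2014-6271): $(check_shellshock)"
for f in weak hardened; do
    cfg="$demo_dir/${f}_sshd_config"
    echo "$f sshd_config: MaxStartups=$(audit_sshd_maxstartups "$cfg") AcceptEnv=$(audit_sshd_acceptenv "$cfg")"
done
rm -rf "$demo_dir"
```

On an appliance shell, `audit_sshd_maxstartups /etc/ssh/sshd_config` and `audit_sshd_acceptenv /etc/ssh/sshd_config` report the live state (the path is an assumption). A "weak" or "wildcard" result only shows that the configuration still carries the exposed setting; the fix the advisory prescribes is the upgrade package, and the audit is for confirming where it has not yet been applied.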
Solution: Apply the NSM Appliance Upgrade Package v3 described under Implementation; the third-party software upgrades it carries resolve the vulnerabilities listed above.
Workaround: Use access lists or firewall filters to limit access to the NSM server to trusted hosts only.
Implementation: The NSM Appliance Upgrade Package v3 is available at http://www.juniper.net/support/downloads/?p=nsm#sw.
Modification History:
2014-11-14: Initial publication.
Related Links:
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Risk Assessment: Since the ShellShock vulnerabilities were already announced in JSA10648, CVE-2014-2532 (CVSS score 5.8) is used to determine the risk level associated with this advisory.