2015-04 Security Bulletin: IDP: Multiple vulnerabilities addressed by third party software updates.
Product Affected:NetScreen IDP stand alone platforms running IDP OS 5.1 prior to 5.1r4.
Problem:IDP release 5.1r4 addresses vulnerabilities in prior releases with updated third party software. The following is a summary of vulnerabilities ordered by risk score: CVECVSS v2 base scoreSummaryCVE-2014-627110.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)Remote command injection vulnerability in Bash also known as Shellshock. See JSA10648.CVE-2010-44787.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)OpenSSH authentication bypass vulnerability related to J-PAKE.CVE-2012-21317.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)OpenSSL Multiple buffer overflow vulnerabilities.CVE-2012-51957.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)Perl denial of service vulnerability.CVE-2009-35636.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)NTP Denial of service vulnerability.CVE-2011-05395.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)OpenSSH ssh-keygen insecure certificate generation vulnerability.CVE-2012-08143.5 (AV:N/AC:M/Au:S/C:P/I:N/A:N)OpenSSH information leak vulnerability.
Solution:All these issues are resolved in IDP 5.1r4 (released 25 Feb 2015) or later releases.
Workaround:Limiting access to the device from only trusted hosts would help mitigate or reduce the risks of exposure to these issues.
Implementation:IDP Software Releases and Patches are available at https://www.juniper.net/support/downloads/ from the “Download Software” links. Modification History: 2015-04-08: Initial release.
Related Links: CVSS Score:7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Risk Assessment:Since ShellShock vulnerabilities were alerted in JSA10648, CVE-2014-4478 with CVSS score of 5.8 is used to determine the risk level associated with this advisory.