Juniper Vulnerabilities

JSA10764 – 2016-10 Security Bulletin: Junos J-Web: Cross Site Scripting Vulnerability (CVE-2016-4923)

Product Affected: This issue can affect any product or platform running Junos OS with J-Web enabled.

Problem: Insufficient cross site scripting protection in J-Web ...

JSA10766 – 2016-10 Security Bulletin: vMX: Information leak vulnerability (CVE-2016-4924)

Product Affected: vMX (Virtual MX Series router)

Problem: An incorrect permissions vulnerability in vMX may allow local unprivileged users on a host system read access to vMX or vPFE images and obtain sensitive information contained in them, such as private cryptographic keys.

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2016-4924.

Solution: This issue has been resolved in vMX 14.1R8, 15.1F6, 16.1 and all subsequent releases. This issue is being tracked as PR 1129051 and is visible on the Customer Support website.

Workaround: Limit access to only trusted users on the host machine where vMX is deployed.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisories and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2016-10-12: Initial publication

CVSS Score: 8.4 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
Risk Level: High

JSA10763 – 2016-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-4922)

Product Affected: These issues can affect any product or platform running Junos OS.

Problem: Certain combinations of Junos OS CLI commands and arg...

JSA10767 – 2016-10 Security Bulletin: JUNOSe: Line Card Reset: processor exception 0x68616c74 (halt) task: scheduler, upon receipt of crafted IPv6 packet (CVE-2016-4925)

Product Affected: This issue can affect all E Series routers running an affected release of JUNOSe with IPv6 enabled.

Problem: Receipt of a specifically malformed IPv6 packet processed by the router may trigger a line card reset: processor exception 0x68616c74 (halt) in task: scheduler. The stack trace will resemble:

    -> showCrashDump
    last reset: exception 0x68616c74 (halt) task: scheduler
    halter: scheduler
    halter PC: 0x8a48e8
    halters arg: 0x19e9c28
    pc: 0x6af77c: debugDisplay__2Ip +0x160
    lr: 0x6af7d4: inetChecksum__FPUcUlUsb +0x40
    dar: 0x00000000  cr: 0x42020042  xer: 0x20000000  fpcsr: 0x00000000
    msr: 0x00009012  dsisr: 0x00000000  ctr: 0x00000000

The line card will reboot and recover without user interaction. However, additional specifically malformed packets may cause follow-on line card resets and lead to an extended service outage.

This issue only affects E Series routers with IPv6 licensed and enabled. Routers not configured to process IPv6 traffic are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2016-4925.

Solution: JUNOSe releases containing the fix specifically include: 10.3.3p0-15, 12.3.3p0-6, 13.3.3p0-1, 14.3.2, 15.1.0, and all subsequent releases. Hotfixes are also available upon request. This issue is being tracked as CQ 97413 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: No known workaround exists for this issue.

Implementation: How to obtain fixed software: Security vulnerabilities in JUNOSe are fixed in the next available Maintenance Release of each supported JUNOSe version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, JUNOSe patches are made available in order to be more timely. Security Advisories and Security Notices will indicate which Maintenance and patch releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a patch release. Although Juniper does not provide formal Release Note documentation for a patch release, a list of resolved defects is published via Patch Release Histories available on the download page.

Modification History: 2016-10-12: Initial publication

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High
Risk Assessment: Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
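When a line card resets, the first question is whether the crash dump matches the signature JSA10767 prints. The script below is an added example, not Juniper code: it parses a showCrashDump summary, decodes the exception word (0x68616c74 is the ASCII bytes "halt"), and compares the task and the pc/lr symbols against the advisory's trace. The first sample is the trace quoted in the advisory with line breaks restored; the second is a constructed dump with a hypothetical link-register symbol (someOtherCaller__Fv) that must not be attributed to this CVE. A match is a triage hint that the reset is consistent with the advisory, not proof that a crafted IPv6 packet caused it.

```python
"""Triage a JUNOSe line-card crash dump against the CVE-2016-4925 signature in JSA10767.

Added example, not Juniper code. It checks the three things the advisory prints:
the exception word 0x68616c74 (ASCII "halt"), the faulting task "scheduler", and the
pc/lr symbols debugDisplay__2Ip and inetChecksum__FPUcUlUsb. A match is a triage hint
that a reset is consistent with the advisory, not proof that a crafted IPv6 packet
caused it; other faults can halt the same task.
"""
import re

# Reset summary quoted in JSA10767 (line breaks restored from the flattened advisory text).
ADVISORY_CRASH_DUMP = """\
-> showCrashDump
last reset: exception 0x68616c74 (halt) task: scheduler
halter: scheduler
halter PC: 0x8a48e8
halters arg: 0x19e9c28
pc: 0x6af77c: debugDisplay__2Ip +0x160
lr: 0x6af7d4: inetChecksum__FPUcUlUsb +0x40
dar: 0x00000000  cr: 0x42020042  xer: 0x20000000  fpcsr: 0x00000000
msr: 0x00009012  dsisr: 0x00000000  ctr: 0x00000000
"""

# Constructed dump: same halt code and task, but a different (hypothetical) link-register
# symbol, so it must NOT be attributed to CVE-2016-4925.
OTHER_CRASH_DUMP = """\
-> showCrashDump
last reset: exception 0x68616c74 (halt) task: scheduler
halter: scheduler
pc: 0x6af77c: debugDisplay__2Ip +0x160
lr: 0x00712abc: someOtherCaller__Fv +0x18
"""

CVE_2016_4925_SIGNATURE = {
    "exception": 0x68616C74,
    "task": "scheduler",
    "frames": {"pc": "debugDisplay__2Ip", "lr": "inetChecksum__FPUcUlUsb"},
}

_RESET_RE = re.compile(
    r"last reset:\s*exception\s+(0x[0-9a-fA-F]+)\s*\(([^)]*)\)\s*task:\s*(\S+)")
# Only lower-case pc/lr frames; "halter PC:" is a different field and is skipped.
_FRAME_RE = re.compile(
    r"^\s*(pc|lr):\s*0x[0-9a-fA-F]+:\s*([A-Za-z_]\w*)\s*\+0x[0-9a-fA-F]+", re.M)


def decode_exception_code(code: int) -> str:
    """The halt exception word is a 4-byte ASCII tag: 0x68616c74 -> 'halt'."""
    return code.to_bytes(4, "big").decode("ascii", errors="replace")


def parse_crash_dump(text: str) -> dict:
    """Pull the exception word, its ASCII tag, the task and the pc/lr symbols out of a dump."""
    m = _RESET_RE.search(text)
    if not m:
        raise ValueError("no 'last reset: exception ...' line in crash dump")
    code = int(m.group(1), 16)
    return {
        "exception": code,
        "exception_tag": decode_exception_code(code),
        "reported_tag": m.group(2),      # what the dump printed in parentheses
        "task": m.group(3),
        "frames": dict(_FRAME_RE.findall(text)),
    }


def matches_cve_2016_4925(text: str) -> bool:
    """True when exception word, task and both stack symbols equal the advisory's signature."""
    d = parse_crash_dump(text)
    sig = CVE_2016_4925_SIGNATURE
    return (d["exception"] == sig["exception"]
            and d["task"] == sig["task"]
            and all(d["frames"].get(reg) == sym for reg, sym in sig["frames"].items()))


if __name__ == "__main__":
    for name, dump in (("advisory", ADVISORY_CRASH_DUMP), ("other", OTHER_CRASH_DUMP)):
        info = parse_crash_dump(dump)
        print(f"{name}: exception {info['exception']:#x} ({info['exception_tag']}), "
              f"task {info['task']}, CVE-2016-4925 signature: {matches_cve_2016_4925(dump)}")
```

Feed it the text of `showCrashDump` from the affected line card; repeated matches across several resets, on a router with IPv6 licensed and enabled, are what should trigger the upgrade to one of the fixed JUNOSe releases above, since no workaround exists.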

JSA10762 – 2016-10 Security Bulletin: Junos: IPv6 denial of service vulnerability due to resource exhaustion (CVE-2016-4921)

Product Affected: This issue can affect any product or platform running Junos OS with IPv6 enabled.

Problem: By flooding a router with specially crafted IPv6 traffic, all available resources can be consumed, leading to the inability to store next hop information for legitimate traffic. In extreme cases, the crafted IPv6 traffic may result in total resource exhaustion and a kernel panic. The issue is triggered by traffic destined to the router. Transit traffic does not trigger the vulnerability.

This issue only affects devices with IPv6 enabled and configured. Devices not configured to process IPv6 traffic are unaffected by this vulnerability.

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2016-4921.

Solution: The kernel panic (PR 1017099) has been addressed in Junos OS 11.4R13, 12.1X44-D45, 12.1X46-D30, 12.1X47-D20, 12.3R9, 13.3R5, and all software releases listed below. However, a more complete IPv6 resource management improvement (PR 1037225) has addressed these resource exhaustion issues in the following software releases: 12.3X48-D30, 13.3R10*, 14.1R8, 14.1X53-D40, 14.2R6, 15.1F2-S5, 15.1F5-S2, 15.1F6, 15.1R3, 15.1X49-D40, 15.1X53-D70, 16.1R1, and all subsequent releases. Note that a release carrying only the kernel panic fix (PR 1017099) still leaves the next-hop exhaustion exposure; only the releases in the second list contain both fixes.

The two fixes for this issue are being tracked as PRs 1037225 and 1017099, which are visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

* Available end of Q4/2016.

Workaround: Limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via IPv6 only from trusted, administrative networks or hosts.

Implementation: Fixed software is obtained through the Maintenance Release / Service Release process described under JSA10766 above.

Modification History: 2016-10-12: Initial publication

CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Risk Level: High
Risk Assessment: Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10759 – 2016-10 Security Bulletin: OpenSSL security updates

The OpenSSL project has published a set of security advisories for vulnerabilities resolved in the OpenSSL library in December 2015 and in March, May, June, August and September 2016.

The following is a summary of these vulnerabilities and their status with respect to Juniper products. Each entry gives the CVE, the OpenSSL severity rating, and a summary:

CVE-2016-6309 (Critical): statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
CVE-2016-0701 (High): The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.
CVE-2016-0703 (High): The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-0800 (High): The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.
CVE-2016-2107 (High): The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2016-2108 (High): The ASN.1 implementation in OpenSSL before 1.0.1o and 1.0.2 before 1.0.2c allows remote attackers to execute arbitrary code or cause a denial of service (buffer underflow and memory corruption) via an ANY field in crafted serialized data, aka the "negative zero" issue.
CVE-2016-6304 (High): Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
CVE-2015-3193 (Moderate): The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
CVE-2015-3194 (Moderate): crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter.
CVE-2015-3195 (Moderate): The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
CVE-2016-0704 (Moderate): An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
CVE-2016-6305 (Moderate): The ssl3_read_bytes function in record/rec_layer_s3.c in OpenSSL 1.1.0 before 1.1.0a allows remote attackers to cause a denial of service (infinite loop) by triggering a zero-length record in an SSL_peek call.
CVE-2016-7052 (Moderate): crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
CVE-2015-1794 (Low): The ssl3_get_key_exchange function in ssl/s3_clnt.c in OpenSSL 1.0.2 before 1.0.2e allows remote servers to cause a denial of service (segmentation fault) via a zero p value in an anonymous Diffie-Hellman (DH) ServerKeyExchange message.
CVE-2015-3196 (Low): ssl/s3_clnt.c in OpenSSL 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1p, and 1.0.2 before 1.0.2d, when used for a multi-threaded client, writes the PSK identity hint to an incorrect data structure, which allows remote servers to cause a denial of service (race condition and double free) via a crafted ServerKeyExchange message.
CVE-2015-3197 (Low): ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
CVE-2016-0702 (Low): The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a "CacheBleed" attack.
CVE-2016-0705 (Low): Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key.
CVE-2016-0797 (Low): Multiple integer overflows in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allow remote attackers to cause a denial of service (heap memory corruption or NULL pointer dereference) or possibly have unspecified other impact via a long digit string that is mishandled by the (1) BN_dec2bn or (2) BN_hex2bn function, related to crypto/bn/bn.h and crypto/bn/bn_print.c.
CVE-2016-0798 (Low): Memory leak in the SRP_VBASE_get_by_user implementation in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory consumption) by providing an invalid username in a connection attempt, related to apps/s_server.c and crypto/srp/srp_vfy.c.
CVE-2016-0799 (Low): The fmtstr function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g improperly calculates string lengths, which allows remote attackers to cause a denial of service (overflow and out-of-bounds read) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-2842.
CVE-2016-2105 (Low): Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
CVE-2016-2106 (Low): Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data.
CVE-2016-2109 (Low): The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in the ASN.1 BIO implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (memory consumption) via a short invalid encoding.
CVE-2016-2176 (Low): The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
CVE-2016-2182 (Low): The BN_bn2dec function in crypto/bn/bn_print.c in OpenSSL before 1.1.0 does not properly validate division results, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-6303 (Low): Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.
CVE-2016-2179 (Low): The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c.
CVE-2016-2180 (Low): The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command.
CVE-2016-2181 (Low): The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c.
CVE-2016-6302 (Low): The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short.
CVE-2016-2177 (Low): OpenSSL through 1.0.2h incorrectly uses pointer arithmetic for heap-buffer boundary checks, which might allow remote attackers to cause a denial of service (integer overflow and application crash) or possibly have unspecified other impact by leveraging unexpected malloc behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
CVE-2016-2178 (Low): The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
CVE-2016-6306 (Low): The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
CVE-2016-6307 (Low): The state-machine implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted TLS messages, related to statem/statem.c and statem/statem_lib.c.
CVE-2016-6308 (Low): statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.

CVE-2016-2176 is a vulnerability that only affects EBCDIC systems. No Juniper products are affected by this vulnerability.

Affected Products:

Junos OS: Junos OS is potentially affected by many of these issues. Junos OS is not affected by CVE-2016-0701, CVE-2016-0800, CVE-2016-2107, CVE-2016-2176, CVE-2016-2179, CVE-2016-2181, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

ScreenOS: ScreenOS is potentially affected by many of these issues. ScreenOS is not affected by CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3196, CVE-2015-3197, CVE-2016-0701, CVE-2016-2107, CVE-2016-2109, CVE-2016-2179, CVE-2016-2181, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Junos Space: Junos Space is potentially affected by many of these issues. Junos Space is not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

NSM: NSM is potentially affected by many of these issues. NSM is not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Juniper Secure Analytics (JSA, STRM): The STRM and JSA series are potentially affected by these issues.

CTPView/CTPOS: CTPView and CTPOS are potentially affected by many of these issues. CTPView and CTPOS are not affected by CVE-2015-1794, CVE-2016-0705, CVE-2016-0798, CVE-2016-2176, CVE-2015-3193, CVE-2015-3196, CVE-2016-0701, CVE-2016-2107, CVE-2016-6305, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309 and CVE-2016-7052.

Solution:

Junos OS:
OpenSSL December 2015 advisory: CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 and CVE-2015-1794 are resolved in 12.1X44-D60, 12.1X46-D45, 12.1X46-D51, 12.1X47-D35, 12.3R12, 12.3R13, 12.3X48-D25, 13.2X51-D40, 13.3R9, 14.1R7, 14.1X53-D35, 14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, 15.1X53-D35, 16.1R1 and all subsequent releases (PR 1144520).
OpenSSL March 2016 advisory: CVE-2016-0705, CVE-2016-0798, CVE-2016-0797, CVE-2016-0799, CVE-2016-0702, CVE-2016-0703 and CVE-2016-0704 are resolved in 13.3R10*, 14.1R8, 14.1X53-D40*, 14.2R7, 15.1F5-S4, 15.1F6, 15.1R4, 15.1X49-D60, 15.1X53-D50, 16.1R1 and all subsequent releases (PR 1165523, 1165570).
OpenSSL May 2016 advisory: CVE-2016-2105, CVE-2016-2106, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2180 are resolved in 13.3R10*, 14.1R9*, 14.1X53-D40*, 14.2R8*, 15.1F5-S4, 15.1F6-S2, 15.1R4, 15.1X53-D50, 15.1X53-D60, 16.1R1 and all subsequent releases. Fixes are in progress for other supported Junos releases (PR 1180391).
OpenSSL June to September 2016 advisories: CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052 are resolved in 13.3R10*, 14.1R9*, 14.2R8*, 15.1R5*, 16.1R4* and all subsequent releases. Fixes are in progress for other supported Junos releases (PR 1216923).
CVE-2016-2108 was resolved when fixes for the OpenSSL advisories of June and July 2015 were implemented in Junos. At that time the OpenSSL version was upgraded to 1.0.1p in Junos 13.3 and later releases, which included a fix for this issue. Please see JSA10694 for solution releases.
Note: * - These Junos releases are pending release at the time of publication.
Note: While Junos is not affected or impacted by certain CVEs, fixes for those are included with the relevant OpenSSL version upgrade. Hence these are stated as resolved.

ScreenOS: CVE-2015-3195 is resolved in 6.3.0r22. This issue is being tracked as PR 1144749. Please see JSA10733 for further details. The rest of the applicable issues in OpenSSL advisories up to May 2016 have been resolved in ScreenOS 6.3.0r23. These issues are being tracked as PRs 1180504 and 1165796. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1217005.

Junos Space: OpenSSL software has been upgraded to 1.0.1t in Junos Space 16.1R1 (pending release) to resolve all the issues included in OpenSSL advisories up to May 2016. These issues are being tracked as PRs 1144741, 1158268, 1165853, 1180505 and 1212590. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1216998.

NSM: OpenSSL software has been upgraded to 1.0.2h in NSM 2012.2R13 to resolve all the issues included in OpenSSL advisories up to May 2016. This upgrade is being tracked as PR 1198397. Fixes for issues in OpenSSL advisories from June to September are being tracked as PR 1217003.

Juniper Secure Analytics (JSA, STRM): OpenSSL December 2015 and March 2016 advisories: CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-1794, CVE-2015-3193, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799 and CVE-2016-0800 have been resolved in 2014.6.R4. A resolution for other issues is pending release. These issues are being tracked as PRs 1151137 and 1165861.

CTPView: CVE-2015-3194 and CVE-2015-3195 have been resolved in 7.1R3, 7.2R1 and all subsequent releases (PR 1144746). CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0800 have been resolved in 7.1R3, 7.2R2, 7.3R1 and all subsequent releases (PR 1165849).

CTPOS: CVE-2015-3194 and CVE-2015-3195 have been resolved in 7.2R1 and all subsequent releases (PR 1144964). CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0797, CVE-2016-0799 and CVE-2016-0800 have been resolved in 7.0R7, 7.1R3, 7.2R2, 7.3R1 and all subsequent releases (PR 1165847).

Workaround:

Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against remote malicious attacks.

Junos OS: Since SSL is used for remote network configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
- Disabling J-Web
- Disabling the SSL service for JUNOScript and using only NETCONF, which makes use of SSH, to make configuration changes
- Limiting access to J-Web and XNM-SSL to trusted networks only

ScreenOS: Methods to reduce the risk associated with this issue include:
- Limit access to SSL ports to only trusted hosts.
- Disabling web administrative services will mitigate the risk of this issue:

    unset int eth0/0 manage web

  Refer to KB6713 for enabling SSH on the firewall.

General Mitigation: It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the HTTPS or SSL/TLS services only from trusted, administrative networks or hosts.

JSA10753 – 2016-07 Security Bulletin: SRX Series: Upgrades using 'partition' option may allow unauthenticated root login (CVE-2016-1278)

Product Affected: This issue can affect any SRX Series device upgraded using the 'partition' option.

Problem: Using the 'request system software' command with the 'partition' option on an SRX Series device upgrading from Junos OS 12.1X45 or 12.1X46 prior to D50 can leave the system in a state where root CLI login is allowed without a password, because the system reverts to a "safe mode" authentication triggered by the failed upgrade. Additionally, valid authentication credentials fail to work due to the same issue. Only root with no password will work.

This issue can affect SRX Series devices upgraded from Junos OS 12.1X45 (all releases) or 12.1X46 releases prior to those listed as Resolved below. No other platform or version of Junos OS is affected by this vulnerability, and no other Juniper Networks products or platforms are affected by this issue.

Note: The issue exists in the 'partition' option of 'request system software' executed on the release from which the upgrade is being performed. Upgrading from an affected release to a fixed release will not resolve this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2016-1278.

Solution: The following software releases have been updated to resolve this specific upgrade issue: Junos OS 12.1X46-D50 and all subsequent releases. Upgrading from these releases will no longer exhibit the vulnerability. However, simply upgrading to a fixed release will not recover authenticated login credentials.

This issue is being tracked as PRs 1118748 and 1153914, which are visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Avoid using the 'partition' option when upgrading an SRX Series device to Junos OS 12.1X46 prior to 12.1X46-D50. Note that the symptoms are immediately obvious after an affected upgrade and may be remediated by rebooting the device post-upgrade.

Implementation: Fixed software is obtained through the Maintenance Release / Service Release process described under JSA10766 above.

Modification History:
2016-07-13: Initial publication
2016-08-17: Clarified that the issue affects the from release, and cannot be resolved by simply upgrading to a fixed release.

CVSS Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Risk Level: High
Risk Assessment: Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10758 – 2016-07 Security Bulletin: Junos: Crafted UDP packet can lead...

2016-07 Security Bulletin: Junos: Crafted UDP packet can lead to kernel crash on 64-bit platforms (CVE-2016-1263)

Product Affected:
This issue can affect any product or platform running 64-bit Junos OS.

Problem:
Receipt of a specifically crafted UDP packet destined to an interface IP address of a Junos OS device with a 64-bit platform may result in a kernel crash. This issue only affects systems running 64-bit Junos OS on a 64-bit routing engine (RE). 32-bit systems are unaffected by this vulnerability.

According to KB25803, customers can confirm 64-bit Junos OS software via the 'show version detail' command:

    user@JUNOS> show version detail | match 64
    JUNOS 64-bit Kernel Software Suite [14.1R7.4]
    JUNOS 64-bit Runtime Software Suite [14.1R7.4]

Note: All SRX Series services gateways currently utilize 32-bit Junos OS for routing engine processing and are therefore not vulnerable to this issue.

Only packets able to reach the RE through existing edge and control plane firewall filters, destined to the device itself, can trigger this issue. Junos OS is not vulnerable to transit UDP traffic.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1263.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D45, 12.1X46-D51, 12.1X47-D35, 12.3X48-D30, 13.3R9-S1, 13.3R10, 14.1R7, 14.2R6, 15.1F2-S5, 15.1F4-S2, 15.1F5, 15.1R2-S3, 15.1R3, 15.1X49-D40, and all subsequent releases.

Note: Junos OS 12.1X46-D50 does not have this fix!

This issue is being tracked as PR 1142939 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device via UDP only from trusted, administrative networks or hosts.

Implementation:
How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-07-13: Initial publication
2016-07-14: Added method of confirming 64-bit RE
2016-07-15: Noted that all SRX Series devices currently utilize 32-bit Junos OS

CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
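The UDP workaround in this bulletin, as an added example that is not part of the original advisory: a Junos firewall filter applied to lo0, so it only sees traffic destined to the RE, which accepts UDP from a trusted management prefix, counts, logs and discards every other UDP packet aimed at the device, and leaves non-UDP traffic to the existing control-plane policy. The prefix 192.0.2.0/24, the filter name PROTECT-RE and the counter name are assumptions for illustration.

```junos
firewall {
    family inet {
        filter PROTECT-RE {
            /* Assumed trusted management prefix: UDP from here reaches the RE. */
            term TRUSTED-UDP {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol udp;
                }
                then accept;
            }
            /* Any other UDP destined to the device itself is dropped; the
               counter shows in "show firewall filter PROTECT-RE" and the log
               action records the sources so legitimate peers can be added. */
            term DROP-OTHER-UDP {
                from {
                    protocol udp;
                }
                then {
                    count udp-to-re-dropped;
                    log;
                    discard;
                }
            }
            /* Non-UDP traffic is unchanged by this filter. */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Before committing, every legitimate UDP peer of the device (for example NTP, DNS, SNMP, RADIUS/TACACS+ servers and any UDP-based routing or BFD neighbours) must be covered by the trusted term, since replies from them are otherwise discarded; the udp-to-re-dropped counter is the check that nothing unexpected is being cut off.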

JSA10752 – 2016-07 Security Bulletin: Junos: Kernel crash with crafted ICMP...

2016-07 Security Bulletin: Junos: Kernel crash with crafted ICMP packet (CVE-2016-1277)

Product Affected:
This issue can affect any product or platform running Junos OS configured with a GRE or IPIP tunnel.

Problem:
On Junos devices with a GRE or IPIP tunnel configured (i.e., devices with a gr- or ip- interface), a specifically crafted ICMP packet can cause a kernel panic resulting in a denial of service condition. Knowledge of network-specific information is required to craft such an ICMP packet. Receipt of such a packet on any interface on the device can cause a crash.

Devices that do not have any gr- or ip- interfaces are unaffected by this issue.

This issue only affects IPv4. IPv6 is unaffected by this issue.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1277.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D50, 12.1X47-D40, 12.3X48-D30, 13.3R9, 14.1R8, 14.1X53-D40, 14.2R6, 15.1F6, 15.1R3, 15.1X49-D40 and all subsequent releases.

This issue is being tracked as PR 1159454 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Use access lists or firewall filters to limit access to the router via ICMP only from trusted hosts.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit all administrative access to the router only from trusted, administrative networks or hosts.

Implementation:
How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-07-13: Initial publication
2016-07-18: IPv6 unaffected note added.

CVSS Score:
5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10751 – 2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALG’s...

2016-07 Security Bulletin: SRX Series: On High-End SRX-Series, ALGs applied to in-transit traffic may trigger high CP (central point) utilization leading to denial of service. (CVE-2016-1276)

Product Affected:
This issue affects both standalone and cluster mode configurations, with different denial of service permutations, on High-End SRX-Series chassis.

Problem:
When High-End SRX-Series chassis have policies with one or more ALGs (application layer gateways) enabled which are applied to in-transit traffic, this may trigger a number of failure conditions which could cause various types of denial of service to in-transit traffic. Continued in-transit traffic matching ALG rules can create a sustained denial of service.

This issue affects both standalone and cluster mode configurations with different denial of service permutations.

Standalone: In standalone HE chassis deployments, existing sessions will function normally, but high CP utilization may prevent new sessions from being established.

Cluster: In cluster HE chassis deployments, the fab link between chassis may be unable to sustain communication, causing the backup to go ineligible due to fab link failure. High CP utilization may prevent new sessions from being established. The primary chassis processing LACP communication may lose LACP links, triggering failover conditions which could create sustained flip-flop failovers between each chassis, including possible line card reboots, leading to long-term denial of service.

This issue only affects devices when one, some, many and/or all ALGs are enabled and traffic conditions match, triggering any ALG. See KB25546 for the ALG list.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1276.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X46-D50, 12.1X47-D23, 12.1X47-D35, 12.3X48-D25, 15.1X49-D40 and subsequent releases.

This issue is being tracked as PR 1150971 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
The following workarounds may be used to mitigate, reduce or resolve the risk of the problem occurring:

Disabling all ALGs will mitigate the issue until such time that an upgrade can be performed on the chassis.

Breaking cluster nodes if present and operating standalone High End SRX-Series Service Gateways in parallel, while also distributing traffic equally between both standalone devices, may reduce CP utilization on each chassis and may mitigate the risk of line card reboots.

Implementation:
How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-07-13: Initial publication
2016-07-22: Added language that any and all ALGs are impacted by this JSA.

CVSS Score:
7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risk Level:
High

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10755 – 2016-07 Security Bulletin: Junos: Self-signed certificate with spoofed trusted...

2016-07 Security Bulletin: Junos: Self-signed certificate with spoofed trusted Issuer CN accepted as valid (CVE-2016-1280)

Product Affected:
This issue can affect any product or platform running Junos OS.

Problem:
Junos OS runs PKId for certificate validation. When a peer device presents a self-signed certificate as its end entity certificate with its issuer name matching one of the valid CA certificates enrolled in Junos, the peer certificate validation is skipped and the peer certificate is treated as valid. This may allow an attacker to generate a specially crafted self-signed certificate and bypass certificate validation.

This issue only affects certificates used for IKE/IPsec. Other public key-based authentication is unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2016-1280.

Solution:
The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D52, 12.1X44-D55, 12.1X46-D37, 12.1X46-D40, 12.1X47-D30, 12.3R12, 12.3X48-D20, 13.3R10, 14.1R8, 14.1X53-D40*, 14.2R7, 15.1R4, 15.1X49-D20, 15.1X53-D60*, 16.1R1, and all subsequent releases.

*Available Q3/2016

This issue is being tracked as PR 1096758 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Configure all PKI-VPN tunnels to accept only Distinguished Name (DN) as the remote peer's IKE ID.

Example for SRX devices: The SRX can match the DN by exact string or by a wildcard string. If a wildcard string is used, it must not match any trusted CA's Subject name. One of the following four options can be used:

    set security ike gateway <peer name> dynamic distinguished-name container <peer certificate's subject string>
    set security ike gateway <peer name> dynamic distinguished-name wildcard <wildcard string>
    set security ike gateway <peer name> remote-identity distinguished-name container <peer certificate's subject string>
    set security ike gateway <peer name> remote-identity distinguished-name wildcard <wildcard string>

Note: The remote peer's tunnel must also be reconfigured to identify itself using its DN as the IKE ID. For SRX devices, the config statement is:

    set security ike gateway <peer name> local-identity distinguished-name

Implementation:
How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-07-13: Initial publication
2016-07-15: Removed mitigation of disallowing usage of self-signed certificates for IKE/IPsec authentication

CVSS Score:
6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Risk Level:
Medium

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10756 – 2016-07 Security Bulletin: Junos: FreeBSD-SA-09:07.libc – Information leak in...

Product Affected:
This issue may affect any product or platform running Junos OS 8.5 or later.

Problem:
On April 22nd, 2009 FreeBSD announced that the db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file.

This announcement leaves a gap in the affected version detail of the advisory, as it states "All supported versions of FreeBSD." which were 6.3 to 7.2-PRERELEASE at that time. It does not indicate if the issue affects earlier versions or not.

Junos OS operates on either FreeBSD 6.1 and earlier, or FreeBSD 10.1 and later, depending on the version of Junos OS. More than one version of the underlying FreeBSD system is supported on some versions of Junos OS, e.g. Junos OS 15.1R1 and later introduces the option for upgrading the underlying FreeBSD 6.1 system to FreeBSD 10.1. Additionally, some customers may operate on Junos OS 15.1R1 while retaining the underlying FreeBSD 6.1 system; some customers in certain countries may only operate Junos OS 15.1R1 and later using FreeBSD 6.1.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

Solution:
To proactively mitigate against the risk indicated in the FreeBSD advisory, Juniper resolved the underlying problem in Junos OS based on FreeBSD 6.1 as well as FreeBSD 10.1.

The following software releases have been updated to resolve this specific issue: 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D20, 12.3X50-D50, 12.3R11, 13.2X51-D40, 13.2X52-D30, 13.2R8, 13.3R7, 14.1X53-D30, 14.1R6, 14.2R4, 15.1X49-D10, 15.1X49-D20, 15.1R2, 15.1F3 and subsequent releases.

This issue is being tracked as PR 442580 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround:
Limit access to the device to only trusted hosts and administrators.

Implementation:
How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
2016-07-13: Initial publication

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."