Juniper Vulnerabilities

JSA10702 – 2015-10 Security Bulletin: QFabric 3100 Director: CUPS printing system...

QFabric 3100 Director version 12.x and earlier.

A remote attacker can carry out a chained XSS attack against the QFabric 3100 Director version(s) 12.x and lower through an authenticated user's web browser and subsequently gain complete control of the QFabric 3100 Director host-OS. This issue is assigned CVE-2015-1158 and CVE-2015-1159.

The following software releases have been updated to resolve this specific issue: This issue is resolved in Junos OS higher than 12.x on the QFabric 3100 Director. 12.x and prior versions should manually remove the CUPS system by following the workaround section.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue is being tracked as PR 1086957 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

In order to stop CUPS, execute the following from the Linux shell of the QFabric 3100 Director in each QFabric 3100 Director node for each Director Group in a deployment:

    1. service cups stop
    2. chkconfig --del cups
    3. rm -rf /etc/init.d/cups

Additionally, administrative systems used to authenticate to the QFabric 3100 Director should be protected from casual web browsing to sites that could inject XSS/XEE/CSRF attacks against administrative systems.

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-10-14: Initial publication

Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

JSA10693 – 2015-07 Security Bulletin: Buffer overflow vulnerability in QEMU component...

2015-07 Security Bulletin: Buffer overflow vulnerability in QEMU component of the KVM/QEMU and Xen hypervisors (CVE-2015-3456) aka VENOM

Product Affected: EX and QFX Series devices with virtualization support; specifically EX4600, QFX5100, and QFX10002.

Problem: In products utilizing virtualization technologies, a buffer overflow vulnerability in QEMU component of the KVM/QEMU and Xen hypervisors may allow privileged guest users such as an administrative user in a virtual machine to crash the guest OS. This issue may potentially allow execution of arbitrary code on the host OS. If an untrusted VM is being run it may lead to complete compromise of the host machine and other VMs.

This vulnerability is named 'VENOM' and assigned CVE-2015-3456. Juniper SIRT is not aware of any malicious exploitation of this vulnerability on Juniper products.

The following Juniper products make use of affected virtualization technologies:
  EX Series device EX4600
  QFX Series devices QFX5100 and QFX10002

The following Juniper products are not vulnerable:
  EX and QFX series devices not listed above are not vulnerable.
  Virtual Route Reflector is not vulnerable.
  QFabric Director is not vulnerable.
  Junos Space is not vulnerable: While Junos Space includes a vulnerable version of QEMU, it does not permit root access in a guest OS and hence not impacted by this issue. QEMU will be updated in the next possible release as a precaution.
  Products that do not include any virtualization technologies like SRX Series and ScreenOS are not affected by this vulnerability.

Solution: EX and QFX Series: This issue is resolved in Junos OS 13.2X51-D40 (pending release) and Junos OS 14.1X53-D30 (pending release), and all subsequent releases.

Workaround: Since successful exploitation requires root privileges in a virtual machine, restricting administrative access to virtual machines to trusted administrators and not running untrusted virtual machines should help in reducing the risks of exploitation of this issue.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-07-08: Initial publication

CVSS Score: CVSSv2: 6.6 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Risk Level: Medium
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10656 – 2014-10 Out of Cycle Security Bulletin: Multiple products affected...

Various products. Please see the list in the Problem section below.

The SSL protocol 3.0 uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack. This issue is also known as the "POODLE" vulnerability. SSL v3 is an older security protocol with known issues, but still exists as a fallback protocol on many devices.

Vulnerable Products:
  Junos OS
  Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series
  ScreenOS
  Junos Space

Juniper is investigating our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated. This issue has been assigned CVE-2014-3566.

Junos: Junos OS will include an update to OpenSSL in a future release.

Connect Secure (SA / SSL VPN) / Policy Secure (IC / UAC), MAG Series: Please refer to Pulse Secure TSB16540 for details on mitigating risk from this vulnerability.

ScreenOS: A problem report has been submitted. Development is in the process of evaluating the best method to resolve this issue.

Junos Space: Disable SSLv3 by changing the following files:

    /etc/httpd/conf.d/webProxy.conf
    /etc/httpd/conf.d/ssl.conf
    /etc/httpd/conf.d/webConf/webProxyCertAuth.conf

The following line needs to be updated to remove references to SSLv3:

    Original: SSLProtocol -ALL +SSLv3 +TLSv1
    Updated:  SSLProtocol -ALL +TLSv1

Restart httpd by typing 'service httpd restart'.

Junos: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
  Disabling J-Web
  Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
  Limit access to J-Web and XNM-SSL from only trusted networks
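One way to confirm the Junos Space change took effect, as an added example that is not part of the bulletin: the function below evaluates an SSLProtocol line token by token and reports whether SSLv3 is still enabled. It assumes mod_ssl's usual semantics (a "+" prefix adds, "-" removes, a bare name replaces the set) and that "ALL" on a 2014-era build includes SSLv3; the sample configuration text is constructed.

```python
import re

# Assumption: on a 2014-era httpd/OpenSSL build, "all" expands to this set.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL | {"SSLv2"}}

DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample, shaped like the files the bulletin names.
SAMPLE_BEFORE = """\
# constructed sample
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("+SSLv3 ", "")


def effective_protocols(args):
    """Return the protocol set left enabled after reading tokens left to right."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        key = name.lower()
        if key == "all":
            group = set(ALL)
        elif key in CANON:
            group = {CANON[key]}
        else:
            raise ValueError("unknown protocol token: %r" % tok)
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group  # a bare name overrides what came before
    return enabled


def audit(text):
    """Return (line number, directive arguments, sslv3_enabled) per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives have no effect
        match = DIRECTIVE.match(line)
        if match:
            protocols = effective_protocols(match.group(1))
            findings.append((lineno, match.group(1), "SSLv3" in protocols))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for lineno, args, bad in audit(text):
            status = "SSLv3 ENABLED" if bad else "ok"
            print("%s line %d: SSLProtocol %s -> %s" % (label, lineno, args, status))
```

A file with no SSLProtocol line at all returns an empty list; such a file inherits the server default, so it needs a separate look.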

JSA10733 – 2016-04 Security Bulletin: ScreenOS: Multiple Vulnerabilities in OpenSSL

Product Affected: These issues can affect any product or platform running ScreenOS prior to 6.3.0r22

Problem: Following vulnerabilities in OpenSSL software included with ScreenOS have been addressed in ScreenOS 6.3.0 r22:

CVE | CVSS v2 base score | Summary
CVE-2015-1791 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL that can cause a denial of service.
CVE-2015-1790 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL allows remote attackers to cause a denial of service via a crafted PKCS#7 blob.
CVE-2015-1789 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL allows remote attackers to cause a denial of service via a crafted length field in ASN1_TIME data.
CVE-2015-3195 | 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) | The ASN1_TFLG_COMBINE implementation in OpenSSL mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

Solution: The following software releases have been updated to resolve this specific issue: ScreenOS 6.3.0 r22 (released April 6, 2016) and all subsequent releases. These issues are being tracked as PR 1100194 and 1144749 and are visible on the Customer Support website.

Workaround: There are no known workarounds for these issues.

Implementation: How to obtain fixed software: Software release Service Packages are available at http://support.juniper.net from the "Download Software" links. Select your appropriate Selected Products, or browse by Series or Technology; once you find the appropriate fixed version(s) for your needed platform, download and apply the updated version(s) of choice.

Modification History: 2016-04-13: Initial publication

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Risk Level: Medium
Risk Assessment: The CVSS risk score has been determined for the worst case impact of these issues on ScreenOS.

JSA10676 – 2015-04 Security Bulletin: SRX Series: ISC BIND vulnerability denial...

2015-04 Security Bulletin: SRX Series: ISC BIND vulnerability denial of service in delegation handling (CVE-2014-8500)

Product Affected: This issue affects all SRX Series devices running Junos OS 12.1X44, 12.1X46, 12.1X47

Problem: ISC BIND software included with Junos for SRX series devices is affected by CVE-2014-8500. This may allow a network based attacker to cause a denial of service condition on SRX devices. This issue only affects SRX devices where "set system services dns dns-proxy" has been configured. This is not enabled by default on SRX devices. This issue does not affect other Junos OS based devices as they do not have BIND DNS server feature.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue has been assigned CVE-2014-8500.

Solution: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50 (pending release), 12.1X46-D35 (pending release), 12.1X47-D25 (pending release), 12.3X48-D10 and all subsequent releases. This issue is being tracked as PR 1048628 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: There are no known workarounds.

Implementation: How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-04-08: Initial release.

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Risk Level: Low
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10749 – IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability...

This issue may affect any product or platform running Junos OS.

A vulnerability in IPv6 processing has been discovered that may allow a specially crafted IPv6 Neighbor Discovery (ND) packet to be accepted by the router rather than discarded. The crafted packet, destined to the router, will then be processed by the routing engine (RE). A malicious network-based packet flood, sourced from beyond the local broadcast domain, can cause the RE CPU to spike, or cause the DDoS protection ARP protocol group policer to engage. When this happens, the DDoS policer may start dropping legitimate IPv6 neighbors as legitimate ND times out.

Note that this is similar to the router's response to any purposeful malicious IPv6 ND flood destined to the router.

The difference is that the crafted packet identified in the vulnerability is such that the forwarding controllers/ASICs should disallow this traffic from reaching the RE for further processing.

Additionally, due to the routable nature of the crafted IPv6 ND packet, the attack may be launched from beyond the local broadcast domain.

This issue has been assigned CVE-2016-1409.

Internal investigation has uncovered three separate issues with IPv6 Neighbor Discovery processing in Junos:

  QFX5100 exceptions transit IPv6 ND traffic to RE
    PR 1183115 logged to resolve this issue in a future release.
  Junos routers forward IPv6 ND traffic in violation of RFC4861
    PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX) logged to investigate this issue.
  Junos routers fail to discard non-RFC4861-compliant IPv6 ND traffic destined to the router (CVE-2016-1409)
    PRs 1183124 (QFX), 1188939 (MX), 1188949 (PTX)

Note that only MX, PTX, and QFX have been confirmed to experience this behavior. Other platforms are still under investigation.

Juniper Networks will update this advisory once fixes are available. Refer to KB16613 for additional information about the Juniper Networks SIRT Quarterly Security Bulletin Publication Process.

While no complete workaround currently exists for this issue, especially for adjacent network attacks from the local broadcast domain, security best current practices (BCPs) of filtering all ND traffic at the edge, destined to network infrastructure equipment, should be employed to limit the malicious attack surface of the vulnerability. Examples include:

Interface and/or control plane firewall filters may be used to stop propagation of NDP traffic beyond connected devices.

Devices that support the hop-limit option can utilize the following interface filter design:

    user@junos# show firewall family inet6 NDP
    filter NDP {
        term PERMIT_LOCAL_ICMP {
            from {
                next-header icmp6;
                hop-limit 255;
            }
            then {
                count PERMIT_LOCAL_ICMP;
                accept;
            }
        }
        term REJECT_NETWORK_ICMP {
            from {
                next-header icmpv6;
                icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
            }
            then {
                count REJECT_NETWORK_ICMP;
                discard;
            }
        }
        term PERMIT_ALL {
            then accept;
        }
    }

Sample Protect_RE filter:

    user@junos# show firewall family inet6 IPV6_PROTECT_RE
    filter IPV6_PROTECT_RE {
        term ICMPV6_TRUSTED {
            from {
                source-prefix-list {
                    IPV6_REMOTE_ACCESS;
                }
                next-header icmpv6;
            }
            then accept;
        }
        term IPV6_ND_LOCAL {
            from {
                next-header icmpv6;
                hop-limit 255;
            }
            then accept;
        }
        term ICMPV6 {
            from {
                next-header icmpv6;
                icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
            }
            then accept;
        }
    }

Devices that do not support the 'hop-limit' option will require a slightly more complicated interface filter design:

    user@junos# show firewall family inet6 NDP
    filter NDP {
        term PERMIT_VALID_ICMP {
            from {
                destination-address {
                    fe80::/10;
                    ff02::/123;
                    ff02:0:0:0:0:1:ff00::/104;
                }
            }
            then {
                count PERMIT_VALID_ICMP;
                accept;
            }
        }
        term PERMIT_VALID_ICMP_LOCAL {
            from {
                source-address {
                    x:x:x:x::/64;
                }
                destination-address {
                    x:x:x:x::/64;
                }
                next-header icmp6;
            }
            then {
                count PERMIT_VALID_ICMP_LOCAL;
                accept;
            }
        }
        term REJECT_INVALID_ICMP {
            from {
                next-header icmpv6;
                icmp-type [ neighbor-advertisement neighbor-solicit router-solicit router-advertisement redirect ];
            }
            then {
                count REJECT_INVALID_ICMP;
                discard;
            }
        }
    }

and Protect_RE filter design:

    user@junos# show firewall family inet6 IPV6_PROTECT_RE
    filter IPV6_PROTECT_RE {
        term ICMPV6_TRUSTED {
            from {
                source-prefix-list {
                    IPV6_REMOTE_ACCESS;
                }
                next-header icmpv6;
            }
            then accept;
        }
        term IPV6_ND {
            from {
                destination-address {
                    fe80::/10;
                    ff02::/123;
                    ff02:0:0:0:0:1:ff00::/104;
                }
            }
            then accept;
        }
        term IPV6_ND_LOCAL {
            from {
                source-address {
                    x:x:x:x::/64;
                }
                destination-address {
                    x:x:x:x::/64;
                }
                next-header icmp6;
            }
            then accept;
        }
        term ICMPV6 {
            from {
                next-header icmpv6;
                icmp-type [ echo-request echo-reply time-exceeded destination-unreachable packet-too-big parameter-problem ];
            }
            then accept;
        }
        term OTHER {
            then {
                count DROP;
                discard;
            }
        }
    }

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
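The decision the hop-limit NDP filter makes, as an added example that is not Juniper's code: RFC 4861 requires ND messages to be sent with hop limit 255, and every router hop decrements that field, so a packet still carrying 255 cannot have crossed a router. The classifier below mirrors the three terms of the first NDP filter over constructed test packets; it assumes the ICMPv6 header directly follows the fixed IPv6 header (extension headers are not walked) and uses documentation addresses.

```python
import struct
from collections import Counter

ICMPV6 = 58  # IPv6 next-header value for ICMPv6
ND_TYPES = {
    133: "router-solicit",
    134: "router-advertisement",
    135: "neighbor-solicit",
    136: "neighbor-advertisement",
    137: "redirect",
}


def build_packet(hop_limit, icmp_type, next_header=ICMPV6):
    """Constructed test input: 40-byte IPv6 header plus an 8-byte stub payload."""
    payload = struct.pack("!BBHI", icmp_type, 0, 0, 0)  # checksum left at zero
    src = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1
    dst = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + src + dst + payload


def classify(packet):
    """Return the name of the NDP filter term that a raw IPv6 packet would match."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "malformed"
    next_header, hop_limit = packet[6], packet[7]
    if next_header != ICMPV6:
        return "PERMIT_ALL"
    if hop_limit == 255:
        # Sent on the attached link: no router has decremented the field.
        return "PERMIT_LOCAL_ICMP"
    if len(packet) < 41:
        return "malformed"
    if packet[40] in ND_TYPES:
        # ND message that has been routed, which RFC 4861 receivers discard.
        return "REJECT_NETWORK_ICMP"
    return "PERMIT_ALL"


def run_filter(packets):
    """Tally matches per term, like the filter's count actions."""
    return Counter(classify(p) for p in packets)


if __name__ == "__main__":
    sample = [
        build_packet(255, 135),                # on-link neighbor solicitation
        build_packet(254, 135),                # same message after one router hop
        build_packet(64, 134),                 # routed router advertisement
        build_packet(64, 128),                 # echo request, not ND
        build_packet(64, 0, next_header=6),    # TCP, not ICMPv6
    ]
    for term, hits in sorted(run_filter(sample).items()):
        print(term, hits)
```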

JSA10694 – 2015-10 Security Bulletin: Junos: OpenSSL June-July 2015 advisories

The OpenSSL project has published a set of security advisories for vulnerabilities resolved in the OpenSSL library in June and July 2015:

CVE | CVSS v2* base score | Summary
CVE-2015-1791 | 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) | Race condition in the ssl3_get_new_session_ticket function in ssl/s3_clnt.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b, when used for a multi-threaded client, allows remote attackers to cause a denial of service (double free and application crash) or possibly have unspecified other impact by providing a NewSessionTicket during an attempt to reuse a ticket that had been obtained earlier.
CVE-2015-1793 | 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) | An error in the implementation of the alternative certificate chain logic could allow an attacker to cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate.
CVE-2015-1790 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The PKCS7_dataDecode function in crypto/pkcs7/pk7_doit.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a PKCS#7 blob that uses ASN.1 encoding and lacks inner EncryptedContent data.
CVE-2015-1792 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The do_free_upto function in crypto/cms/cms_smime.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (infinite loop) via vectors that trigger a NULL value of a BIO data structure, as demonstrated by an unrecognized X.660 OID for a hash function.
CVE-2015-1788 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication.
CVE-2015-1789 | 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | The X509_cmp_time function in crypto/x509/x509_vfy.c in OpenSSL before 0.9.8zg, 1.0.0 before 1.0.0s, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted length field in ASN1_TIME data, as demonstrated by an attack against a server that supports client authentication with a custom verification callback.

*CVSS v2 scores provided for backward compatibility with NVD.

Junos OS is affected by one or more of these vulnerabilities. Note that CVE-2014-8176 was also included in an OpenSSL advisory, but no Juniper products use DTLS for communication.

The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20, 13.2X51-D40, 13.3R7, 14.1R6, 14.2R4, 15.1R2, 15.1X49-D20, and all subsequent releases.

OpenSSL library has been upgraded to 0.9.8zg in Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20, 13.2X51-D40 and subsequent releases.

OpenSSL library has been upgraded to 1.0.1p in Junos OS 12.1X46-D55, 12.1X47-D45, 12.3X48-D30, 13.3R7, 14.1R6, 14.2R4, 15.1R2, 15.1X49-D20, and all subsequent releases to resolve all vulnerabilities listed above.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. This issue is being tracked for Junos OS as PRs 1095598, 1095604, 1103020 and 1153463 which are visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:
  Disabling J-Web
  Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
  Limit access to J-Web and XNM-SSL from only trusted networks

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:
  2015-10-14: Initial publication
  2016-10-05: Update the list of Junos releases which have OpenSSL 1.0.1p or later (i.e. added 12.1X46-D55, 12.1X47-D45, 12.3X48-D30).

Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

JSA10657 – 2014-11 Security Bulletin: Juniper Secure Analytics and Security Threat...

2014-11 Security Bulletin: Juniper Secure Analytics and Security Threat Response Manager: Multiple vulnerabilities

Product Affected: JSA series devices or virtual machines with JSA software releases: 2013.2, 2014.1, 2014.2 and STRM series devices or virtual machines with STRM software releases: 2012.1, 2013.1, 2013.2

Problem: STRM and JSA 2013.2 releases prior to 2013.2R9 and JSA 2014 releases prior to 2014.3R1 are affected by the following vulnerabilities:

CVE | CVSS v2 base score | Summary
CVE-2014-3062 | 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C) | A remote code execution vulnerability that would allow a remote attacker with high knowledge of the system and knowledge of the product operation to execute code with root level privileges.
CVE-2014-4833 | 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P) | A vulnerability that would allow remote authenticated users to gain privileges via invalid input.
CVE-2014-0075 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Apache Tomcat integer overflow vulnerability.
CVE-2014-0095 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service (thread consumption) vulnerability in Apache Tomcat.
CVE-2014-3091 | 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS) vulnerability.
CVE-2014-0096 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat.
CVE-2014-0099 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Integer overflow vulnerability in Apache Tomcat.
CVE-2014-0119 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | XML External Entity (XXE) issue in Apache Tomcat.
CVE-2014-0837 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Insufficient verification of X.509 certificates in autoupdate process while downloading updates, which may allow a man-in-the-middle type of attacker to manipulate traffic.
CVE-2014-4825 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Incorrect handling of secure connections when communicating to other applications, which allows man-in-the-middle type of attackers to discover clear text credentials or other sensitive information.
CVE-2014-4827 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Cross-site scripting (XSS) vulnerability.
CVE-2014-4828 | 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | Clickjacking vulnerability.
CVE-2014-4830 | 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Missing HTTPOnly flag that mitigates the risk of client side script accessing sensitive cookies.

Solution: These issues are resolved in:
  JSA 2014.3R1 or later releases.
  JSA or STRM 2013.2R9 or later releases.

Workaround: There are no known workarounds that can help mitigate all of the above issues. Limiting access to the device from only trusted hosts would help mitigate or lessen the risks of exposure to some of the issues.

Implementation: JSA and STRM Software is available for download from http://www.juniper.net/support/downloads/.

Modification History: 2014-11-12: Initial publication.

CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Risk Level: Critical
Risk Assessment: Vulnerability CVE-2014-3062 has the highest CVSS v2 base score of 9.3 in this advisory.

JSA10712 – 2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH...

2015-12 Out of Cycle Security Bulletin: ScreenOS: Crafted SSH negotiation may trigger system crash (CVE-2015-7754)

Product Affected: This issue can affect any product or platform running ScreenOS 6.3.0r20.

Problem: A crafted SSH negotiation may result in a system crash when ssh-pka is configured and enabled on the firewall. In the worst case scenario, the unhandled SSH exception resulting in a system crash could lead to remote code execution.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2015-7754.

Solution: The following software releases have been updated to resolve this specific issue: ScreenOS 6.3.0r21, and all subsequent releases. This issue is being tracked as PR 1139205 which is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Use access lists or firewall filters to limit access to the device via administrative login (e.g. SSH) only from trusted hosts, or restrict management access to specific IP addresses. Refer to KB3905 for more information about restricting management access in ScreenOS.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit management access to the device only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software: ScreenOS software releases are available at http://www.juniper.net/support/downloads/screenos.html

Modification History: 2015-12-17: Initial publication

CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level: Critical
Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10653 – 2014-10 Security Bulletin: Junos: BGP UPDATE with crafted transitive...

This issue can affect any product or platform running Junos OS 9.1 and later releases with BGP configured and enabled.

A BGP UPDATE containing a specifically crafted set of transitive attributes can cause corruption of memory ultimately leading to an RPD routing process crash and restart. The crash was only achieved through in-house routing protocol fuzz testing. This issue only affects routers supporting 4-byte AS numbers, introduced starting with Junos OS 9.1. Additionally, the router is only vulnerable if the BGP peer does not support 4-byte AS numbers.

This issue was found during internal product security testing. Juniper SIRT is not aware of any malicious exploitation of this vulnerability. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2014-3818.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R11, 12.1R10, 12.1X44-D40, 12.1X46-D30, 12.1X47-D11, 12.1X47-D15, 12.1X48-D41, 12.1X48-D62, 12.2R8, 12.2X50-D70, 12.3R6, 13.1R4-S2, 13.1X49-D49, 13.1X50-D30, 13.2R4, 13.2X50-D20, 13.2X51-D25, 13.2X52-D15, 13.3R2, 14.1R1, and all subsequent releases. This issue is being tracked as PR 953037 and is visible on the Customer Support website. KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

No known workaround exists for this issue.

How to obtain fixed software: Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10763 – 2016-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in...

2016-10 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI (CVE-2016-4922)

Product Affected: These issues can affect any product or platform running Junos OS.

Problem: Certain combinations of Junos OS CLI commands and arg...