JSA10613 – 2014-07 Security Bulletin: Junos: NTP server amplification denial of...

This issue can affect any product or platform running Junos OS with NTP client or server enabled. When an NTP client or server is enabled within the [edit system ntp] hierarchy level of the Junos configuration, REQ_MON_GETLIST and REQ_MON_GETLIST_1 control messages supported by the monlist feature within NTP may allow remote attackers to cause a denial of service. NTP is not enabled in Junos by default. Once NTP is enabled, an attacker can exploit these control messages in two different ways:

• as part of a denial of service attack against a remote victim
• as the target of an attack against the device itself

If unwanted NTP requests come into a Junos device, the NTP process will occupy resources such as memory and CPU, slowing down other processes and affecting overall system functionality. In extreme cases, the situation could result in traffic loss or protocol flaps.

On the SRX Series platform, NTP requests coming in from security zones to the firewall self-traffic are dropped by default unless the 'host-inbound-traffic' for 'protocol ntp' is explicitly enabled.

Neither ScreenOS nor JUNOSe are vulnerable to this issue. These systems do not support the "monlist" feature of NTP.

This issue has been assigned CVE-2013-5211. Response to monlist control messages has been disabled by default.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12, 12.1R10, 12.1X44-D35, 12.1X45-D25, 12.1X46-D15, 12.1X47-D10, 12.2R8, 12.3R7, 13.1R4-S2, 13.2R4, 13.3R2, 14.1R1, and all subsequent releases (i.e. all releases built after 14.1R1).

This issue is being tracked as PR 931184 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

If a possible attack has been identified, or if the NTP process is occupying a large amount of CPU or memory resources, the most effective mitigation is to apply a firewall filter to allow only trusted addresses and networks, plus the router's loopback address, access to the NTP service on the device, rejecting all other requests. For example:

    term allow-ntp {
        from {
            source-address {
                <trusted-addresses>;
                <router-loopback-address>;
            }
            protocol udp;
            port ntp;
        }
        then accept;
    }
    term block-ntp {
        from {
            protocol udp;
            port ntp;
        }
        then {
            discard;
        }
    }

This term may be added to the existing loopback interface filter as part of an overall control plane protection strategy. In general, security best practices recommend having such a filter term, even during normal operation.

Also, note that the router loopback address must be included under the NTP allow term. If the loopback is not allowed, 'show ntp' commands will time out:

    User@Router> show ntp status
    localhost: timed out, nothing received
    ***Request timed out

Using the above filter allows only trusted sources to request the NTP service, but if you are interested in identifying the sources of unwanted NTP requests, add the 'log' action to the term block-ntp along with the 'discard' action. For example:

    term block-ntp {
        from {
            protocol udp;
            port ntp;
        }
        then {
            log;
            discard;
        }
    }

If your trusted IPs are spoofed, then you will have to apply the 'log' action to the allow-ntp accept action as well. This will help in identifying misbehaving trusted sources as well.

    term allow-ntp {
        from {
            source-address {
                <trusted-addresses>;
                <router-loopback-address>;
            }
            protocol udp;
            port ntp;
        }
        then {
            log;
            accept;
        }
    }

Once you identify the source of unwanted NTP requests, take appropriate action to block them at the network perimeter, and delete the 'log' action from the filter term.

Note: The 'port' matching criterion is not supported on EX Series platforms other than the EX9200. When applying NTP control plane protection on EX Series, split the filter into two terms using 'source-port' and 'destination-port'. For example:

    term 1 {
        from {
            source-address {
                <trusted-addresses>;
            }
            protocol udp;
            source-port ntp;
        }
        then accept;
    }
    term 2 {
        from {
            protocol udp;
            destination-port ntp;
        }
        then {
            discard;
        }
    }
    term default {
        then accept;
    }

The 'log' action can also be used in this sample firewall filter as described earlier to aid in troubleshooting.

Apply the firewall filter to the lo0, me0 or both interfaces, depending on whether NTP attacks are coming from the network port or me0 interface. The recommendation is:

• If me0/vme is configured for the system, apply the filter to both lo0 and me0/vme.
• If me0/vme is not configured in the system, apply the filter only to lo0.

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
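
To complement the 'log' action when identifying sources of unwanted NTP requests, the following added example (not part of the Juniper advisory) classifies captured UDP port 123 payloads and counts monlist requests per source address. It assumes payloads have already been extracted from a capture; the sample packets and addresses are constructed, and the request codes 20 and 42 are the values of REQ_MON_GETLIST and REQ_MON_GETLIST_1 in ntpd's ntp_request.h.

```python
"""Flag NTP mode 7 monlist requests in captured UDP/123 payloads."""
import struct
from collections import Counter

MODE_PRIVATE = 7  # ntpdc-style "private" mode, the one that carries monlist
MONLIST_CODES = {20: "REQ_MON_GETLIST", 42: "REQ_MON_GETLIST_1"}


def classify_ntp_payload(payload):
    """Return a dict describing one NTP payload.

    Byte 0 holds the mode in its low three bits for every NTP packet type.
    For mode 7 the top bit of byte 0 is the response flag and byte 3 is the
    request code.
    """
    if len(payload) < 4:
        return {"kind": "truncated"}
    first, _sequence, _implementation, code = struct.unpack_from("!BBBB", payload)
    mode = first & 0x07
    if mode != MODE_PRIVATE:
        return {"kind": "standard", "mode": mode}
    direction = "response" if first & 0x80 else "request"
    name = MONLIST_CODES.get(code)
    return {
        "kind": "monlist" if name else "private-other",
        "direction": direction,
        "request": name or code,
    }


def monlist_requesters(packets, trusted=()):
    """Count monlist requests per source, skipping addresses in `trusted`.

    `packets` is an iterable of (source_ip, udp_payload). Source addresses
    are taken as seen on the wire and may be spoofed, which is why the
    advisory also suggests logging the accept term for trusted sources.
    """
    counts = Counter()
    for source, payload in packets:
        info = classify_ntp_payload(payload)
        if (info["kind"] == "monlist"
                and info["direction"] == "request"
                and source not in trusted):
            counts[source] += 1
    return counts


# Constructed sample traffic (documentation address ranges, not real captures).
SAMPLE_PACKETS = [
    ("192.0.2.10", bytes([0x23]) + bytes(47)),                   # client query, mode 3
    ("198.51.100.7", bytes([0x17, 0x00, 0x03, 42]) + bytes(4)),  # REQ_MON_GETLIST_1
    ("198.51.100.7", bytes([0x17, 0x00, 0x03, 20]) + bytes(4)),  # REQ_MON_GETLIST
    ("203.0.113.5", bytes([0x97, 0x00, 0x03, 42]) + bytes(4)),   # response flag set
    ("192.0.2.1", bytes([0x17, 0x00, 0x03, 42]) + bytes(4)),     # trusted host
    ("203.0.113.9", bytes([0x17, 0x00, 0x03, 0]) + bytes(4)),    # other mode 7 request
    ("203.0.113.9", b"\x17"),                                    # truncated payload
]

if __name__ == "__main__":
    for source, count in monlist_requesters(SAMPLE_PACKETS, trusted={"192.0.2.1"}).items():
        print(f"{source}: {count} monlist request(s)")
```

Sources reported here are candidates for the perimeter blocking step described above; on a patched release, monlist responses are disabled by default regardless.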

JSA10457 – Kernel crash after ICMP6 MTU exceeded packet received

Legacy Advisory Id: PSN-2010-10-968

Product Affected: This issue affects all hardware platforms running Junos 9.3 or later with the IPv6 address family and IPv6 PATH MTU Discovery enabled.

Problem: With IPv6 PATH MTU Discovery enabled (the default), the Ju...

JSA10680 – 2015-04 Security Bulletin: OpenSSL 19th March 2015 advisory

Multiple products.

OpenSSL project has published a security advisory for several vulnerabilities resolved in the OpenSSL library on 19th March 2015:

CVE | CVSS v2 base score | Summary
CVE-2015-0209 | 5.0 (AV:N/AC:M/Au:N/C:N/I:N/A:P) | Denial of service due to Use-after-free vulnerability in the d2i_ECPrivateKey function.
CVE-2015-0286 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service while processing crafted X.509 certificate.
CVE-2015-0287 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service due to ASN.1 structure reuse.
CVE-2015-0288 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service (NULL pointer dereference and application crash) via an invalid certificate key.
CVE-2015-0289 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service (NULL pointer dereference and application crash) while processing arbitrary PKCS#7 data.
CVE-2015-0292 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | Denial of service due to Integer underflow in the EVP_DecodeUpdate function.
CVE-2015-0293 | 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | The SSLv2 implementation denial of service.

In addition to the above, this OpenSSL advisory lists CVE-2015-0291, CVE-2015-0290, CVE-2015-0207, CVE-2015-0208, CVE-2015-1787, and CVE-2015-0285, which only affect OpenSSL version 1.0.2, which is not utilized by any Juniper product. Hence these issues do not affect any Juniper product.

Vulnerable Products:

• Junos OS is potentially affected by one or more of the vulnerabilities.
• CTPOS releases prior to 7.0R4 are potentially affected by one or more of the vulnerabilities.
• DDoS Secure is potentially affected by one or more of the vulnerabilities.
• IDP is potentially affected by one or more of the vulnerabilities.
• Junos Space is potentially affected by one or more of the vulnerabilities.
• NSM is potentially affected by one or more of the vulnerabilities.
• Pulse Secure: please refer to TSB16661.
• SBR Carrier is potentially affected by one or more of the vulnerabilities.
• SRC Series is potentially affected by one or more of the vulnerabilities.
• ScreenOS is potentially affected by one or more of the vulnerabilities.
• STRM and JSA Series are affected by CVE-2015-0286, CVE-2015-0287 and CVE-2015-0289.
• vGW is potentially affected by one or more of the vulnerabilities.
• RingMaster Appliance is potentially affected by one or more of the vulnerabilities.

Products not vulnerable:

• Smartpass does not use OpenSSL and is not vulnerable.
• RingMaster Software does not use OpenSSL and is not vulnerable.

As new information becomes available on products that are not listed above, this document will be updated.

Standard security best current practices (control plane firewall filters, edge filtering, access lists, etc.) may protect against any remote malicious attacks.

Junos OS: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:

• Disabling J-Web.
• Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes.
• Limit access to J-Web and XNM-SSL from only trusted networks.

ScreenOS: As a temporary workaround for the server side of ScreenOS, you can disable the HTTPS web user interface and the WebAuth feature. If you disable the HTTPS user interface, you would be required to do configuration management over command line (SSH). The command to disable SSL is the following:

    unset ssl enable

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10718 – 2016-01 Security Bulletin: Junos: Vulnerability in ISC BIND named...

2016-01 Security Bulletin: Junos: Vulnerability in ISC BIND named (CVE-2015-5477)

Product Affected: This issue can affect any SRX-Series and J-Series configured with DNS Proxy server services enabled.

Problem: A vulnerability in ISC BIND's handling of queries for TKEY records may allow remote attackers to terminate the daemon process on an assertion failure.

Juniper SIRT is not aware of any malicious exploitation of this issue on Junos devices. The Juniper SIRT is aware of publicly available PoC exploits.

This issue affects only SRX-Series and J-Series configured with DNS Proxy server services enabled. This issue can affect both standalone and HA configurations.

This issue has been assigned CVE-2015-5477.

Solution: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3R12, 12.3X48-D20, 12.3X50-D50, 13.2R9, 13.2X51-D39, 13.2X51-D40, 13.3R8, 14.1R6, 14.1R7, 14.1X53-D30, 14.2R5, 15.1F3, 15.1R2, 15.1R3, 15.1X49-D30, 15.1X53-D20, 15.2R1 and all subsequent releases.

Note: To proactively mitigate this issue in the future, should DNS Server features be introduced into other Junos OS platforms and products, this issue is fixed in the other stated platforms other than the ones listed as vulnerable under this JSA. This BIND issue does affect, but these versions are not vulnerable to this issue, as enabling the DNS Server feature does not exist on these platforms. Should SRX-Series and J-Series releases assume R-releases in the future, these versions are fixed moving forward in these release trains as well.

This issue is being tracked as PR 1108761 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: DNS proxy can be disabled; the following example set statements show if the service is enabled:

    set dns dns-proxy interface ge-0/0/1.0
    set dns dns-proxy default-domain * forwarders 172.17.28.100

You may view the status of DNS proxy via the command:

    show system services dns dns-proxy

Firewall filters limiting receipt of DNS queries on TCP and UDP port 53 can be implemented for different hosted groups of DNS servers; external DNS servers should be separate from internal DNS servers. External DNS servers should only accept DNS queries from internal DNS servers and reject externally facing DNS queries if using BIND.

A layered approach utilizing non-BIND based DNS servers may be taken as well; non-BIND servers can be deployed for externally hosted domains, and servers using BIND can be deployed internally.

In addition to the recommendations listed above, it is a good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the devices only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2016-01-13: Initial publication

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Risk Level: Medium

JSA10681 – 2015-05 Out of Cycle Security Bulletin: “Logjam” passive attack...

Diffie-Hellman key exchange is a popular cryptographic algorithm that allows Internet protocols to agree on a shared key and negotiate a secure connection. It is fundamental to many protocols including HTTPS, SSH, IPsec, and protocols that rely on TLS.

On May 20, 2015, researchers uncovered several weaknesses in how Diffie-Hellman key exchange has been deployed:

• "Logjam attack" against the TLS protocol. The "Logjam attack" allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the TLS protocol rather than an implementation vulnerability, and attacks a Diffie-Hellman key exchange rather than an RSA key exchange. The attack affects any server that supports DHE_EXPORT ciphers.
• Threats from state-level adversaries. Millions of HTTPS, SSH, and VPN servers all use the same prime numbers for Diffie-Hellman key exchange. Practitioners believed this was safe as long as new key exchange messages were generated for every connection. However, the first step in the number field sieve—the most efficient algorithm for breaking a Diffie-Hellman connection—is dependent only on this prime. After this first step, an attacker can quickly break individual connections.

See https://weakdh.org for more info.

Affected Products:

• Junos OS (XNM-SSL)*
• WXOS

Products Not Affected:

• Junos OS (J-Web, SSH, IPsec/IKE)
• Junos Space
• ScreenOS
• STRM/JSA
• CTP/CTPView

Products Under Investigation:

• NSM/NSMXpress
• Firefly Host

* See Product Status in Solution section below for specific versions of Junos OS.

Background and SIRT Analysis:

There are two aspects to "Logjam", both related to Diffie-Hellman key exchange:

1. Active downgrade attack of TLS sessions: Affects SSL/TLS → CVE-2015-4000
2. Passive attack on a DH group <= 1024: Can affect SSL/TLS, IPsec/IKE, and SSH

The active downgrade attack (1) is very similar to the previously published FREAK vulnerability which has been addressed by JSA10679. The active attack is only against TLS sessions, and its purpose is to downgrade from a non-DHE_EXPORT ciphersuite to a DHE_EXPORT ciphersuite when the server supports DHE_EXPORT but the client does not.

The passive attack (2) is not technically considered a product security vulnerability by the Juniper SIRT, but rather a previously known weakness in smaller DH groups. As compute power increases, key strength must increase to maintain the same level of defense against brute force attack.

Product Status

Junos:

• SSL/TLS: SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL).

  J-Web is not vulnerable. Export cipher suites (1) negotiated by J-Web are disabled by default in all supported versions of Junos.

  XNM-SSL vulnerable in earlier releases. Export cipher suites (1) used by XNM-SSL follow the defaults for OpenSSL found within each version of Junos. Export cipher suites are disabled by default in OpenSSL 1.0.1m and 0.9.8zf (Junos PR 1072809) corresponding to: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R10, 12.3X48-D20, 13.2R8, 13.3R7, 14.1R5, 14.2R3, 15.1R1, and all subsequent releases.

• SSH: SSH is configurable to use 2048-bit (dh-group14-sha1) keys with a default of 1024:

    [edit system services ssh]
    user@junos# set key-exchange ?
    Possible completions:
      [                    Open a set of values
      dh-group1-sha1       The RFC 4253 mandated group1 with SHA1 hash
      dh-group14-sha1      The RFC 4253 mandated group14 with SHA1 hash
      ecdh-sha2-nistp256   The EC Diffie-Hellman on nistp256 with SHA2-256
      ecdh-sha2-nistp384   The EC Diffie-Hellman on nistp384 with SHA2-384
      ecdh-sha2-nistp521   The EC Diffie-Hellman on nistp521 with SHA2-512
      group-exchange-sha1  The RFC 4419 group exchange with SHA1 hash
      group-exchange-sha2  The RFC 4419 group exchange with SHA2-256 hash

• IPsec/IKE: The paper describing this attack describes Diffie Hellman Group 1 as potentially vulnerable to an academic group, and DH Group 2 as potentially vulnerable to a nation-state actor. In order to avoid potential exposure, the use of these two groups should be avoided.

  Configuration options that could select these options are:

    [edit security group-vpn member ike policy policy-name]
    [edit security group-vpn server ike policy policy-name]
    [edit security ike policy policy-name]

  in which the policy includes a reference to any of the pre-defined IKE exchange proposals shown below that contain groups 1 and 2:

  basic: Basic set of two IKE proposals:
    Proposal 1: Preshared key, Data Encryption Standard (DES) encryption, and Diffie-Hellman (DH) group 1 and Secure Hash Algorithm 1 (SHA-1) authentication.
    Proposal 2: Preshared key, DES encryption, and DH group 1 and Message Digest 5 (MD5) authentication.

  compatible: Set of four commonly used IKE proposals:
    Proposal 1: Preshared key, triple DES (3DES) encryption, and DH group 2 (G2) and SHA-1 authentication.
    Proposal 2: Preshared key, 3DES encryption, and DH group 2 and MD5 authentication.
    Proposal 3: Preshared key, DES encryption, and DH group 2 and SHA-1 authentication.
    Proposal 4: Preshared key, DES encryption, and DH group 2 and MD5 authentication.

  standard: Standard set of two IKE proposals:
    Proposal 1: Preshared key, 3DES encryption, and DH group 2 and SHA-1 authentication.
    Proposal 2: Preshared key, Advanced Encryption Standard (AES) 128-bit encryption, and DH group 2 and SHA-1 authentication.

  The same would apply to a custom IKE or IPSec proposal that contains references to groups 1 or 2. These are configured under:

    [edit security ike proposal]
    [edit security ipsec policy keys]

  Note that Junos does not ship with pre-computed Diffie-Hellman keys (2). All DH keys are ephemeral; they are generated for a single SA and are never re-used.

Junos Space: Junos Space does not support Diffie-Hellman keys for SSL/TLS and is therefore not vulnerable (1). OpenSSH defaults to 2048-bit diffie-hellman-group14-sha1 (2), but can be configured to use other key exchange algorithms by modifying the KexAlgorithms parameter within /etc/ssh/sshd_config.

NSM: Still under investigation.

ScreenOS: ScreenOS is not vulnerable to the SSL/TLS downgrade attack (1). ScreenOS supports Diffie-Hellman Groups 1, 2, 5 & 14: http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_VPN.pdf

KB14667 also notes that ScreenOS supports DH Groups 5 and 14 (depending on version) which are currently considered strong enough to address concerns over brute-force attack (2).

Firefly Host: Still under investigation.

STRM/JSA: httpd does not use export grade ciphers (1) and the Diffie-Hellman ciphers that are in use with httpd are 1024 bit (2). httpd will be updated to use 2048-bit Diffie-Hellman ciphers in a future release. Server-side Java is not vulnerable as httpd controls the ciphers, however client-side Java connecting out to integrations may be vulnerable. Java will be updated in the near future to mitigate this.

CTP/CTPView: CTP does not have an SSL/TLS listener and SSH is not configurable. CTPView does not support Diffie-Hellman nor export-grade ciphers.

Junos: Since SSL is used for remote network configuration and management applications such as J-Web and SSL Service for JUNOScript (XNM-SSL), viable workarounds for this issue in Junos may include:

• Disabling J-Web
• Disable SSL service for JUNOScript and only use Netconf, which makes use of SSH, to make configuration changes
• Limit access to J-Web and XNM-SSL from only trusted networks

Note that J-Web is not vulnerable in any release of Junos OS, and XNM-SSL is only vulnerable in releases prior to those listed in the Solution section above.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via SSL and SSH only from trusted, administrative networks or hosts.

Modification History: 2015-05-29: Initial publication

Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
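
The advisory's guidance to avoid DH groups 1 and 2 can be checked against an exported configuration. The following added example (not Juniper's code) scans 'set'-format configuration text for the SSH, IKE and IPsec settings discussed above, including IKE policies that reference a custom proposal using a weak group. The statement forms matched (dh-group, proposals, proposal-set, perfect-forward-secrecy keys, key-exchange) are assumed to be the set-format equivalents of the hierarchy levels the advisory lists, and the sample configuration and all names in it are constructed.

```python
"""Audit Junos 'set' configuration for 1024-bit-or-smaller DH usage."""
import re

WEAK_DH_GROUPS = {"group1", "group2"}                     # groups the advisory says to avoid
WEAK_PROPOSAL_SETS = {"basic", "compatible", "standard"}  # predefined sets built on groups 1/2
WEAK_SSH_KEX = {"dh-group1-sha1"}                         # 1024-bit MODP key exchange

# IKE settings may live under plain ike or under group-vpn member/server ike.
IKE_SCOPE = r"security (?:group-vpn (?:member|server) )?ike"

# (rule name, pattern capturing <object name> and <value>, set of weak values)
RULES = [
    ("ike-proposal-dh-group",
     re.compile(rf"^set {IKE_SCOPE} proposal (\S+) dh-group (\S+)$"), WEAK_DH_GROUPS),
    ("ike-policy-proposal-set",
     re.compile(rf"^set {IKE_SCOPE} policy (\S+) proposal-set (\S+)$"), WEAK_PROPOSAL_SETS),
    ("ipsec-policy-pfs-keys",
     re.compile(r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$"),
     WEAK_DH_GROUPS),
    ("ssh-key-exchange",
     re.compile(r"^set system services (ssh) key-exchange (\S+)$"), WEAK_SSH_KEX),
]
POLICY_REF = re.compile(rf"^set {IKE_SCOPE} policy (\S+) proposals (\S+)$")


def audit(config_text):
    """Return sorted (line_no, rule, object_name, value) findings."""
    # Normalise whitespace so indentation or double spaces do not hide a match.
    lines = [(n, " ".join(raw.split()))
             for n, raw in enumerate(config_text.splitlines(), 1)]
    findings, weak_proposals = [], set()

    # Pass 1: direct uses of a weak group, proposal set or key exchange.
    for n, line in lines:
        for rule, pattern, weak_values in RULES:
            m = pattern.match(line)
            if m and m.group(2) in weak_values:
                findings.append((n, rule, m.group(1), m.group(2)))
                if rule == "ike-proposal-dh-group":
                    weak_proposals.add(m.group(1))

    # Pass 2: IKE policies that inherit a weak group via a custom proposal.
    for n, line in lines:
        m = POLICY_REF.match(line)
        if m and m.group(2) in weak_proposals:
            findings.append((n, "ike-policy-weak-proposal", m.group(1), m.group(2)))
    return sorted(findings)


# Constructed sample configuration; object names are hypothetical.
SAMPLE_CONFIG = """\
set system services ssh key-exchange dh-group1-sha1
set system services ssh key-exchange dh-group14-sha1
set security ike proposal LEGACY-P1 authentication-method pre-shared-keys
set security ike proposal LEGACY-P1 dh-group group2
set security ike proposal STRONG-P1 dh-group group14
set security ike policy BRANCH-A proposals LEGACY-P1
set security ike policy BRANCH-B proposals STRONG-P1
set security ike policy BRANCH-C proposal-set standard
set security group-vpn member ike policy GVPN proposal-set compatible
set security ipsec policy VPN-POL perfect-forward-secrecy keys group2
set security ipsec policy VPN-OK perfect-forward-secrecy keys group14
"""

if __name__ == "__main__":
    for line_no, rule, name, value in audit(SAMPLE_CONFIG):
        print(f"line {line_no}: {rule}: {name} uses {value}")
```

A device with no explicit key-exchange statement still falls back to the 1024-bit SSH default the advisory mentions, so an empty result for SSH does not by itself mean group14 is in use.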

JSA10677 – 2015-04 Security Bulletin: SRX Series: Cross-Site-Scripting Vulnerability in Dynamic...

2015-04 Security Bulletin: SRX Series: Cross-Site-Scripting Vulnerability in Dynamic VPN (CVE-2015-3005).

Product Affected: SRX Series devices with Dynamic VPN enabled.

Problem: A reflected cross site scripting (XSS) vulnerability in SRX Dynamic VPN may allow the stealing of sensitive information or session credentials from Dynamic VPN users.

This issue affects the device only when Dynamic VPN is enabled.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2015-3005.

Solution: The following software releases have been updated to resolve this specific issue: 12.1X44-D45, 12.1X46-D30, 12.1X47-D20, and all subsequent releases.

This issue is being tracked as PR 1031103 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: There are no viable workarounds for this issue.

Implementation: How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-04-08: Initial release.

CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Risk Level: Low

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10595 – 2013-10 Security Bulletin: Junos: Security issue with Proxy ARP...

2013-10 Security Bulletin: Junos: Security issue with Proxy ARP enabled on unnumbered interface (CVE-2013-6014)

Product Affected: This issue can affect any product or platform running Junos OS 10.4, 11.4, 11.4X27, 12.1, 12.1X44, 12.1X45, 12.2, 12.3, or 13.1, supporting unnumbered interfaces.

Problem: If Proxy ARP is enabled on an unnumbered interface, an attacker directly connected to the router can poison the ARP cache and create a bogus forwarding table entry for an IP address, effectively creating a denial of service for that subscriber or interface. When Proxy ARP is enabled on an unnumbered interface, the router will answer any ARP message from any IP address, which could lead to exploitable information disclosure.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-6014.

Solution: The following software releases have been updated to resolve this specific issue:

• All Junos OS software releases built on or after 2013-09-18, or
• Junos OS 10.4S15, 11.4R9, 11.4X27.44, 12.1R7, 12.1X44-D20, 12.1X45-D15, 12.2R6, 12.3R3, 13.1R3, 13.2R1, and all subsequent releases (i.e. all releases built after 13.2R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 842092 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: No known workaround exists for this issue.

Implementation: How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

CVSS Score: 6.1 (AV:A/AC:L/Au:N/C:N/I:N/A:C)

Risk Level: Medium

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10684 – 2015-07 Security Bulletin: Junos: QFX5100/EX4600 Denial of service vulnerability...

2015-07 Security Bulletin: Junos: QFX5100/EX4600 Denial of service vulnerability (CVE-2015-5357)

Product Affected: This issue can affect the EX4600, QFX3500, QFX3600, and QFX5100 switches running Junos OS 13.2X51-D15 and higher.

Problem: A high CPU consumption denial of service vulnerability exists in the EX4600 and QFX Series switches listed above. This issue can be triggered by remote unauthenticated network-based attackers. This issue was caused by a regression introduced in Junos OS 13.1X51-D15 and higher. Earlier releases are unaffected by this vulnerability.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2015-5357.

Solution: The following software releases have been updated to resolve this specific issue: Junos OS 13.2X51-D26, 13.2X51-D30, 14.1X53-D10, and all subsequent releases.

This issue is being tracked as PR 959279 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment by designing a control plane firewall filter to block all incoming traffic except for those services and ports explicitly needed. Use access lists or firewall filters to limit access to the router only from trusted, administrative networks or hosts.

Implementation: How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History: 2015-07-08: Initial publication

CVSS Score: CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Risk Level: Medium

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

JSA10699 – 2015-10 Security Bulletin: Junos: Crafted packets cause mbuf chain...

This issue can affect any product or platform running Junos OS with IPv6 enabled.

Specially crafted IPv6 packets can trigger mbuf chain corruption, which may eventually lead to a kernel panic in Junos OS. Devices not configured for IPv6 are unaffected by this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue is assigned CVE-2014-6450.

The following software releases have been updated to resolve this specific issue: Junos OS 11.4R12-S4, 11.4R13, 12.1X44-D41, 12.1X46-D26, 12.1X47-D11/D15, 12.2R9, 12.2X50-D70, 12.3R8, 12.3X48-D10, 12.3X50-D42, 13.1R4-S3, 13.1R5, 13.1X49-D42, 13.1X50-D30, 13.2R6, 13.2X51-D26, 13.2X52-D15, 13.3R3-S3, 13.3R4, 14.1R3, 14.2R1, 15.1R1, 15.1X49-D10 and all subsequent releases.

This issue is being tracked as PR 1016371 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

No known workaround exists for this issue.

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

Modification History:

• 2015-10-14: Initial publication
• 2015-12-17: While issue was initially found internally, a similar crash has been found in the field.

Information for how Juniper Networks uses CVSS can be found at KB16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories"

JSA10737 – 2016-04 Security Bulletin: Junos: RPD cores on receiving a...

2016-04 Security Bulletin: Junos: RPD cores on receiving a crafted L2VPN family BGP update (CVE-2016-1270)

Product Affected: This issue can affect any product or platform running Junos OS with family BGP based L2VPN and/or VPLS configured

Problem: Upon re...

JSA10560 – 2013-04 Security Bulletin: Junos: J-Web Sajax remote code execution

Legacy Advisory Id: PSN-2013-04-914

Product Affected: This issue can affect all Junos devices with J-Web enabled.

Problem: An insufficient validation vulnerability in J-Web can allow an authenticated user to execute arbitrary commands. This may allow a user with low privilege (such as read only access) to get complete administrative access. The scope of this vulnerability is limited to only those users with valid, authenticated login credentials.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

Solution: All Junos OS software releases built on or after 2013-02-28 have fixed this specific issue. Releases containing the fix specifically include: 10.4R13, 11.4R7, 12.1R5, 12.1X44-D15, 12.1X45-D10, 12.2R3, 12.3R1, and all subsequent releases (i.e. all releases built after 12.3R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 826518 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workaround: Disable J-Web, or limit access to only trusted hosts.

Acknowledgement: The Juniper SIRT would like to acknowledge and thank Phil from Sense of Security Labs for reporting this vulnerability.

Implementation: How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisory and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided download instructions for a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided on request.

CVSS Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Risk Level: Critical

Risk Assessment: Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."