Newsflash Security: Vulnerabilities affecting all JUNOS Platforms

 
Introduction
 
CVE-2016-1269: 2016-04 Security Bulletin: Junos: Manipulating TCP timestamps can lead to resource exhaustion denial of service
 
CVE-2016-1264: 2016-04 Security Bulletin: Junos: A race condition in the Op script Op URL option allows an authenticated remote attacker to fully compromise the system
 
CVE-2016-1267: 2016-04 Security Bulletin: Junos: Lazy race condition in RPC allows an authenticated user to improperly elevate privileges
 
CVE-2016-1270: 2016-04 Security Bulletin: Junos: RPD cores on receiving a crafted L2VPN family BGP update
 
CVE-2016-0777 - CVE-2016-0778: 2016-04 Security Bulletin: Junos: OpenSSH Client Information Leak and Buffer Overflow in roaming support
 
CVE-2016-1271: 2016-04 Security Bulletin: Junos: Multiple privilege escalation vulnerabilities in Junos CLI
 
CVE-2016-1261: 2016-04 Security Bulletin: Junos: Multiple vulnerabilities in J-Web
 
CVE-2015-3145, CVE-2014-8151, CVE-2014-3613, CVE-2014-3620, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2014-3707, CVE-2014-8150, CVE-2014-0015: 2016-04 Security Bulletin: Junos: Multiple vulnerabilities in cURL and libcurl
 
 
Explanation
 
CVE-2016-1269: By manipulating TCP timestamps within a TCP session to a reachable listening port, it may be possible for an attacker to trigger a persistent buffer/socket resource exhaustion denial of service (DoS) attack. Normally, a networked device will time out a session after a number of unsuccessful retransmission events, occurring at increasing intervals. However, in this case, a crafted sequence of TCP packets will cause the device not to attempt retransmission, allowing the attacker to create long-lived sockets without needing to maintain state on them.
 
CVE-2016-1264: The Op script “Op URL” option can be used by an authenticated malicious actor performing a series of steps to take advantage of a race condition to ultimately compromise the system by multiple attack vectors.
 
CVE-2016-1267: A lazy race condition in RPC allows an authenticated user to elevate privileges to take ownership of any file on the device. This can allow an attacker to read, delete, or modify any file on the system. If the attacker modifies the files that control authentication operations, the attacker can potentially gain root access.
 
CVE-2016-1270: Upon receipt of a specially crafted BGP 'family l2vpn' UPDATE message, the Junos OS rpd daemon will crash and restart. Receipt of a constant stream of these crafted updates could lead to an extended denial of service. This issue only affects BGP based L2VPN and VPLS configurations. No other configurations are affected. The issue is not applicable to BGP Route Reflectors (RR). Note that this issue can only be triggered from inside a customer's network. MPLS labels are not usually exchanged outside the protected network, and are usually only received from a PE or RR in the same network.
 
CVE-2016-0777 - CVE-2016-0778:  "Since version 5.4 (released on March 8, 2010), the OpenSSH client supports an undocumented feature called roaming: if the connection to an SSH server breaks unexpectedly, and if the server supports roaming as well, the client is able to reconnect to the server and resume the suspended SSH session. Although roaming is not supported by the OpenSSH server, it is enabled by default in the OpenSSH client, and contains two vulnerabilities that can be exploited by a malicious SSH server (or a trusted but compromised server): an information leak (memory disclosure), and a buffer overflow (heap-based)." 
 
The attack vector leading to potential compromise in these scenarios relates to a session initiated from a Junos OS device using the SSH client to an external SSH server.
 
CVE-2016-1271: Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow root access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device.
 
CVE-2016-1261: Multiple vulnerabilities exist in J-Web input handling that may lead to cross-site request forgery (CSRF) issues or cause a denial of J-Web service (DoS). The cross-site request forgery vulnerabilities may allow malicious content on third party websites to launch unauthorized access and actions against J-Web via an administrative user's browser.
 
CVE-2015-3145, CVE-2014-8151, CVE-2014-3613, CVE-2014-3620, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2014-3707, CVE-2014-8150, CVE-2014-0015: Multiple vulnerabilities in Junos OS have been resolved by updating the cURL and libcurl libraries. These are used to support downloading updates or importing data into a Junos device. Examples of the issues addressed: denial of service, man-in-the-middle attacks, malicious cookies, malicious authentication requests, and others.
 
 
Workaround
 
CVE-2016-1269: Use access lists or firewall filters to limit access to the router via TCP only from trusted hosts.
 
CVE-2016-1264: Entering the following configuration command will disable the Op URL option: “set system scripts op no-allow-url”. Additionally, disabling any existing Junos OS Op scripts that use the Op URL option, or removing them from the environment, may reduce the risk of exploitation of this problem, but does not resolve the underlying problem.
 
CVE-2016-1267: Methods which may reduce the risk of exploitation of this problem, but which do not resolve the underlying problem, include:
  • Disabling any existing Junos OS Op scripts, or removing them from the environment.
  • Disabling JUNOScript administration to the system.
  • Disabling NETCONF administration to the system.
  • Disabling XNM services.
  • Only allowing access to XNM and NETCONF from trusted administrative networks and hosts.
  • Only allowing trusted accounts to execute Op scripts.
  • Using administrative jump boxes with no Internet access and employing anti-scripting techniques.
In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the devices as listed above.
 
CVE-2016-1270: While no single workaround is effective in all cases
 
CVE-2016-0777 - CVE-2016-0778: It is good security practice to connect only to known, trusted, SSH servers from critical infrastructure networking equipment. Use outgoing access lists or egress firewall filters to limit access from sensitive network devices to only trusted, administrative networks or hosts.
 
CVE-2016-1271: Use access lists or firewall filters to limit access to the router's CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators.
 
CVE-2016-1261: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D55, 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D30, 13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R3, 15.1X49-D20, and all subsequent releases.
 
CVE-2015-3145, CVE-2014-8151, CVE-2014-3613, CVE-2014-3620, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2014-3707, CVE-2014-8150, CVE-2014-0015: Avoid using untrusted URLs to fetch updates or to import data into a Junos device.
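Several of the workarounds above (CVE-2016-1269, CVE-2016-1267, CVE-2016-1271 and the CVE-2016-1264 command) come down to one Junos firewall filter on the Routing Engine plus a single configuration statement. The listing below is an added example, not configuration taken from the Juniper bulletins or from Infradata; the admin prefix 192.0.2.0/24 and the BGP peer prefix 198.51.100.0/24 are assumed placeholders and must be replaced with your own networks.

```junos
# Management sessions (SSH, Telnet, NETCONF on 830) only from the assumed admin prefix 192.0.2.0/24
set firewall family inet filter PROTECT-RE term trusted-mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term trusted-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term trusted-mgmt from destination-port [ ssh telnet 830 ]
set firewall family inet filter PROTECT-RE term trusted-mgmt then accept

# BGP only from the assumed peer prefix 198.51.100.0/24 so routing keeps working
set firewall family inet filter PROTECT-RE term bgp-peers from source-address 198.51.100.0/24
set firewall family inet filter PROTECT-RE term bgp-peers from protocol tcp
set firewall family inet filter PROTECT-RE term bgp-peers from port bgp
set firewall family inet filter PROTECT-RE term bgp-peers then accept

# Replies to sessions the router itself opened (SSH client, URL fetches);
# a packet with ACK or RST set cannot open a new listening-socket session
set firewall family inet filter PROTECT-RE term tcp-replies from protocol tcp
set firewall family inet filter PROTECT-RE term tcp-replies from tcp-established
set firewall family inet filter PROTECT-RE term tcp-replies then accept

# Any other TCP connection attempt towards the Routing Engine: count, log and drop
set firewall family inet filter PROTECT-RE term deny-other-tcp from protocol tcp
set firewall family inet filter PROTECT-RE term deny-other-tcp then count denied-tcp
set firewall family inet filter PROTECT-RE term deny-other-tcp then log
set firewall family inet filter PROTECT-RE term deny-other-tcp then discard

# Non-TCP traffic (ICMP, OSPF, ...) is deliberately left untouched by this example
set firewall family inet filter PROTECT-RE term allow-rest then accept

# Apply on lo0 so the filter covers traffic to the Routing Engine arriving on any interface
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# From the same bulletin: disable the Op URL option (CVE-2016-1264)
set system scripts op no-allow-url

# Verification after commit: the denied-tcp counter shows how many attempts were dropped
# show firewall filter PROTECT-RE
```

Activate with `commit confirmed` so that a mistyped admin prefix rolls back automatically instead of locking you out of the device.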
 
 
Conclusion
 
CVE-2016-1269: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D60, 12.1X46-D40, 12.1X47-D30, 12.3R11, 12.3X48-D20, 13.2R9, 13.2X51-D39, 13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R4-S1, 14.2R5, 15.1R2, 15.1X49-D30, 16.1R1, and all subsequent releases.
 
CVE-2016-1264: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20, 12.3X50-D50, 13.2R8, 13.2X51-D39, 13.2X51-D40, 13.2X52-D30, 13.3R7, 14.1R6, 14.1X53-D30, 14.2R4, 15.1F2, 15.1R2, 15.1X49-D10, 15.1X49-D20, 16.1R1 and all subsequent releases.
 
CVE-2016-1267: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3R11, 12.3X48-D20, 13.2R8, 13.2X51-D39, 13.2X51-D40, 13.3R7, 14.1R6, 14.1X53-D30, 14.2R3-S4, 14.2R4, 15.1F2, 15.1R2, 15.1X49-D20, 16.1R1, and all subsequent releases.
 
CVE-2016-1270: The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D60, 12.1X46-D45, 12.1X47-D30, 12.3R9, 12.3X48-D20, 13.2R7, 13.2X51-D40, 13.3R6, 14.1R4, 14.2R2, 14.2R3, and all subsequent releases.
 
CVE-2016-0777 - CVE-2016-0778: The following software releases have been updated to resolve these specific issues with the SSH client: Junos OS 12.1X46-D45, 12.1X47-D35, 12.3R12, 12.3X48-D30, 13.3R9, 14.1R7, 14.2R6, 15.1F5, 15.1R3, 15.1X49-D40, and all subsequent releases.
 
CVE-2016-1271: The following software releases have been updated to resolve these specific issues: Junos OS 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D25, 13.2R8, 13.3R7, 14.1R6, 14.2R4, 15.1R1, 15.1F2, 15.1X49-D15 and all subsequent releases.
 
CVE-2016-1261: Disable J-Web, or limit access to only trusted hosts which may not be compromised by cross-site attacks. For example, deploy jump hosts with no Internet access that use anti-scripting techniques to mitigate potential threats. Alternately, use a dedicated client and dedicated Web browser that is not used to access other sites.
 
CVE-2015-3145, CVE-2014-8151, CVE-2014-3613, CVE-2014-3620, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2014-3707, CVE-2014-8150, CVE-2014-0015: The following software releases have been updated to resolve this specific issue: 12.1X46-D50 (pending release), 12.1X47-D40 (pending release), 12.3R11, 12.3X48-D30 (to be released by end of April, 2016), 13.2R9, 13.2X51-D39, 13.2X51-D40, 13.3R8, 14.1R6, 14.1X53-D30, 14.2R5, 15.1R2, 15.1X49-D40, 15.1X53-D35 and all subsequent releases.
 
Priority
 
CVE-2016-1269: High
CVE-2016-1264: High
CVE-2016-1267: Medium
CVE-2016-1270: High
CVE-2016-0777 - CVE-2016-0778: Medium
CVE-2016-1271: High
CVE-2016-1261: High
 
CVE-2015-3145, CVE-2014-8151, CVE-2014-3613, CVE-2014-3620, CVE-2015-3143, CVE-2015-3148, CVE-2015-3153, CVE-2014-3707, CVE-2014-8150, CVE-2014-0015: High
 
For more information and assistance please contact Infradata by phone on +31 (0)71 750 15 25 or by e-mail at support@infradata.nl.
 

Partners & references

Juniper Networks