SB2018041212 - Multiple vulnerabilities in Juniper products



Published: April 12, 2018 Updated: October 13, 2025

Security Bulletin ID: SB2018041212
Severity: High
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 8%, Low 92%

Description

This security bulletin contains information about 12 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2018-0016)

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.

The weakness exists due to an unspecified flaw. A remote attacker can submit specially crafted CLNP packets and cause the service to crash or execute arbitrary code.

Successful exploitation of the vulnerability may result in system compromise.

2) Improper check or handling of exceptional conditions (CVE-ID: CVE-2018-0017)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the flowd daemon due to failure to handle exceptional conditions. A remote attacker can submit a specially crafted valid IPv6 packet and cause the service to crash.

3) Configuration error (CVE-ID: CVE-2018-0018)

The vulnerability allows a remote attacker to obtain potentially sensitive information and bypass security restrictions on the target system.

The weakness exists due to a configuration error. A remote attacker can submit specially crafted packets, gain access to potentially sensitive information and bypass firewall rules of IDP policies.

4) Improper resource shutdown (CVE-ID: CVE-2018-0019)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the SNMP MIB-II subagent daemon (mib2d) due to an unspecified flaw. A remote attacker can cause the service to crash.

5) Improper input validation (CVE-ID: CVE-2018-0020)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in the rpd daemon due to an unspecified flaw. A remote attacker can submit a specially crafted BGP UPDATE and cause the service to crash.

6) Information disclosure (CVE-ID: CVE-2015-2080)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists in an HTTP header (aka JetLeak) due to improper initialization of process memory. A remote attacker can gain access to potentially sensitive information.

7) Man-in-the-middle attack (CVE-ID: CVE-2017-1000385)

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack on the target system.

The weakness exists due to performing RSA decryption and signing operations with the private key of a TLS server. A remote attacker can gain access to potentially sensitive information.

8) Insufficient entropy in PRNG (CVE-ID: CVE-2014-0016)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper update of the state of the OpenSSL pseudo-random number generator (PRNG), which causes subsequent children with the same process ID to use the same entropy pool, when using fork threading. A remote attacker can gain access to potentially sensitive information.

9) Improper access control (CVE-ID: CVE-2008-2420)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists in the OCSP functionality due to improper search of certificate revocation lists (CRL). A remote attacker can use revoked certificates and bypass intended access restrictions.

10) Man-in-the-middle attack (CVE-ID: CVE-2018-0021)

The vulnerability allows a remote attacker to conduct a man-in-the-middle attack and obtain potentially sensitive information on the target system.

The weakness exists because, if all 64 digits of the connectivity association name (CKN) key or all 32 digits of the connectivity association key (CAK) key are not configured, all remaining digits are auto-configured to 0. A remote attacker can discover the secret passphrases configured for these keys through dictionary-based and brute-force-based attacks using spoofed packets.
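
A pre-deployment check for the CKN/CAK length problem described above, added here as an example and not taken from the bulletin or the vendor: it rejects keys that would be padded with zeros and generates full-length replacements. The function names and finding messages are assumptions of this example.

```python
import secrets
import string

# Full key lengths in hex digits, as stated in the bulletin.
CKN_DIGITS = 64
CAK_DIGITS = 32

def check_key(name, value, required):
    """Return a list of findings for one key; an empty list means acceptable."""
    v = value.strip()
    if not v or any(ch not in string.hexdigits for ch in v):
        return [f"{name}: not a hexadecimal string"]
    findings = []
    if len(v) < required:
        # Short values are the case the bulletin describes: the rest becomes 0.
        findings.append(
            f"{name}: {len(v)} of {required} digits set, the remaining "
            f"{required - len(v)} would be auto-configured to 0 "
            f"(at most {4 * len(v)} of {4 * required} bits chosen by the operator)")
    elif len(v) > required:
        findings.append(f"{name}: {len(v)} digits, expected {required}")
    if len(set(v.lower())) == 1:
        findings.append(f"{name}: one digit repeated, trivially guessable")
    return findings

def check_macsec_psk(ckn, cak):
    """Validate a CKN/CAK pair before it is pushed to a device."""
    return check_key("CKN", ckn, CKN_DIGITS) + check_key("CAK", cak, CAK_DIGITS)

def generate_psk():
    """Full-length CKN and CAK from the OS CSPRNG (2 hex digits per byte)."""
    return secrets.token_hex(CKN_DIGITS // 2), secrets.token_hex(CAK_DIGITS // 2)

if __name__ == "__main__":
    # Constructed short keys, the pattern the bulletin warns about.
    for finding in check_macsec_psk("1234", "abcd1234"):
        print(finding)
    print(check_macsec_psk(*generate_psk()))
```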

11) Memory leak (CVE-ID: CVE-2018-0022)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an mbuf leak when processing a specific MPLS packet. Approximately 1 mbuf is leaked per packet processed. The number of mbufs is platform dependent. The following command shows the number of mbufs currently in use and the maximum number of mbufs that can be allocated on a platform:
  > show system buffers
  2437/3143/5580 mbufs in use (current/cache/total)
Once the device runs out of mbufs, a remote attacker can cause the service to crash.
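
A detection example for the mbuf leak above, added here and not part of the bulletin or the vendor's tooling: it parses the `current/cache/total` line from periodic `show system buffers` captures and flags steady growth of the in-use count. The sample captures, the `max_mbufs` value and the `min_rate` threshold are constructed assumptions.

```python
import re

# Counter line printed by "show system buffers", e.g.
# "2437/3143/5580 mbufs in use (current/cache/total)"
MBUF_LINE = re.compile(
    r"^\s*(\d+)/(\d+)/(\d+)\s+mbufs in use \(current/cache/total\)", re.M)

def parse_mbufs(output):
    """Return (current, cache, total) from 'show system buffers' output."""
    m = MBUF_LINE.search(output)
    if m is None:
        raise ValueError("no 'mbufs in use' line in output")
    return tuple(int(g) for g in m.groups())

def leak_report(samples, max_mbufs, min_rate=0.5):
    """samples: [(unix_time, command_output), ...], oldest first.

    A leak is suspected when 'current' never drops across the window and
    grows by at least min_rate mbufs/second. max_mbufs is the platform
    maximum, supplied by the operator (assumption of this example).
    """
    if len(samples) < 3:
        raise ValueError("need at least three samples to judge a trend")
    points = [(t, parse_mbufs(out)[0]) for t, out in samples]
    (t0, c0), (t1, c1) = points[0], points[-1]
    if t1 <= t0:
        raise ValueError("samples must be ordered oldest first")
    rate = (c1 - c0) / (t1 - t0)
    never_drops = all(b[1] >= a[1] for a, b in zip(points, points[1:]))
    suspected = never_drops and rate >= min_rate
    eta = (max_mbufs - c1) / rate if suspected else None
    return {"rate_per_s": rate, "suspected_leak": suspected,
            "seconds_to_exhaustion": eta}

def _capture(current, cache=3143):
    # Constructed sample output in the format quoted in the bulletin.
    return ("> show system buffers\n"
            f"  {current}/{cache}/{current + cache} mbufs in use (current/cache/total)\n")

# Constructed captures taken 60 s apart: one leaking, one steady.
LEAKING = [(t, _capture(c)) for t, c in [(0, 2437), (60, 2737), (120, 3037), (180, 3337)]]
STEADY = [(t, _capture(c)) for t, c in [(0, 2437), (60, 2410), (120, 2450), (180, 2440)]]

if __name__ == "__main__":
    print(leak_report(LEAKING, max_mbufs=5337))
    print(leak_report(STEADY, max_mbufs=5337))
```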

12) Configuration error (CVE-ID: CVE-2018-0023)

The vulnerability allows a local unauthenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.

The weakness exists because the default configuration and sample files of the JSNAPy automation tool are created world-writable. A local attacker can alter the files under the directory, including inserting operations not intended by the package maintainer, system administrator, or other users.
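
An audit for the world-writable files described above, added here as an example and not taken from the bulletin or from JSNAPy: it lists every file and directory under a given root that has the other-write bit set and can clear that bit. The bulletin does not name the directory, so the root is a caller-supplied argument; the function names are assumptions of this example.

```python
import os
import stat
import sys

def world_writable(root):
    """Return sorted paths under root (root included) writable by 'other'."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    hits = []
    for path in paths:
        st = os.lstat(path)              # lstat: do not follow symlinks
        if stat.S_ISLNK(st.st_mode):
            continue                     # a symlink's own mode bits are not meaningful
        if st.st_mode & stat.S_IWOTH:
            hits.append(path)
    return sorted(hits)

def strip_other_write(paths):
    """Clear only the other-write bit, leaving owner and group bits as they are."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)

if __name__ == "__main__":
    # Usage: python audit.py <configuration directory to audit>
    found = world_writable(sys.argv[1])
    for path in found:
        print(f"world-writable: {path}")
    sys.exit(1 if found else 0)
```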

Remediation

Install the update from the vendor's website.