Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-101
Date(s) Issued: Thursday, October 11, 2018
Subject: Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 
  • All products and platforms running Junos OS

  • ScreenOS 6.3.0 versions prior to 6.3.0r26

  • Junos Space Security Director prior to 17.2R1

  • Junos Space Network Management Platform prior to 18.2R1

RISK:
Government:
  • Large and medium government entities: High
  • Small government entities: High
Business:
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows: 

  • Receipt of a specific MPLS packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. This issue can only be exploited from within the MPLS domain. (CVE-2018-0043)

  • An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty when the SSHD configuration has the PermitEmptyPasswords option set to "yes". (CVE-2018-0044)

  • Receipt of a specific Draft-Rosen MVPN control packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. (CVE-2018-0045)

  • Multiple vulnerabilities have been resolved in the Junos Space Network Management Platform 18.2R1 release. (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-15906, CVE-2018-0046)

  • Cross-site scripting vulnerability in the UI framework used by Junos Space Security Director may allow authenticated users to inject persistent and malicious scripts. (CVE-2018-0047)

  • Memory exhaustion denial of service vulnerability in Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support. (CVE-2018-0048)

  • NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash when processing a specially crafted malicious MPLS packet. A single packet received by the target victim will cause a Denial of Service condition. The packet must be received on an interface configured to receive this type of traffic. (CVE-2018-0049)

  • Error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. (CVE-2018-0050)

  • Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process when used in NAT or stateful firewall configurations with SIP ALG enabled. (CVE-2018-0051)

  • Unauthenticated remote root access is possible when the RSH service is enabled and PAM authentication is disabled. (CVE-2018-0052)

  • Authentication bypass vulnerability in the initial boot sequence of Juniper Networks Junos OS on vSRX Series may allow an attacker to gain full control of the system without authentication when the system is initially booted up. (CVE-2018-0053)

  • On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps. (CVE-2018-0054)

  • Receipt of a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment may result in a jdhcpd daemon crash. (CVE-2018-0055)

  • L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces when the l2-backhaul VPN is configured. (CVE-2018-0056)

  • Junos OS: authd allows assignment of an IP address requested by a DHCP subscriber logging in with Option 50 (Requested IP Address), which could result in unauthorized information disclosure or denial of service for valid subscribers. (CVE-2018-0057)

  • In BBE configurations, receipt of a specially crafted IPv6 exception packet, Broadband Edge (BBE) client route, causes a Denial of Service. (CVE-2018-0058)

  • A persistent cross-site scripting vulnerability in the graphical user interface of ScreenOS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. (CVE-2018-0059)

  • An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. (CVE-2018-0060)

  • Denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance. (CVE-2018-0061)

  • Denial of Service vulnerability in the J-Web service may allow a remote unauthenticated user to cause a Denial of Service that prevents other users from authenticating or performing J-Web operations. (CVE-2018-0062)

  • Multiple vulnerabilities in the ntpd (NTP daemon) of Juniper products running Junos OS, the most severe of which may allow arbitrary code execution. (CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183)

  • Vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the next-hop limit of the private internal routing interfaces (IRIs). Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. (CVE-2018-0063)
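A defender's audit check for the condition described under CVE-2018-0044 above (PermitEmptyPasswords set to "yes" while some local account has an empty password), added here as an example and not taken from Juniper or this advisory. It assumes an OpenSSH-style sshd_config and a /etc/shadow-style password file on the host, and runs on constructed sample inputs.

```python
# Added example: audit for the CVE-2018-0044 exposure condition. Assumes an
# OpenSSH-style sshd_config and a /etc/shadow-style file (an assumption about
# the JDM host OS); all inputs below are constructed samples.
import re

def sshd_permits_empty_passwords(config_text):
    """True if the global PermitEmptyPasswords directive is 'yes'.
    OpenSSH uses the first value seen for a keyword; anything after a Match
    line is conditional, so parsing stops there. Default when absent: 'no'."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitemptypasswords" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return False

def accounts_with_empty_password(shadow_text):
    """Usernames whose password field (second colon-separated field) is empty."""
    empty = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            empty.append(fields[0])
    return empty

def audit(config_text, shadow_text):
    """Exposure exists only when both conditions hold at the same time."""
    permits = sshd_permits_empty_passwords(config_text)
    empties = accounts_with_empty_password(shadow_text)
    return {"permit_empty_passwords": permits,
            "empty_password_accounts": empties,
            "exposed": permits and bool(empties)}

# Constructed samples (not taken from any real device).
SAMPLE_SSHD_CONFIG = """Port 22
PermitEmptyPasswords yes
Match User admin
    PermitEmptyPasswords no
"""
SAMPLE_SHADOW = """root:$6$saltsalt$notarealhash:17800:0:99999:7:::
svc::17800:0:99999:7:::
nobody:*:17800:0:99999:7:::
"""
```

Point the two functions at the live files instead of the samples; a result with "exposed" set to True is the configuration the advisory describes.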

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights. 

Actions: 
  • After appropriate testing, immediately apply the patch provided by Juniper Networks to vulnerable systems.

  • Disable all unnecessary services.

  • Restrict access to devices and applications to authorized users and hosts only.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

References: 

Juniper:
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10878&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10879&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10880&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10881&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10882&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10883&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10884&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10885&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10886&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10887&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10888&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10889&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10890&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10892&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10893&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10894&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10895&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10896&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10897&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10898&cat=SIR...
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10899&cat=SIR...

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0052
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0054
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0058
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0059
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0062
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0063
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185