Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-042
Date(s) Issued: Friday, April 13, 2018
Subject: Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Systems Affected: 
  • All products and platforms running Junos OS
RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

  • A Junos device with VPLS routing-instances configured on one or more interfaces may be susceptible to an mbuf leak when processing a specific MPLS packet. Successful exploitation of this vulnerability could cause approximately 1 mbuf to be leaked per packet processed (CVE-2018-0022).
  • Juniper devices configured with short MACsec keys are at risk of man-in-the-middle attacks. Successful exploitation of this vulnerability could allow an attacker to discover the secret passphrases configured for these keys through dictionary and brute-force attacks using spoofed packets (CVE-2018-0021).
  • Multiple vulnerabilities in the stunnel software included with Junos OS have been resolved by upgrading stunnel to 5.38. Stunnel provides SSL/TLS protection for the Junos XML protocol server (xnm-ssl). These issues only affect devices where xnm-ssl is configured (CVE-2014-0016, CVE-2008-2420).
  • A remote, network-based attacker may be able to cause the mib2d process to crash, resulting in a denial-of-service condition for the SNMP subsystem. This vulnerability only affects systems with SNMP mib2d enabled; successful exploitation could disrupt network monitoring via SNMP but will not impact routing, switching, or firewall functionality (CVE-2018-0019).
  • A remote, unauthenticated attacker may be able to cause a kernel crash or execute code by sending a specially crafted Connectionless Network Protocol (CLNP) packet to an interface IP address of a Junos OS device (CVE-2018-0016).
  • An extended denial-of-service condition may be experienced by devices that receive repeated malformed BGP UPDATEs. These malformed BGP UPDATEs cause the routing process daemon to crash and restart. This vulnerability only impacts Junos OS 13.2R1 and later releases (CVE-2018-0020).

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Actions: 
  • After appropriate testing, immediately apply patches provided by Juniper to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
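
The following Python triage is an added example, not part of the advisory and not Juniper tooling. It reads `show configuration | display set` output and reports which of the configuration-dependent conditions listed in the Description are active on a device, skipping deactivated statements, to help order patching. The `set` patterns and the sample configuration are assumptions constructed for illustration; CVE-2018-0016 is left out because the advisory names no configuration condition for it.

```python
import re

# (CVE ids, condition as the advisory states it, assumed `display set` pattern)
CHECKS = [
    ("CVE-2018-0022", "VPLS routing-instance configured",
     r"^set (?:logical-systems \S+ )?routing-instances \S+ instance-type vpls\b"),
    ("CVE-2014-0016, CVE-2008-2420", "xnm-ssl configured (bundled stunnel)",
     r"^set system services xnm-ssl\b"),
    ("CVE-2018-0019", "SNMP (mib2d) enabled", r"^set snmp\b"),
    ("CVE-2018-0020", "BGP configured; Junos OS 13.2R1 and later only",
     r"^set (?:logical-systems \S+ )?(?:routing-instances \S+ )?protocols bgp\b"),
    ("CVE-2018-0021", "MACsec configured; review key length",
     r"^set security macsec\b"),
]

def active_statements(display_set_text):
    """Return 'set' lines not covered by a 'deactivate' of the same path or a parent."""
    sets, inactive = [], []
    for raw in display_set_text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            sets.append(line.split()[1:])
        elif line.startswith("deactivate "):
            inactive.append(line.split()[1:])
    return ["set " + " ".join(t) for t in sets
            if not any(t[:len(p)] == p for p in inactive)]

def triage(display_set_text):
    """Map each advisory condition to the first active statement that meets it."""
    lines = active_statements(display_set_text)
    findings = {}
    for cves, condition, pattern in CHECKS:
        hit = next((l for l in lines if re.search(pattern, l)), None)
        if hit:
            findings[cves] = (condition, hit)
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
set system host-name edge1
set system services ssh
set system services xnm-ssl local-certificate mgmt
deactivate system services xnm-ssl
set snmp community example authorization read-only
set routing-instances CUST-A instance-type vpls
set routing-instances CUST-A interface ge-0/0/1.100
set protocols bgp group ebgp neighbor 192.0.2.1 peer-as 64511
"""

if __name__ == "__main__":
    for cves, (condition, hit) in triage(SAMPLE).items():
        print(f"{cves}: {condition}\n    matched: {hit}")
```

A device with no findings still needs the Juniper patches, since the advisory lists all products and platforms running Junos OS as affected.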