Juniper patches high-risk flaws in Junos OS

14.07.2016
Juniper Networks has fixed several vulnerabilities in the Junos operating system used on its networking and security appliances, including a flaw that could allow hackers to gain administrative access to affected devices.

The most serious vulnerability, rated 9.8 out of 10 in the Common Vulnerability Scoring System, is located in the J-Web interface, which allows administrators to monitor, configure, troubleshoot and manage routers running Junos OS. The issue is an information leak that could allow unauthenticated users to gain admin privileges to the device.

The flaw was fixed in Junos OS 12.1X46-D45, 12.1X46-D46, 12.1X46-D51, 12.1X47-D35, 12.3R12, 12.3X48-D25, 13.3R10, 13.3R9-S1, 14.1R7, 14.1X53-D35, 14.2R6, 15.1A2, 15.1F4, 15.1X49-D30 and 15.1R3. A temporary workaround is to disable J-Web or to limit which IP addresses can access the interface.

The company also fixed several vulnerabilities that can lead to denial of service conditions. One of them can be used to crash the kernel of a Junos OS device with a 64-bit architecture by sending a specially crafted UDP packet destined to an interface IP address of the device itself.

Another kernel crash can be triggered with specially crafted ICMP packets sent to Junos OS devices configured with a GRE or IPIP tunnel. The attack requires knowledge of network-specific information.

High-End SRX-Series chassis, configured in either standalone or cluster mode, are susceptible to several denial-of-service conditions if the in-transit traffic matches one or more ALG (application layer gateway) rules.

Another Junos patch fixes a potential networking data leak -- mbuf leak -- when source and destination MAC addresses of Ethernet frames with the EtherType field of IPv6 (0x86DD) are flooded into the VPLS instance.

One interesting patch is for a crypto vulnerability that affects device-to-device communication protocols using IKE/IPsec public-key authentication. It turns out that Junos OS would accept a self-signed certificate as valid if the certificate's issuer name matched one of the valid certificate authority (CA) certificates enrolled in Junos.

Finally, one fix reverts a issue with SRX Series devices that were upgraded to Junos OS 12.1X46. If the devices was upgraded using the "request system software" command with the "partition" option the update might have failed and the devices might have been left in a safe mode authentication state that allows logging in as the root account with no password.

Lucian Constantin

Zur Startseite