Multiple Vulnerabilities in Juniper Products Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER: 2018-112
Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- All products and platforms running Junos OS
- ScreenOS 6.3.0 versions prior to 6.3.0r26
- Junos Space Security Director prior to 17.2R1
- Junos Space Network Management Platform prior to 18.2R1
RISK:
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Multiple vulnerabilities have been discovered in Juniper products, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:
- Receipt of a specific MPLS packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. This issue can only be exploited from within the MPLS domain. (CVE-2018-0043)
- An insecure SSHD configuration in Juniper Device Manager (JDM) and the host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty while the SSHD configuration has the PermitEmptyPasswords option set to "yes". (CVE-2018-0044)
- Receipt of a specific Draft-Rosen MVPN control packet may cause the routing protocol daemon (RPD) process to crash and restart or may lead to remote code execution. (CVE-2018-0045)
- Multiple vulnerabilities have been resolved in the Junos Space Network Management Platform 18.2R1 release. (CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-15906, CVE-2018-0046)
- Cross-site scripting vulnerability in the UI framework used by Junos Space Security Director may allow authenticated users to inject persistent and malicious scripts. (CVE-2018-0047)
- A memory exhaustion denial of service vulnerability exists in the Routing Protocols Daemon (RPD) when Juniper Extension Toolkit (JET) support is enabled. (CVE-2018-0048)
- NULL Pointer Dereference vulnerability in Juniper Networks Junos OS allows an attacker to cause the Junos OS kernel to crash when processing a specially crafted malicious MPLS packet. A single packet received by the target victim will cause a Denial of Service condition. The packet must be received on an interface configured to receive this type of traffic. (CVE-2018-0049)
- Error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. (CVE-2018-0050)
- Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process when used in NAT or stateful firewall configurations with SIP ALG enabled. (CVE-2018-0051)
- Unauthenticated remote root access is possible when the RSH service is enabled and PAM authentication is disabled. (CVE-2018-0052)
- Authentication bypass vulnerability in the initial boot sequence of Juniper Networks Junos OS on vSRX Series may allow an attacker to gain full control of the system without authentication when the system is initially booted up. (CVE-2018-0053)
- On QFX5000 Series and EX4600 switches, a high rate of Ethernet pause frames or an ARP packet storm received on the management interface (fxp0) can cause egress interface congestion, resulting in routing protocol packet drops, such as BGP, leading to peering flaps. (CVE-2018-0054)
- Receipt of a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment may result in a jdhcpd daemon crash. (CVE-2018-0055)
- L2ALD daemon may crash if a duplicate MAC is learned by two different interfaces when the l2-backhaul VPN is configured. (CVE-2018-0056)
- Junos OS: authd allows assignment of the IP address requested by a DHCP subscriber logging in with Option 50 (Requested IP Address), which could result in unauthorized information disclosure or denial of service for valid subscribers. (CVE-2018-0057)
- In Broadband Edge (BBE) configurations, receipt of a specially crafted IPv6 exception packet for a BBE client route causes a Denial of Service. (CVE-2018-0058)
- A persistent cross-site scripting vulnerability in the graphical user interface of ScreenOS may allow a remote authenticated user to inject web script or HTML and steal sensitive data and credentials from a web administration session, possibly tricking a follow-on administrative user to perform administrative actions on the device. (CVE-2018-0059)
- An improper input validation weakness in the device control daemon process (dcd) of Juniper Networks Junos OS allows an attacker to cause a Denial of Service to the dcd process and interfaces and connected clients when the Junos device is requesting an IP address for itself. (CVE-2018-0060)
- Denial of service vulnerability in the telnetd service on Junos OS allows remote unauthenticated users to cause high CPU usage which may affect system performance. (CVE-2018-0061)
- A Denial of Service vulnerability in the J-Web service may allow a remote unauthenticated user to cause a Denial of Service that prevents other users from authenticating or performing J-Web operations. (CVE-2018-0062)
- Multiple vulnerabilities exist in the ntpd (NTP daemon) of Juniper products running Junos OS; the most severe of these may allow arbitrary code execution. (CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183)
- A vulnerability in the IP next-hop index database in Junos OS 17.3R3 may allow a flood of ARP requests, sent to the management interface, to exhaust the private internal routing interfaces (IRIs) next-hop limit. Once the IRI next-hop database is full, no further next hops can be learned and existing entries cannot be cleared, leading to a sustained denial of service (DoS) condition. (CVE-2018-0063)
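As an added check, not part of the advisory or Juniper's own tooling: the CVE-2018-0044 entry above needs two conditions at once, PermitEmptyPasswords effectively set to "yes" and at least one account with an empty password. The Python below audits both against constructed sshd_config and /etc/shadow-style inputs; the file formats (OpenSSH keyword syntax, Linux shadow fields) are assumptions, since the NFX host OS layout is not described on this page.

```python
# Added audit example (not Juniper's code) for the CVE-2018-0044 condition:
# exposure requires PermitEmptyPasswords effectively "yes" in sshd_config
# AND at least one account whose password field is empty. Inputs are assumed
# to be OpenSSH sshd_config text and a Linux /etc/shadow-style file.
import re

_KEYWORD = re.compile(r"^\s*([A-Za-z]+)[\s=]+(\S+)")

def effective_permit_empty_passwords(sshd_config: str) -> bool:
    """True if sshd would accept empty passwords for some connection.
    OpenSSH keeps the first value read for a keyword in the global section
    (default "no"); a "yes" inside any later Match block is also flagged,
    because it applies to the connections that block matches."""
    global_value, in_match = None, False
    for line in sshd_config.splitlines():
        m = _KEYWORD.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            in_match = True
        elif key == "permitemptypasswords":
            if in_match and value == "yes":
                return True
            if not in_match and global_value is None:
                global_value = value  # first global occurrence wins
    return global_value == "yes"

def accounts_with_empty_password(shadow: str) -> list:
    """Account names whose password field is empty ('!' or '*' are locked)."""
    return [f[0] for f in (l.split(":") for l in shadow.splitlines())
            if len(f) >= 2 and f[1] == ""]

def audit(sshd_config: str, shadow: str) -> dict:
    permit = effective_permit_empty_passwords(sshd_config)
    empty = accounts_with_empty_password(shadow)
    return {"permit_empty_passwords": permit,
            "empty_password_accounts": empty,
            "exposed": permit and bool(empty)}

# Constructed samples; the duplicated keyword exercises the first-wins rule.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
permitemptypasswords yes
PermitEmptyPasswords no
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:17800:0:99999:7:::
admin::17800:0:99999:7:::
svc:!:17800:0:99999:7:::
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW))
```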
We recommend the following actions be taken:
- Apply appropriate patches provided by Juniper to vulnerable systems immediately after appropriate testing.
- Disable all unnecessary services.
- Restrict access to devices and applications from only authorized users and hosts.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
- Apply the Principle of Least Privilege to all systems and services.