
Juniper Networks disclosed a host of severe vulnerabilities in its hardware today. They can seriously affect a network, with impacts including Denial of Service, daemon crashes, insecure configurations, kernel crashes and more. A total of 22 vulnerabilities were reported on its Knowledge Center. Here are some of those in Juniper’s Junos OS that you need to watch out for.

#1 Receiving a specifically crafted malicious MPLS packet leads to a Junos kernel crash

In Juniper Networks Junos OS, a NULL Pointer Dereference vulnerability allows an attacker to cause the Junos OS kernel to crash. A single malicious MPLS packet is enough to cause a Denial of Service, and continued receipt of this packet will cause a sustained Denial of Service condition.

This issue was encountered during production usage, and multiple software releases have been issued to resolve it. Many releases have also been re-released, and software patches and updates have been made available. Users are advised to remove the MPLS configuration stanza from the interfaces at risk.

#2 Memory exhaustion DOS vulnerability in Routing Protocols Daemon with Juniper Extension Toolkit support

An unauthenticated, network-based attacker can cause severe memory exhaustion on a device due to a vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support. This degrades system performance and impacts system availability. The issue, which was found during internal product testing, only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. As of today, there are no viable workarounds for this issue.

#3 Multiple vulnerabilities discovered in NTP daemon

The issues discovered in the NTP daemon affect all products and platforms running Junos OS.
NTP.org has published security advisories for vulnerabilities resolved in ntpd (the NTP daemon). The team has released software patches to resolve these issues. Users are advised to adopt standard security best practices (control plane firewall filters, edge filtering, access lists, etc.) to protect against any remote malicious attacks against NTP. Customers who have already applied the workaround described by the team are already protected against any remote exploitation of these vulnerabilities.

#4 Invalid IP/mask learned from DHCP server might cause the device control daemon process crash

The device control daemon process (dcd) of Juniper Networks Junos OS has an improper input validation weakness. It allows an attacker to cause a Denial of Service to the dcd process, and to interfaces and connected clients, when the Junos device is requesting an IP address for itself. The good news is that Junos devices not configured to use DHCP are not vulnerable to this issue. The issue was discovered in the production stage, and multiple software releases have been issued to resolve it.

#5 Stateless IP firewall filter rules stop working after reboot or upgrade

After a Junos OS device reboots or is upgraded, the stateless firewall filter configuration does not work as expected. This vulnerability affects firewall filters for every address family. The affected releases of Junos OS include 15.1R4, 15.1R5, 15.1R6 and SRs based on these MRs, as well as 15.1X8 versions prior to 15.1X8.3.
The issue was encountered during the production stage and doesn’t have any known workarounds.
However, once the issue has occurred, the filters can be restored by performing “commit full”. The team has released software updates to resolve this specific issue.

#6 Credentials exposed when using HTTP and HTTPS Firewall Pass-through User Authentication

When an SRX Series device is configured to use HTTP/HTTPS pass-through authentication services, it can be affected by a man-in-the-middle attack or by authentic servers that have been subverted by malicious actors.
When a client sends authentication credentials in the initial HTTP/HTTPS session, there is a risk that these credentials may be captured by a malicious hacker during follow-on HTTP/HTTPS requests. This vulnerability does not affect the FTP and Telnet pass-through authentication services.
The team has updated some software releases to resolve this specific issue. The workaround suggested for this vulnerability is to discontinue the use of HTTP/HTTPS Pass-through Firewall User Authentication. Users are also advised to use web-redirect when using Pass-through Firewall User Authentication.

#7 jdhcpd process crash during processing of specially crafted DHCPv6 message

A jdhcpd daemon crash can occur after receiving a specially crafted DHCPv6 message destined to a Junos OS device configured as a DHCP server in a Broadband Edge (BBE) environment. A continuous stream of DHCPv6 packets could lead to an extended denial of service condition. Only Junos OS 15.1 and later releases are affected by this issue.
Devices are vulnerable to the DHCPv6 message only if they have a DHCP service configured. The team has released software to resolve this specific issue.
A workaround to this vulnerability would be to disable DHCP services if they are not needed.

#8 A local authentication vulnerability may lead to full control of a vSRX instance while the system is booting.

Junos OS on vSRX Series has an authentication bypass vulnerability in the initial boot sequence. This may allow an attacker to gain full control of the system without authentication when the system initially boots up. The following software releases have been updated to resolve this specific issue: Junos OS 15.1X49-D30, and all subsequent releases.
There are no viable workarounds for this issue.
Methods which may reduce, but not eliminate, the risk of exploitation of this problem include:
Restricting access to the hypervisor to only trusted administrators and disallowing all access to the “physical instance” of the vSRX instance while it is initially booting. This can be done by disabling connectivity to devices hosting the instance.

#9 Unauthenticated remote root access possible when RSH service is enabled

A remote unauthenticated attacker can obtain root access to the device if RSH service is enabled on Junos OS and if the PAM authentication is disabled. By default, the RSH service is disabled on Junos. An undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access.
This issue is not exploitable on platforms where the Junos release is based on FreeBSD 10+. This issue only affects configurations where RSH service is enabled and the PAM authentication is disabled.
The team suggests that users ensure there is no RSH service listening on port 514. They also suggest following common security BCPs to limit the exploitable surface by restricting access to the network and device to trusted systems, administrators, networks and hosts.

#10 Receiving a malformed MPLS RSVP packet leads to a Routing Protocols Daemon crash

An attacker can easily cause the RPD to crash because of an error handling vulnerability in the Routing Protocols Daemon (RPD) of Juniper Networks Junos OS. Continuously receiving this malformed MPLS RSVP packet will cause a sustained Denial of Service condition.

This issue does not affect versions of Junos OS before 14.1R1. The team has updated the following software releases to resolve this specific issue: 14.1R8-S5, 14.1R9, 14.1X53-D130, 14.1X53-D48, 14.2R4, 15.1R1, and all subsequent releases. The team suggests removing the MPLS configuration stanzas from interface configurations that are at risk.

These are just some of the vulnerabilities that can affect Junos OS. To know more about the other vulnerabilities reported, head over to Juniper Networks’ official site.
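Several of the issues above only matter when a particular feature is configured (MPLS on an interface, DHCP client or DHCPv6 server, pass-through authentication without web-redirect). The following is an added example, not Juniper tooling or code from the advisories, that scans `show configuration | display set` output for those preconditions; the statement patterns and the sample configuration are assumptions constructed for illustration.

```python
import re

# Exposure conditions named in the article, mapped to "display set" statements.
# The statement patterns below are this example's assumption, not Juniper's.
CHECKS = {
    "#1/#10 MPLS enabled on an interface": re.compile(
        r"^set (interfaces \S+ unit \d+ family mpls|protocols mpls interface \S+)"),
    "#4 device requests its own address via DHCP": re.compile(
        r"^set interfaces \S+ unit \d+ family inet dhcp(-client)?(\s|$)"),
    "#7 DHCPv6 local server configured": re.compile(
        r"^set (?:routing-instances \S+ )?system services dhcp-local-server dhcpv6(\s|$)"),
}
PASS_THROUGH = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit firewall-authentication pass-through (\S+)")

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp-client
set interfaces ge-0/0/2 unit 0 family mpls
set protocols mpls interface ge-0/0/2.0
set system services dhcp-local-server group LAN interface ge-0/0/0.0
set security policies from-zone trust to-zone untrust policy web then permit firewall-authentication pass-through access-profile USERS
set security policies from-zone guest to-zone untrust policy guest-web then permit firewall-authentication pass-through access-profile GUESTS
set security policies from-zone guest to-zone untrust policy guest-web then permit firewall-authentication pass-through web-redirect
"""


def audit(display_set: str) -> dict:
    """Return {finding: evidence} for each precondition present in the config."""
    findings = {name: [] for name in CHECKS}
    policies = {}  # (from-zone, to-zone, policy) -> pass-through options seen
    for line in display_set.splitlines():
        line = line.strip()
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                findings[name].append(line)
        m = PASS_THROUGH.match(line)
        if m:
            policies.setdefault(m.group(1, 2, 3), set()).add(m.group(4))
    # #6: the article's advice is to use web-redirect with pass-through auth.
    findings["#6 pass-through auth without web-redirect"] = sorted(
        "/".join(key) for key, opts in policies.items() if "web-redirect" not in opts)
    return {name: hits for name, hits in findings.items() if hits}


if __name__ == "__main__":
    for finding, evidence in audit(SAMPLE).items():
        print(finding, "->", evidence)
```

A match means only that the precondition is configured; whether the device is actually affected still depends on the Junos release it runs.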
