Multiple Vulnerabilities in Juniper Junos OS Could Allow for Remote Code Execution (2019-04)

MS-ISAC ADVISORY NUMBER:

2019-043

DATE(S) ISSUED:

04/12/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Juniper Junos OS, the most severe of which could allow for remote code execution. Junos OS is a FreeBSD-based operating system used in Juniper Networks routers. Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the vulnerable network service, an attacker may be able to install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Juniper Networks Junos OS
• Juniper Identity Management Service prior to 1.1.4
• Juniper Networks Service Insight versions from 15.1R1, prior to 18.R1
• Service Now versions from 15.R1, prior to 18.1R1

RISK:

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Juniper Junos OS, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

• Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access via a terminal page fault and a side-channel analysis. (CVE-2018-3620)
• Systems with microprocessors utilizing speculative execution and address translations may allow unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (CVE-2018-3646)
• Insufficient validation in the ELF header parser could allow a malicious ELF binary to cause a kernel crash or disclose kernel memory. (CVE-2018-6924)
• A certain sequence of valid BGP or IPv6 BFD packets may trigger a stack based buffer overflow in the Junos OS Packet Forwarding Engine manager (FXPC) process on QFX5000 series, EX4300, EX4600 devices. This issue can result in a crash of the fxpc daemon or may potentially lead to remote code execution. (CVE-2019-0008)
• When BGP tracing is enabled an incoming BGP message may cause the Junos OS routing protocol daemon (rpd) process to crash and restart. This can result in extended DoS condition. (CVE-2019-0019)
• On Junos devices with the BGP graceful restart helper mode enabled or the BGP graceful restart mechanism enabled, a BGP session restart on a remote peer that has the graceful restart mechanism enabled may cause the local routing protocol daemon (RPD) process to crash and restart. By simulating a specific BGP session restart, an attacker can cause a prolonged denial of service (DoS). (CVE-2019-0028)
• Specific IPv6 DHCP packets received by the jdhcpd daemon will cause a memory resource consumption issue to occur on a Junos OS device using the jdhcpd daemon configured to respond to IPv6 requests. Once started, memory consumption will eventually impact any IPv4 or IPv6 request serviced by the jdhcpd daemon, thus creating a Denial of Service (DoS) condition to clients requesting and not receiving IP addresses. Additionally, some clients which were previously holding IPv6 addresses will not have their IPv6 Identity Association (IA) address and network tables agreed upon by the jdhcpd daemon after the failover event occurs, which leads to more than one interface, and multiple IP addresses, being denied on the client. (CVE-2019-0031)
• A password management issue exists where the Organization authentication username and password were stored in plaintext in log files. A locally authenticated attacker who is able to access these stored plaintext credentials can use them to login to the Organization(CVE-2019-0032)
• A firewall bypass vulnerability in the proxy ARP service of Juniper Networks Junos OS allows an attacker to cause a high CPU condition leading to a Denial of Service (DoS). (CVE-2019-0033)
• Starting with Junos OS Release 16.1R3, the Junos Telemetry Interface supports Google gRPC remote procedure calls to provision sensors and to subscribe to and receive telemetry data. Configuration files used by gRPC were found to contain hardcoded credentials that could be used by the Junos Network Agent to perform unauthorized read of certain non-critical information. Additionally, APIs exposed via the Juniper Extension Toolkit (JET) may be able to perform non-critical ‘set’ operations on the device. These APIs need the client to be authenticated for which the username/password can be used. (CVE-2019-0034)
• When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. (CVE-2019-0035)
• When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" are silently ignored. No warning is issued during configuration, and the config is committed without error, but the filter criteria will match all packets leading to unexpected results. (CVE-2019-0036)
• In a Dynamic Host Configuration Protocol version 6 (DHCPv6) environment, the jdhcpd daemon may crash and restart upon receipt of certain DHCPv6 solicit messages received from a DHCPv6 client. This can result in a sustained Denial of Service (DoS) to both IPv4 and IPv6 clients. (CVE-2019-0037)
• Crafted packets destined to the management interface (fxp0) of an SRX340 or SRX345 services gateway may create a denial of service (DoS) condition due to buffer space exhaustion. (CVE-2019-0038)
• If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. (CVE-2019-0039)
• On Junos OS, rpcbind should only be listening to port 111 on the internal routing instance (IRI). External packets destined to port 111 should be dropped. Due to an information leak vulnerability, responses were being generated from the source address of the management interface thus disclosing internal addressing and existence of the management interface itself. A high rate of crafted packets destined to port 111 may also lead to a partial Denial of Service (DoS). (CVE-2019-0040)
• On EX4300-MP Series devices with any lo0 filters applied, transit network traffic may reach the control plane via loopback interface (lo0). The device may fail to forward such traffic. (CVE-2019-0041)
• Juniper Identity Management Service (JIMS) for Windows versions prior to 1.1.4 may send an incorrect message to associated SRX services gateways. This may allow an attacker with physical access to an existing domain connected Windows system to bypass SRX firewall policies, or trigger a Denial of Service (DoS) condition for the network. (CVE-2019-0042)
• In MPLS environments, receipt of a specific SNMP packet may cause the routing protocol daemon (RPD) process to crash and restart. This can lead to a denial of service condition. (CVE-2019-0043)
• Receipt of a specific packet on the out-of-band management interface fxp0 may cause the system to crash and restart (vmcore). This can result in a prolonged Denial of Service (DoS). (CVE-2019-0044)

Successful exploitation of the most severe of these vulnerabilities could result in the attacker gaining control of the affected system. Depending on the privileges associated with the vulnerable network service, an attacker may be able to install programs; view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

• Apply appropriate patches provided by Juniper after appropriate testing.
• Verify that no unauthorized system modifications have occurred on the system.
• Monitor intrusion detection systems for any signs of anomalous activity.
• Unless required, limit external network access to affected products.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES: