Juniper bleeding data and money: slaps Band-Aids all over Junos OS and warns markets

Security fixes for privilege escalation, DoS, TLS spoofing and more

Juniper's code reviewers have been hard at work, and have shipped a bunch of security bug-fixes.

First up: the company has turned up a bunch of Junos OS privilege escalation vulnerabilities that need patching. As the advisory states, CVE-2016-1271 covers a set of CLI commands that can be exploited to get root access to the affected system.

As well as patching vulnerable systems, Juniper reminds sysadmins that CLI access should always be restricted to trusted hosts (as well as highly trusted sysadmins).

Updated Junos OS versions listed in the advisory are “Junos OS 12.1X46-D45, 12.1X47-D30, 12.3R11, 12.3X48-D25, 13.2R8, 13.3R7, 14.1R6, 14.2R4, 15.1R1, 15.1F2, 15.1X49-D15 and all subsequent releases”.

Another fix for Junos OS gets rid of a BGP processing bug (CVE-2016-1270) that can crash the RPD daemon (but is only exploitable from inside the network).

The company's also rolled out a fix to a bunch of bugs in curl and libcurl. Of the 11 issues the company's reported in the advisory, only three have CVSS (common vulnerability scoring system) scores higher than 5:

  • CVE-2015-3144 – a denial-of-service (DoS) bug in hostname processing;
  • CVE-2015-3145 – another DoS bug, this time in cookie sanitisation; and
  • CVE-2015-3145 – a bug in libcurl's DarwinSSL implementation that could permit TLS spoofing.

Worth an honourable mention is a fix for Junos OS running on QFX switches. Juniper's product testing has discovered that the random number generators on the switches have insufficient entropy. If you're getting your random numbers from the switches, run the patch.

It would seem that last year's “unauthorised code” incident has given serious impetus to Juniper's code reviewers.

Those incidents, and general softness in the networking market, have seen the company warn US markets it's bracing for a disappointing March quarter.

When it announced its final quarter results for 2016, the gin palace warned that although it beat expectations for 2015, it forecast headwinds for the start of 2016.

Things have turned out worse than the company expected: its January guidance for the quarter was that revenue would be between US$1.15 billion and $1.19 billion. It now says the quarter will come in at between $1.09 to $1.1 billion.

Customers' upgrade cycles are troublesome things, and kit-sellers all over are suffering slow sales in troubled economies like Russia, Latin America and China. ®

Similar topics


Send us news

Other stories you might like