It's time for Juniper Networks' semi-regular bugfest, with 22 fixes announced today, two of which carry a “critical” rating and should be applied immediately.
The company's software defined networking-supported NFX Series CPE, if running Junos OS version 18.1, had an insecure default setting in the Juniper Device Manager: CVE-2018-0044 allowed SSH access with an empty password.
If you can't upgrade to version 18.1R4 or 18.2R1 or later, double-check that all accounts have strong passwords.
The other critical-rated announcement was for the Network Time Protocol daemon in all versions of Junos OS. It covers six CVE (Common Vulnerabilities and Exposures) numbers, most of which relate to denial-of-service conditions.
The list, however, included one remote code execution bug, CVE-2018-7183, in an array handler. An attacker can exploit a buffer overflow in the decodearr function “by leveraging an ntpq query and sending a response with a crafted array”.
Most of the remaining bugs have a “high” severity rating. The Register's favourite was probably this one: product developers created an undocumented CLI command that can switch on the RSH (remote shell) service and disable the pluggable authentication module (PAM).
Someone who knew the secret command could expose the system to unauthenticated root access over port 514, and the bug affected Junos OS versions from 12.1X46 through 18.2X75.
There's a routing protocol daemon crash, CVE-2018-0043, that Juniper engineers are concerned may leave a system vulnerable to remote code execution if an attacker sends a crafted MPLS packet over either IPv4 or IPv6. An attacker can only target systems from within the MPLS domain.
Affected Junos OS systems are in versions from 12.1X46 through 17.4.
CVE-2018-0048 also hit the routing protocol daemon, this time in the Juniper Extension Toolkit SDK.
The Draft-Rosen multicast VPN (MVPN) implementation in Junos OS from 12.1X46 through to 18.1 could be crashed by a control packet, in a bug assigned CVE-2018-0045. Once again, it can only be attacked from within the MPLS domain.
The Junos Space network management platform has been patched against multiple CVEs, mostly affecting OpenSSH before version 7.4, and covered by this advisory.
The company's SIP application layer gateway on SRX-HE gateways had a bunch of processes an attacker can crash in CVE-2018-0051 – you can grab updates or disable the vulnerable feature.
The other dozen bugs carry a medium rating – the full list is here. ®