Juniper Networks has had its first big bug day in months, with 19 patches announced covering everything from third-party package catchups to critical errors in password handling.
For the sake of organisation, let's pick up patches in the Junos OS first (there being so many patches, The Register will focus on those rated "High" and "Critical").
First on the critical list is CVE-2019-0006, which affects Junos OS 14.1X53, 15.1, and 15.1X53 running on EX, QFX and MX units. A crafted HTTP packet can be sent to the target, and this "can result in a crash of the fxpc daemon or may potentially lead to remote code execution".
The software inherited third-party vulnerabilities disclosed in this list of eight CVEs associated with libxml2, some dating back to 2016, and some of which are rated Critical. Versions from 12.1X46 through to 18.2X75 are affected.
High-rated CVE-2019-0001 affects MX Series devices configured with dynamic VLANs, running Junos OS 16.1 through to 18.2. A malformed packet can trigger "an uncontrolled recursion loop in the Broadband Edge subscriber management daemon (
Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1F, 15.1X49, 15.1X53 are subject to CVE-2019-0003, also rated High. A malicious flowspec BGP update can crash the router daemon.
BGP is also the vector for CVE-2019-0012 (High). If Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, or 18.1 is configured as a VPLS PE (provider edge), an attacker can craft a BGP message to crash the router daemon.
In CVE-2019-0010, crafted HTTP traffic can exhaust the memory of SRX Series devices running Junos OS 12.1X46, 12.3X48, and 15.1X49.
QFX and PTX Series devices running OS 17.2X75, 17.4, 18.1, or 18.2 can be crashed with a malformed J-Flow sampling packet (CVE-2019-0014, High).
Junos OS also inherited a buggy expat XML parser library from FreeBSD, in versions 12.3, 12.3X48, 14.1X53, 15.1, 15.1F, 15.1X49, 15.1X53, 16.1. Dating back to 2015, in CVE-2015-1283 a remote, unauthenticated attacker can send crafted XML to hose the target with either an out-of-memory condition or buffer overrun.
The other third-party vulnerability inherited by the operating system was in OpenSSL, with two CVEs affecting Junos OS 12.3X48 through to 18.4R1 and all subsequent releases.
OK, I've patched Junos OS. What next?
The company has disclosed that Juniper ATP 5.0.3 and 5.0.4 have a delightful collection of 14 CVEs, including a hardcoded salt for DES password hashing, and four other cases of hardcoded credentials, so that advisory is rated Critical.
Junos Space has multiple CVEs listed here, including a Critical integer overrun in the process browsing procps-ng library, a directory traversal in the
As well as an SSL protocol fix, the company's Session and Resource Control software has been patched to fix the High-rated CVE-2016-2183, aka "Sweet32", a birthday attack against the DES and Triple-DES ciphers. These are fixed in SRC 4.12.0-R1 and newer versions. ®
It is just over three years since Juniper Networks was caught out by unauthorised code that acted as an effective backdoor to its ScreenOS firewall operating system. The diligent effort that leads to big patch efforts is more to be welcomed than condemned.