The network supplier Juniper has published 25 security reports on vulnerabilities in its own products. The developers classify one vulnerability as critical, it allows attackers from the network to inject and execute malicious code. Another ten gaps are considered high risk.
Juniper: Fixed critical gap
The vulnerability classified as critical can be found in Juniper Secure Analytics (JSA). Apache Commons Text is used in it to carry out so-called “variable interpolation” for further evaluation. Up to and including version 1.9, Apache Commons Text contained a critical vulnerability that could be exploited to execute arbitrary code. Juniper Networks Security Threat Response Manager (STRM) close the gap from the version 7.5.0UP4.
In JunosOS Evolved authenticated attackers with low privileges could have injected commands. Another high-risk vulnerability also allowed them to copy potentially malicious files into Docker containers due to improper permissions assignments, which an administrator unintentionally marked as root could perform.
Other gaps also apply Junos OS and Paragon Active Assurance (PAA). IT managers should check the security notifications to see whether they relate to the devices and software versions they use and apply the available updates.
Juniper’s April security alerts, sorted by severity:
- JSA Series: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults (CVE-2022-42889, CVSS 9.8Risk “critical“)
- Junos OS Evolved: Shell Injection vulnerability in the gNOI server (CVE-2023-28983, CVSS 8.8, hoch)
- Junos OS Evolved: Docker repository is world-writeable, allowing low-privileged local user to inject files into Docker containers (CVE-2023-28960, CVSS 8.2, hoch)
- Junos OS Evolved: Local low-privileged user with shell access can execute CLI commands as root (CVE-2023-28966, CVSS 7.8, hoch)
- Junos OS and Junos OS Evolved: In a BGP rib sharding scenario when a route is frequently updated an rpd memory leak will occur (CVE-2023-28982, CVSS 7.5, hoch)
- Junos OS and Junos OS Evolved: Malformed BGP flowspec update causes RPD crash (CVE-2023-28964, CVSS 7.5, hoch)
- Junos OS: MX Series: If a specific traffic rate goes above the DDoS threshold it will lead to an FPC crash (CVE-2023-28976, CVSS 7.5, hoch)
- Junos OS and Junos OS Evolved: An attacker sending genuine BGP packets causes an RPD crash (CVE-2023-28967, CVSS 7.5, hoch)
- Junos OS: MX Series: In a BBE scenario upon receipt of specific malformed packets from subscribers the process bbe-smgd will crash (CVE-2023-28974, CVSS 7.4, hoch)
- Paragon Active Assurance: Enabling the timescaledb enables IP forwarding (CVE-2023-28971, CVSS 7.2, hoch)
- Junos OS Evolved: The ‘sysmanctl’ shell command allows a local user to gain access to some administrative actions (CVE-2023-28973, CVSS 7.1, hoch)
- Junos OS: NFX Series: ‘set system ports console insecure’ allows root password recovery (CVE-2023-28972, CVSS 6.8, middle)
- Junos OS: Multiple vulnerabilities in J-Web (CVE-2023-28962+CVE-2023-28963, CVSS laut Juniper 6.5, middle)
- Junos OS and Junos OS Evolved: If malformed IPv6 router advertisements are received, memory corruption will occur which causes an rpd crash (CVE-2023-28981, CVSS 6.5, middle)
- Junos OS: QFX10002: PFE wedges and restarts upon receipt of specific malformed packets (CVE-2023-28959, CVSS 6.5, middle)
- Junos OS: QFX10002: Failure of storm control feature may lead to Denial of Service (CVE-2023-28965, CVSS 6.5, middle)
- Junos OS: JRR200: Kernel crash upon receipt of a specific packet (CVE-2023-28970, CVSS 6.5, middle)
- Junos OS: QFX10000 Series, PTX1000 Series: The dcpfe process will crash when a malformed ethernet frame is received (CVE-2023-1697, CVSS 6.5, middle)
- Junos OS: ACX Series: IPv6 firewall filter is not installed in PFE when “from next-header ah” is used (CVE-2023-28961, CVSS 5.8, middle)
- Junos OS and Junos OS Evolved: In a BGP rib sharding scenario an rpd crash will happen shortly after a specific CLI command is issued (CVE-2023-28980, CVSS 5.5, middle)
- Junos OS: QFX Series: The PFE may crash when a lot of MAC addresses are being learned and aged (CVE-2023-28984, CVSS 5.3, middle)
- Junos OS Evolved: Read access to some confidential user information is possible (CVE-2023-28978, CVSS 5.3, middle)
- Junos OS: SRX Series: Policies that rely on JDPI-Decoder actions may fail open (CVE-2023-28968, CVSS 5.3, middle)
- Junos OS: In a 6PE scenario upon receipt of a specific IPv6 packet an integrity check fails (CVE-2023-28979, CVSS 4.7, middle)
- Junos OS: The kernel will crash when certain USB devices are inserted (CVE-2023-28975, CVSS 4.6, middle)
IT managers should install the updates quickly. Since some of the vulnerabilities closed are critical or high-risk, this reduces the attack surface.
Most recently, a major update wave from Juniper Networks took place in January. Here, too, the manufacturer has plugged dozens of security gaps in the products, some of which were critical.
(dmk)
