Source: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10774

2017-01 Security Bulletin: Network and Security Manager (NSM): Multiple OpenSSH
and other third party software vulnerabilities affect NSM Appliance OS.


Article ID: JSA10774 | Security Advisories | Last Updated: 17 Jan 2017 | Version: 2.0
Product Affected:

NSM Appliances (NSM3000, NSM4000 and NSMExpress).
Problem:


Vulnerabilities in OpenSSH, Apache HTTP server, Libxml2, Linux Kernel,
PostgreSQL and other third party software potentially affect NSM Appliance OS.

These software packages are updated in the NSM Appliance OS gzip upgrade package
v3 based on CentOS 6. Important security issues resolved by this upgrade include
the following (CVE, CVSS base score and vector, summary):

 * CVE-2015-5600 (6.5; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L): The
   kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9
   does not properly restrict the processing of keyboard-interactive devices
   within a single connection, which makes it easier for remote attackers to
   conduct brute-force attacks or cause a denial of service (CPU consumption)
   via a long and duplicative list in the ssh -oKbdInteractiveDevices option,
   as demonstrated by a modified client that provides a different password for
   each pam element on this list.
 * CVE-2015-6564 (7.0; CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H):
   Use-after-free vulnerability in the mm_answer_pam_free_ctx function in
   monitor.c in sshd in OpenSSH before 7.0 on non-OpenBSD platforms might allow
   local users to gain privileges by leveraging control of the sshd uid to send
   an unexpectedly early MONITOR_REQ_PAM_FREE_CTX request.
 * CVE-2016-3115 (6.4; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N): Multiple
   CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2
   allow remote authenticated users to bypass intended shell-command
   restrictions via crafted X11 forwarding data, related to the (1)
   do_authenticated1 and (2) session_x11_req functions.
 * CVE-2015-5352 (3.7; CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N): The
   x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when
   ForwardX11Trusted mode is not used, lacks a check of the refusal deadline
   for X connections, which makes it easier for remote attackers to bypass
   intended access restrictions via a connection outside of the permitted time
   window.
 * CVE-2015-6563 (2.5; CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N): The
   monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms
   accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which
   allows local users to conduct impersonation attacks by leveraging any SSH
   login access in conjunction with control of the sshd uid to send a crafted
   MONITOR_REQ_PWNAM request, related to monitor.c and monitor_wrap.c.
 * CVE-2016-5195 (7.8; CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): Race
   condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3
   allows local users to gain privileges by leveraging incorrect handling of a
   copy-on-write (COW) feature to write to a read-only memory mapping, as
   exploited in the wild in October 2016, aka "Dirty COW."
 * CVE-2015-5157 (7.2; AV:L/AC:L/Au:N/C:C/I:C/A:C): arch/x86/entry/entry_64.S
   in the Linux kernel before 4.1.6 on the x86_64 platform mishandles IRET
   faults in processing NMIs that occurred during userspace execution, which
   might allow local users to gain privileges by triggering an NMI.
 * CVE-2016-1583 (7.2; AV:L/AC:L/Au:N/C:C/I:C/A:C): The ecryptfs_privileged_open
   function in fs/ecryptfs/kthread.c in the Linux kernel before 4.6.3 allows
   local users to gain privileges or cause a denial of service (stack memory
   consumption) via vectors involving crafted mmap calls for /proc pathnames,
   leading to recursive pagefault handling.
 * CVE-2016-4565 (7.2; AV:L/AC:L/Au:N/C:C/I:C/A:C): The InfiniBand (aka IB)
   stack in the Linux kernel before 4.5.3 incorrectly relies on the write
   system call, which allows local users to cause a denial of service (kernel
   memory write operation) or possibly have unspecified other impact via a
   uAPI interface.
 * CVE-2016-5829 (7.2; AV:L/AC:L/Au:N/C:C/I:C/A:C): Multiple heap-based buffer
   overflows in the hiddev_ioctl_usage function in drivers/hid/usbhid/hiddev.c
   in the Linux kernel through 4.6.3 allow local users to cause a denial of
   service or possibly have unspecified other impact via a crafted (1)
   HIDIOCGUSAGES or (2) HIDIOCSUSAGES ioctl call.
 * CVE-2015-2925 (6.9; AV:L/AC:M/Au:N/C:C/I:C/A:C): The prepend_path function
   in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle
   rename actions inside a bind mount, which allows local users to bypass an
   intended container protection mechanism by renaming a directory, related to
   a "double-chroot attack."
 * CVE-2015-7547 (6.8; AV:N/AC:M/Au:N/C:P/I:P/A:P): Multiple stack-based buffer
   overflows in the (1) send_dg and (2) send_vc functions in the libresolv
   library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote
   attackers to cause a denial of service (crash) or possibly execute arbitrary
   code via a crafted DNS response that triggers a call to the getaddrinfo
   function with the AF_UNSPEC or AF_INET6 address family, related to
   performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
 * CVE-2016-1833 (6.8; AV:N/AC:M/Au:N/C:P/I:P/A:P): The htmlCurrentChar
   function in libxml2 before 2.9.4, as used in Apple iOS before 9.3.2, OS X
   before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1, allows remote
   attackers to cause a denial of service (heap-based buffer over-read) via a
   crafted XML document.
 * CVE-2016-1834 (6.8; AV:N/AC:M/Au:N/C:P/I:P/A:P): Heap-based buffer overflow
   in the xmlStrncat function in libxml2 before 2.9.4, as used in Apple iOS
   before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before
   2.2.1, allows remote attackers to execute arbitrary code or cause a denial
   of service (memory corruption) via a crafted XML document.
 * CVE-2015-5288 (6.4; AV:N/AC:L/Au:N/C:P/I:N/A:P): The crypt function in
   contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x
   before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers
   to cause a denial of service (server crash) or read arbitrary server memory
   via a "too-short" salt.
 * CVE-2016-5387 (5.1; AV:N/AC:H/Au:N/C:P/I:P/A:P): The Apache HTTP Server
   through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not
   protect applications from the presence of untrusted client data in the
   HTTP_PROXY environment variable, which might allow remote attackers to
   redirect an application's outbound HTTP traffic to an arbitrary proxy server
   via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE:
   the vendor states "This mitigation has been assigned the identifier
   CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
 * CVE-2016-0773 (5.0; AV:N/AC:L/Au:N/C:N/I:N/A:P): PostgreSQL before 9.1.20,
   9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x
   before 9.5.1 allows remote attackers to cause a denial of service (infinite
   loop or buffer overflow and crash) via a large Unicode character range in a
   regular expression.


Please refer to JSA10759 for a list of OpenSSL vulnerabilities resolved.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities
on NSM Appliances.

Solution:


All these issues are resolved in NSM Appliance Upgrade Package v3 based on
CentOS 6 (released January 11, 2017).

The OpenSSH upgrade issue is being tracked as PR 1181267 and is visible on the
Customer Support website.

Workaround:

Use access lists or firewall filters to limit access to the NSM Appliance only
from trusted hosts.
Implementation:


NSM Maintenance Releases are available at
http://www.juniper.net/support/downloads/?p=nsm#sw.

Modification History:

2017-01-11: Initial release.
2017-01-17: Solution is now available for download; updated the list of
important third-party software upgraded, and the related CVEs.

CVSS Score:

7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Severity Level:

High

Severity Assessment:

Considering the highest score of 7.8 from CVE-2016-5195.
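The workaround above (limit access to trusted hosts) and the severity assessment (take the highest base score) both follow from the CVSS vectors in the CVE list. The following Python, added here as an illustration and not part of Juniper's advisory, parses both the CVSS v3.0 and v2 vector formats that appear in the list, reports the highest-scoring entry, and separates the entries whose attack vector is network-reachable (where an access list reduces exposure) from the local-only entries (kernel and sshd monitor issues) that an access list does not address for anyone who already has a login on the appliance. The CVE ids, scores and vectors are copied from the advisory; the triage categories and function names are this example's own.

```python
"""Triage the JSA10774 CVE list by CVSS attack vector.

Constructed example: CVE ids, scores and vectors are copied from the
advisory text; the triage logic is not Juniper's.
"""
from dataclasses import dataclass

# (CVE id, base score, vector string) exactly as listed in the advisory.
ADVISORY_ENTRIES = [
    ("CVE-2015-5600", 6.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"),
    ("CVE-2015-6564", 7.0, "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2016-3115", 6.4, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"),
    ("CVE-2015-5352", 3.7, "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"),
    ("CVE-2015-6563", 2.5, "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"),
    ("CVE-2016-5195", 7.8, "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-2015-5157", 7.2, "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2016-1583", 7.2, "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2016-4565", 7.2, "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2016-5829", 7.2, "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    ("CVE-2015-2925", 6.9, "AV:L/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2015-7547", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-2016-1833", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-2016-1834", 6.8, "AV:N/AC:M/Au:N/C:P/I:P/A:P"),
    ("CVE-2015-5288", 6.4, "AV:N/AC:L/Au:N/C:P/I:N/A:P"),
    ("CVE-2016-5387", 5.1, "AV:N/AC:H/Au:N/C:P/I:P/A:P"),
    ("CVE-2016-0773", 5.0, "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
]


@dataclass(frozen=True)
class Vector:
    version: str          # "3.0" for CVSS v3 vectors, "2.0" for bare v2 vectors
    attack_vector: str    # AV metric: N (network), A (adjacent), L (local), P (physical)
    unauthenticated: bool  # v3: PR:N, v2: Au:N


def parse_vector(vec: str) -> Vector:
    """Parse a CVSS v2 ("AV:N/AC:M/...") or v3 ("CVSS:3.0/AV:N/...") vector."""
    parts = vec.split("/")
    version = "2.0"
    if parts[0].startswith("CVSS:"):
        version = parts[0].split(":", 1)[1]
        parts = parts[1:]
    metrics = dict(p.split(":", 1) for p in parts)
    if "AV" not in metrics:
        raise ValueError(f"no AV metric in {vec!r}")
    if version.startswith("3"):
        unauth = metrics.get("PR") == "N"
    else:
        unauth = metrics.get("Au") == "N"
    return Vector(version, metrics["AV"], unauth)


def highest(entries):
    """(CVE id, score) of the entry that drives the advisory's overall score."""
    cve, score, _ = max(entries, key=lambda e: e[1])
    return cve, score


def triage(entries):
    """Split entries into those reachable over the network or adjacent link
    (exposure reduced by a trusted-host access list) and local-only ones."""
    reduced, remaining = [], []
    for cve, score, vec in entries:
        v = parse_vector(vec)
        bucket = reduced if v.attack_vector in ("N", "A") else remaining
        bucket.append((cve, score, v))
    return reduced, remaining


def unauthenticated_remote(entries):
    """CVE ids reachable from the network without prior authentication: the
    ones a network-exposed appliance is most urgent to patch or filter."""
    return [cve for cve, _, vec in entries
            if (v := parse_vector(vec)).attack_vector == "N" and v.unauthenticated]


if __name__ == "__main__":
    cve, score = highest(ADVISORY_ENTRIES)
    print(f"highest base score: {score} ({cve})")
    reduced, remaining = triage(ADVISORY_ENTRIES)
    print(f"{len(reduced)} network-reachable entries, {len(remaining)} local-only")
    print("unauthenticated remote:", ", ".join(unauthenticated_remote(ADVISORY_ENTRIES)))
    print("still relevant after the access-list workaround:",
          ", ".join(c for c, _, _ in remaining))
```

Reading the output the way the advisory does: the overall 7.8 comes from the local Dirty COW entry, which the access-list workaround does not mitigate, so the workaround is an interim measure for the eight unauthenticated network-reachable issues, and the v3 upgrade package remains the actual fix for all seventeen.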
Acknowledgements:

 

Related Links

 * KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
   Publication Process
 * KB16765: In which releases are vulnerabilities fixed?
 * KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
   Advisories
 * Report a Security Vulnerability - How to Contact the Juniper Networks
   Security Incident Response Team

Affected Products:
 * NSMXpress
 * NSM
 * NSM3000
 * SIRT Advisory
