Juniper fixes 30+ vulnerabilities in its routing, switching devices

Juniper Networks has issued fixes for over thirty vulnerabilities affecting its routing, switching and security products running Junos OS.

Juniper vulnerabilities

Critical issues fixed

CVE-2018-0044 is an insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices, which may allow remote unauthenticated access if any of the passwords on the system are empty.

If users can’t update to version 18.1R4 (and later), which set the PermitEmptyPasswords option to no by default, they can either make sure that all the accounts are configured with a password or change the aforementioned option to no.

Juniper has also fixed six CVE-numbered vulnerabilities in ntpd (NTP daemon), most of which can cause a DoS condition.

CVE-2018-7183 is the most critical of the batch – a buffer overflow that could allow remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. To plug these holes, users can update the OS or implement an array of security best practices that can protect against any remote malicious attacks against NTP (they should do the latter anyway).

High risk vulnerabilities

Of the high risk issues fixed, some deserve to be singled out.

CVE-2018-0049 can lead to a Junos OS kernel to crash and, therefore, Denial of Service, if the device receives a specifically crafted malicious MPLS packet on an interface configured to receive this type of traffic. Continued receipt of such a packet will cause a sustained Denial of Service condition.

“Juniper SIRT is aware of possible malicious network probing which may have triggered this issue, but not aware of any malicious exploitation of this vulnerability,” the company noted.

CVE-2018-0047 is a XSS vulnerability in the UI framework used by Junos Space Security Director that may allow authenticated users to inject persistent and malicious scripts.

CVE-2018-0052 allows unauthenticated remote root access to a vulnerable device only if the RSH service is enabled and the PAM authentication disabled.

“RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listing to RSH connections on port 514,” the company explained. The fixed version of the software removes the undocumented CLI option.