Monster patch day for Juniper customers
Nine advisories landed today
Clear the diaries, Juniper sysadmins: a van-load of patches landed today.
I suggest you join me in getting a coffee and settling in while we go through the list. The advisories cover six fixes to Junos, one for the company’s EX Series switches, BIND fixes for SRX, vSRX and J-Series units, and multiple fixes for the NorthStar controller.
Ready? Let’s go.
BIND: Junos OS on SRX, vSRX and J-Series has been upgraded to tick the boxes on five vulnerabilities.
All five CVEs (CVE-2016-2776, CVE-2016-8864, CVE-2016-9131, CVE-2016-9147 and CVE-2016-9444) offer attackers a shot at hosing the vulnerable boxes if they’re running the DNS proxy service.
IPv6 ND advertisement handling: Any Juniper M or MX router running Junos OS with DHCPv6 can have its packet forwarding engine (PFE) crashed.
Keyboard driver overflow: Yes, you read that right. To quote from the advisory: “Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.”
That ends in privilege escalation, and affects any product or platform running Junos OS.
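The bug class the advisory names, as an added example that is not taken from Juniper's advisory or the affected driver: the struct, table size and function names are hypothetical. The flawed check only reports the length a following copy would use, and the hardened handler rejects negative and oversized counts before copying.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYMAP_SLOTS 16              /* hypothetical table size */

struct keymap_req {                  /* hypothetical caller-controlled ioctl argument */
    int count;                       /* signed length field: the root of the bug */
    unsigned char keys[KEYMAP_SLOTS];
};

static unsigned char keymap[KEYMAP_SLOTS];   /* stands in for kernel memory */

/* Flawed bounds check. Returns 1 if the request would be accepted and stores
 * the length a following copy would use. No copy is performed here. */
int flawed_accepts(int count, size_t *copy_len)
{
    if (count > KEYMAP_SLOTS)        /* signed compare: -1 > 16 is false */
        return 0;
    *copy_len = (size_t)count;       /* -1 converts to SIZE_MAX */
    return 1;
}

/* Hardened handler: reject negative values before any unsigned conversion. */
int set_keymap(const struct keymap_req *req)
{
    if (req->count < 0 || (size_t)req->count > sizeof(keymap))
        return -EINVAL;
    memcpy(keymap, req->keys, (size_t)req->count);
    return 0;
}

int main(void)
{
    struct keymap_req req = { .count = -1 };   /* constructed hostile input */
    size_t len = 0;

    if (flawed_accepts(req.count, &len))
        printf("flawed check accepts count=%d, copy length %zu\n", req.count, len);
    printf("hardened handler returns %d\n", set_keymap(&req));
    return 0;
}
```

Compiling with `-Wsign-compare -Wconversion` flags mixed signed and unsigned comparisons and conversions of this kind during review.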
NorthStar Controllers: Controllers running versions older than 2.1.0 Service Pack 1 need to upgrade to protect against nine third-party bugs.
These include fixes to BIND, Qemu’s floppy disc controller and PCNET controller, Node.js’s HTTP server, Linux and Xen’s KVM subsystems, and the 2015-era “Bar Mitzvah” bug in the RC4 algorithm (which reasonable people probably assumed was dead and gone).
There’s also a long list of Juniper-specific bugs fixed in the NorthStar Controller application.
Even more denial of service: A crafted BGP update can crash Junos OS 15.1 or later on any platform.
Also, anything running unpatched Junos OS with LDP enabled can be hosed by a crafted packet.
NTP: Junos has also been hardened against a bunch of 2016-era Network Time Protocol bugs.
NDP: Finally, EX Series switches running IPv6 are vulnerable to a crafted Neighbour Discovery Packet. A memory leak means attackers can packet-flood the units, leading to “resource exhaustion and a denial of service.”
Phew. It’s probably time for another coffee now. Or perhaps some gin. ®