Juniper admins: Grab your bug-zappers and load 22 rounds

Patch flood includes fix for hard-coded creds and access-all-areas XSS firewall flaw

Juniper Networks has released 22 patches and security notices.

To be fair on the Gin Palace, not all of them are self-inflicted: some are catch-ups on patches from open source libraries. These include patches for ISC BIND, the GD graphics library libgd, the NTP (network time protocol) daemon, RPD (the routing protocol daemon), and the like.

If you're running Junos OS in a virtualised environment, patch against CVE-2017-2341. The VM's privileges can be escalated to host-level.

Juniper describes it as an authentication error, and it impacts vSRX and SRX firewall/gateway software, various QFX data centre switches, the ACX backhaul routers, EX 4600 Ethernet switches, and the NFX250 network services platform.

The company's ScreenOS Firewall has multiple cross-site scripting (XSS) bugs in its NetScreen Web user interface.

“A user with the 'security' role can inject HTML/JavaScript content into the management session of other users including the administrator. This enables the lower-privileged user to effectively execute commands with the permissions of an administrator.”

There's a serious security bug on SRX300 security gateways running Junos OS 15.1X49 to 15.1X49-D100.

The slip-up is in its MACsec implementation (MACsec implements encryption between Ethernet switches): if the switch can't establish the secure connection, instead of failing the connection and raising an error, it drops back to an unencrypted link.

Some SRX Series products also have hardcoded credentials in a firewall feature.

If an attacker gets their hands on the credentials, they can get full control over the device.

The full list of 22 patches and bugs is here and here. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017