Juniper admins: Grab your bug-zappers and load 22 rounds
Patch flood includes fix for hard-coded creds and access-all-areas XSS firewall flaw
Juniper Networks has released 22 patches and security notices.
To be fair on the Gin Palace, not all of them are self-inflicted: some are catch-ups on patches from open source libraries. These include patches for ISC BIND, the GD graphics library
libgd, the NTP (network time protocol) daemon, RPD (the routing protocol daemon), and the like.
If you're running Junos OS in a virtualised environment, patch against CVE-2017-2341. The VM's privileges can be escalated to host-level.
Juniper describes it as an authentication error, and it impacts vSRX and SRX firewall/gateway software, various QFX data centre switches, the ACX backhaul routers, EX 4600 Ethernet switches, and the NFX250 network services platform.
The company's ScreenOS Firewall has multiple cross-site scripting (XSS) bugs in its NetScreen Web user interface.
There's a serious security bug on SRX300 security gateways running Junos OS 15.1X49 to 15.1X49-D100.
The slip-up is in its MACsec implementation (MACsec implements encryption between Ethernet switches): if the switch can't establish the secure connection, instead of failing the connection and raising an error, it drops back to an unencrypted link.
Some SRX Series products also have hardcoded credentials in a firewall feature.
If an attacker gets their hands on the credentials, they can get full control over the device.