CISA pulls the fire alarm on Juniper Networks bugs

Juniper Networks has patched critical-rated bugs across its Junos Space, Contrail Networking and NorthStar Controller products that are serious enough to prompt CISA to weigh in and advise admins to update the software as soon as possible.

"CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates," according to the Feds' warning this week.

Key thing here is review: some of these flaws can be exploited to bring down equipment, or allow a rogue non-admin insider to take over a box. Some may not be directly exploitable but present in software within Juniper's products. So, review the risk, and update accordingly.

We'll start with the security holes in Junos Space, the vendor's network management software, which Juniper collectively rated "critical." This is because, unlike the critical flaws detailed in three other security bulletins published this week, we don't know if these particular bugs are already being exploited.

All of the other products' critical security updates note that Juniper is not aware of any malicious exploitation — but that notice is conspicuously absent from the Junos Space flaws and the vendor didn't respond to The Register's inquiries about in-the-wild exploits.

According to the bulletin, which collectively rated 31 Junos Space bugs as critical, the vulns affect several third-party products including nginx resolver, Oracle Java SE, OpenSSH, Samba, the RPM package manager, Kerberos, OpenSSL, the Linux kernel, curl, and MySQL Server.

One of these, tracked as CVE-2021-23017 in nginx resolver, received a CVSS severity score of 9.4 out of 10, and if exploited could allow an attacker to crash the entire system. It "might allow an attacker who is able to forge UDP packets from the DNS server to cause one-byte memory overwrite, resulting in worker process crash or potential other impact," Juniper warned.

The networking and security company also issued an alert about critical vulnerabilities in Junos Space Security Director Policy Enforcer — this piece provides centralized threat management and monitoring for software-defined networks — but noted that it's not aware of any malicious exploitation of these critical bugs.

While the vendor didn't provide details about the Policy Enforcer bugs, they received a 9.8 CVSS score, and there are "multiple" vulnerabilities in this product, according to the security bulletin. The flaws affect all versions of Junos Space Policy Enforcer prior to 22.1R1, and Juniper said it has fixed the issues.

The next group of critical vulnerabilities exist in third-party software used in the Contrail Networking product. In this security bulletin, Juniper issued updates to address more than 100 CVEs that go back to 2013.

Upgrading to release 21.4.0 fixes the Open Container Initiative-compliant Red Hat Universal Base Image container image from Red Hat Enterprise Linux 7 to Red Hat Enterprise Linux 8, the vendor explained in the alert.

• Homeland Security warns: Expect Log4j risks for 'a decade or longer'
• Microsoft's July Patch Tuesday fixes actively exploited bug
• X.org servers update closes 2 security holes, adds neat component tweaks
• Google updates Chrome to squash actively exploited WebRTC Zero Day

And in its fourth critical security bulletin issued this week, Juniper fixed a remote code execution bug, tracked as CVE-2021-23017, that affects its NorthStar Controller product and received a 9.4 CVSS score.

The vendor described it as an "off-by-one error vulnerability." It's in the nginx resolver, used in Juniper's NorthStar Controller product, and if exploited could allow an unauthenticated, remote attacker that can forge UDP packets from the DNS server to again cause a one-byte memory overwrite. This, according to the company, could result in crashing the process or arbitrary code execution. 

Upgrading nginx from 1.18.0 to 1.20.1 fixed this issue.

In addition to the four critical security updates, Juniper also this week issued 24 that it deemed "high severity" for products including Junos OS, Secure Analytics, Identity Management Service, Paragon Active Assurance and Contrail Networking product lines. The Junos OS bug, for instance, can be abused by a logged-in low-level user to gain total control of the system, we note (CVE-2022-22221). ®