CVE-2018-0062 – Junos OS: Denial of Service in J-Web
https://notcve.org/view.php?id=CVE-2018-0062
A Denial of Service vulnerability in J-Web service may allow a remote unauthenticated user to cause Denial of Service which may prevent other users to authenticate or to perform J-Web operations. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D60 on SRX Series; 15.1 versions prior to 15.1R7; 15.1F6; 15.1X49 versions prior to 15.1X49-D120 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D470, 15.1X53-D495 on NFX Series; 16.1 versions prior to 16.1R6; 16.2 versions prior to 16.2R2-S6, 16.2R3; 17.1 versions prior to 17.1R2-S6, 17.1R3; 17.2 versions prior to 17.2R3; 17.3 versions prior to 17.3R2. No other Juniper Networks products or platforms are affected by this issue. Una vulnerabilidad de denegación de servicio (DoS) en el servicio J-Web podría permitir que un usuario remoto no autenticado provoque una denegación de servicio (DoS), lo que evitaría que otros usuarios se autentiquen o realicen operaciones J-Web. Las versiones afectadas de Juniper Networks Junos OS son: 12.1X46 en versiones anteriores a la 12.1X46-D77 en SRX Series; 12.3 en versiones anteriores a la 12.3R12-S10; 12.3X48 en versiones anteriores a la 12.3X48-D60 en SRX Series; 15.1 en versiones anteriores a la 15.1R7; 15.1F6; 15.1X49 en versiones anteriores a la 15.1X49-D120 en SRX Series; 15.1X53 en versiones anteriores a la 15.1X53-D59 en EX2300/EX3400 Series; 15.1X53 en versiones anteriores a la 15.1X53-D67 en QFX10K Series; 15.1X53 en versiones anteriores a la 15.1X53-D234 en QFX5200/QFX5110 Series; 15.1X53 en versiones anteriores a la 15.1X53-D470, 15.1X53-D495 en NFX Series; 16.1 en versiones anteriores a la 16.1R6; 16.2 en versiones anteriores a la 16.2R2-S6, 16.2R3; 17.1 en versiones anteriores a la 17.1R2-S6, 17.1R3; 17.2 en versiones anteriores a la 17.2R3 y 17.3 en versiones anteriores a la 17.3R2. • http://www.securitytracker.com/id/1041860 https://kb.juniper.net/JSA10897 • CWE-20: Improper Input Validation •
CVE-2018-0044 – NFX Series: Insecure sshd configuration in Juniper Device Manager (JDM) and host OS
https://notcve.org/view.php?id=CVE-2018-0044
An insecure SSHD configuration in Juniper Device Manager (JDM) and host OS on Juniper NFX Series devices may allow remote unauthenticated access if any of the passwords on the system are empty. The affected SSHD configuration has the PermitEmptyPasswords option set to "yes". Affected releases are Juniper Networks Junos OS: 18.1 versions prior to 18.1R4 on NFX Series. Una configuración SSHD insegura en Juniper Device Manager (JDM) y el sistema operativo del host en dispositivos Juniper NFX Series podría permitir el acceso remoto no autenticado si cualquiera de las contraseñas en el sistema está vacía. La configuración SSHD afectada tiene la opción PermitEmptyPasswords establecida como "yes". • http://www.securityfocus.com/bid/105565 https://kb.juniper.net/JSA10878 • CWE-287: Improper Authentication •
CVE-2018-0050 – Junos OS: Receipt of a malformed MPLS RSVP packet leads to a Routing Protocols Daemon (RPD) crash.
https://notcve.org/view.php?id=CVE-2018-0050
An error handling vulnerability in Routing Protocols Daemon (RPD) of Juniper Networks Junos OS allows an attacker to cause RPD to crash. Continued receipt of this malformed MPLS RSVP packet will cause a sustained Denial of Service condition. Affected releases are Juniper Networks Junos OS: 14.1 versions prior to 14.1R8-S5, 14.1R9; 14.1X53 versions prior to 14.1X53-D48 on QFX Switching; 14.2 versions prior to 14.1X53-D130 on QFabric System; 14.2 versions prior to 14.2R4. This issue does not affect versions of Junos OS before 14.1R1. Junos OS RSVP only supports IPv4. • http://www.securityfocus.com/bid/106206 http://www.securitytracker.com/id/1041851 https://kb.juniper.net/JSA10884 • CWE-20: Improper Input Validation •
CVE-2018-0051 – Junos OS: Denial of Service vulnerability in MS-PIC, MS-MIC, MS-MPC, MS-DPC and SRX flow daemon (flowd) related to SIP ALG
https://notcve.org/view.php?id=CVE-2018-0051
A Denial of Service vulnerability in the SIP application layer gateway (ALG) component of Junos OS based platforms allows an attacker to crash MS-PIC, MS-MIC, MS-MPC, MS-DPC or SRX flow daemon (flowd) process. This issue affects Junos OS devices with NAT or stateful firewall configuration in combination with the SIP ALG enabled. SIP ALG is enabled by default on SRX Series devices except for SRX-HE devices. SRX-HE devices have SIP ALG disabled by default. The status of ALGs in SRX device can be obtained by executing the command: show security alg status Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77; 12.3X48 versions prior to 12.3X48-D70; 15.1X49 versions prior to 15.1X49-D140; 15.1 versions prior to 15.1R4-S9, 15.1R7-S1; 15.1F6; 16.1 versions prior to 16.1R4-S9, 16.1R6-S1, 16.1R7; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.3 versions prior to 17.3R1-S5, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R2. • http://www.securitytracker.com/id/1041852 https://kb.juniper.net/JSA10885 • CWE-20: Improper Input Validation •
CVE-2018-0048 – Junos OS: Memory exhaustion denial of service vulnerability in Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support.
https://notcve.org/view.php?id=CVE-2018-0048
A vulnerability in the Routing Protocols Daemon (RPD) with Juniper Extension Toolkit (JET) support can allow a network based unauthenticated attacker to cause a severe memory exhaustion condition on the device. This can have an adverse impact on the system performance and availability. This issue only affects devices with JET support running Junos OS 17.2R1 and subsequent releases. Other versions of Junos OS are unaffected by this vulnerability. Affected releases are Juniper Networks Junos OS: 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.2X75 versions prior to 17.2X75-D102, 17.2X75-D110; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R1-S5, 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3; Una vulnerabilidad en el RPD (Routing Protocols Daemon) con soporte para Juniper Extension Toolkit (JET) puede permitir que un atacante no autenticado basado en web provoque una condición severa de agotamiento de memoria en el dispositivo. • http://www.securityfocus.com/bid/105564 http://www.securitytracker.com/id/1041849 https://kb.juniper.net/JSA10882 • CWE-400: Uncontrolled Resource Consumption •