Network time protocol bugs sting Juniper's operating system

www.theregister.co.uk | 10/11/2018 | Staff

It's time for Juniper Networks' semi-regular bugfest, with 22 fixes announced today, two of which carry a “critical” rating and should be applied immediately.

The company's software defined networking-supported NFX Series CPE, if running Junos OS version 18.1, had an insecure default setting in the Juniper Device Manager: CVE-2018-0044 allowed SSH access with an empty password.

If you can't upgrade to version 18.1R4 or 18.2R1 or later, double-check that all accounts have strong passwords.
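
A check along the lines of that advice, as an added example that is not from the article or from Juniper. It assumes a system that keeps accounts in Linux shadow(5) format and runs OpenSSH sshd, which the article does not state; the function names and sample data are constructed.

```python
# Added example: find accounts with no password and check whether sshd
# is configured to accept empty passwords. Sample data is constructed.

def empty_password_accounts(shadow_text):
    """Return account names whose shadow password field is empty."""
    names = []
    for line in shadow_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Field 2 is the hash: "" means no password, "!" or "*" means locked.
        if len(fields) >= 2 and fields[1] == "":
            names.append(fields[0])
    return names


def sshd_permits_empty_passwords(sshd_config_text):
    """sshd keeps the first value it reads for a keyword; the default is 'no'."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split()
        if parts[0].lower() == "match":
            break  # limitation: only the global section is inspected
        if parts[0].lower() == "permitemptypasswords" and len(parts) > 1:
            return parts[1].lower() == "yes"
    return False


def audit(shadow_text, sshd_config_text):
    """Return (accounts_without_password, sshd_accepts_them)."""
    accounts = empty_password_accounts(shadow_text)
    exposed = bool(accounts) and sshd_permits_empty_passwords(sshd_config_text)
    return accounts, exposed


# Constructed sample data, not taken from any Juniper device.
SAMPLE_SHADOW = """root::17800:0:99999:7:::
admin:$6$constructedsalt$constructedhash:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
"""
SAMPLE_SSHD = """PermitRootLogin yes
PermitEmptyPasswords yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    print(audit(SAMPLE_SHADOW, SAMPLE_SSHD))
```
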

The other critical-rated announcement was for the Network Time Protocol daemon in all versions of Junos OS. It covers six CVE (Common Vulnerabilities and Exposures) numbers, most of which relate to denial-of-service conditions.

The list, however, included one remote code execution bug, CVE-2018-7183, in an array handler. An attacker can exploit a buffer overflow in the decodearr function “by leveraging an ntpq query and sending a response with a crafted array”.

Most of the remaining bugs have a “high” severity rating. The Register's favourite was probably this one: product developers created an undocumented CLI command that can switch on the RSH (remote shell) service and disable the pluggable authentication module (PAM).

Someone who knew...
(Excerpt) Read more at: www.theregister.co.uk