Network time protocol bugs sting Juniper's operating system | 10/11/2018 | Staff
Posted by just-me (Level 3)

It's time for Juniper Networks' semi-regular bugfest, with 22 fixes announced today, two of which carry a “critical” rating and should be applied immediately.

The company's NFX Series CPE, which supports software-defined networking, had an insecure default setting in the Juniper Device Manager when running Junos OS version 18.1: CVE-2018-0044 allowed SSH access with an empty password.


If you can't upgrade to version 18.1R4 or 18.2R1 or later, double-check that all accounts have strong passwords.

The other critical-rated announcement was for the Network Time Protocol daemon in all versions of Junos OS. It covers six CVE (Common Vulnerabilities and Exposures) numbers, most of which relate to denial-of-service conditions.


The list, however, included one remote code execution bug, CVE-2018-7183, in an array handler. An attacker can exploit a buffer overflow in the decodearr function “by leveraging an ntpq query and sending a response with a crafted array”.

Most of the remaining bugs have a “high” severity rating. The Register's favourite was probably this one: product developers created an undocumented CLI command that can switch on the RSH (remote shell) service and disable the pluggable authentication module (PAM).


Someone who knew...