
July 21, 2021

Juniper Networks addressed vulnerabilities in multiple products


On 14 July 2021, Juniper Networks (JN) published Security Advisories to address vulnerabilities in multiple products. The most critical of these flaws impact third-party software used in its products. Timely patching is recommended.

Details

  • JN's third-party fixes addressed a number of older vulnerabilities, including:
    • [CVE-2020-1472], a Netlogon Remote Protocol vulnerability patched in August 2020, addressed in Junos Space version 21.2R1. CVSS:3.1 score: 10.
    • [CVE-2018-11218], a Memory Corruption flaw in the cmsgpack library, fixed in Contrail Networking release 2011. CVSS:3.0 score: 9.8.
  • Notable flaws in JN products include:
    • CVE-2021-0276, a stack-based Buffer Overflow vulnerability in Juniper Networks SBR Carrier (used by telecom carriers) with EAP (Extensible Authentication Protocol) authentication configured. CVSS:3.1 score: 9.8.
    • CVE-2021-0277, an Out-of-bounds Read vulnerability in Junos OS and Junos OS Evolved on devices that have interfaces with Link Layer Discovery Protocol (LLDP) enabled. CVSS:3.1 score: 8.8.

Recommendations

  • If you are using any of the vulnerable products, timely implementation of the updates, workarounds, and mitigations from the Juniper Security Advisories is recommended.

References