Wednesday, 9 January 2013

Junos: Enforcement of web-authentication policy stops after deleting client-match statement

Products Affected
This issue can affect all SRX Series service gateways with web-authentication policies configured.
Platforms Affected
  • JUNOS 12.x
  • Security
  • JUNOS 11.x
  • JUNOS 10.x
  • SIRT Security Advisory


PSN Issue:
When modifying a web-authentication policy containing a client-match statement, removing the client-match statement causes the web-authentication policy to no longer be enforced. While the control plane configuration will still display as if web-authentication is required (the web-authentication login page still responds and the policies display still reflects the configuration), the actual effective policy that is pushed into the forwarding plane functions like a normal policy without web-authentication. This can cause open access to resources that are assumed to be protected by web-authentication.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

Solution:
All Junos OS software releases built on or after 2012-07-12 have fixed this specific issue. Releases containing the fix specifically include: 10.0S27, 10.4S9, 10.4R10, 11.4R1, 12.1R1, and all subsequent releases (i.e. all releases built after 12.1R1).

Customers can confirm the build date of any Junos OS release by issuing the command 'show version detail'.

This issue is being tracked as PR 749129 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.

Workarounds
Deactivate and re-activate the affected security policy. This will assign a new policy index number and add the correct fw-auth flags in the PFE.
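The following Junos CLI session is an added example, not part of the advisory: it shows the kind of policy the issue applies to (a permit policy with web-authentication and a client-match statement), the configuration change that triggers the problem on an unfixed release, and the deactivate/re-activate workaround described above. The zone names, the policy name "webauth-policy" and the client group "contractors" are assumed; lines starting with "#" are commentary, not CLI input.

```junos
# Added example (not from the advisory). A web-authentication policy that only
# admits users in the access-profile client group "contractors".
# Zone names, policy name and group name are assumptions.
set security policies from-zone trust to-zone untrust policy webauth-policy match source-address any
set security policies from-zone trust to-zone untrust policy webauth-policy match destination-address any
set security policies from-zone trust to-zone untrust policy webauth-policy match application junos-http
set security policies from-zone trust to-zone untrust policy webauth-policy then permit firewall-authentication web-authentication client-match contractors
commit

# The change that triggers PR 749129 on an unfixed build: removing only the
# client-match statement. The control plane still shows web-authentication,
# but the PFE copy of the policy loses its fw-auth flags.
delete security policies from-zone trust to-zone untrust policy webauth-policy then permit firewall-authentication web-authentication client-match
commit

# Workaround from the advisory: deactivate and re-activate the policy so it is
# re-pushed to the forwarding plane with a new index and the correct flags.
deactivate security policies from-zone trust to-zone untrust policy webauth-policy
commit
activate security policies from-zone trust to-zone untrust policy webauth-policy
commit

# Confirm whether the running release is a fixed build (built on or after 2012-07-12).
run show version detail
```

Because the advisory states that the control plane keeps displaying the policy as if web-authentication were required, `show security policies` output is not a useful check for this fault; the only reliable confirmation is functional: from a client that has not completed the web-authentication login, verify that the protected resource is still blocked (or redirected to the login page) after the workaround has been applied.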
