Juniper Vulnerabilities Missed by a Number of Popular Scanners
Marina Kidron Jan 18, 2019
Vulnerabilities detailed in Juniper’s latest bulletin weren’t picked up quickly enough by some major scanners and the NVD.
Here’s What Happened When Juniper Published its Bulletin
On January 9, Juniper published its scheduled security bulletin which detailed 18 fixes that mostly related to JunOS, the popular enterprise-grade operating system used for Juniper’s routing, switching and security devices. These bulletins might as well have been printed on a red flag. When there are a large number of vulnerabilities present in a system like JunOS, even if there is no indication of an attack exploiting these vulnerabilities just yet, the potential risk is high. This is because devices running this vulnerable OS sit at the heart of the organization’s network traffic.
The timespan between vulnerabilities being published and then potentially turning into exploits is short. It can happen within a matter of hours, as we saw with WebLogic server vulnerabilities during 2018, which means that rapid remediation should be a clear and urgent priority. In this blog, I’m going to offer advice about how to spot these critical vulnerabilities and explain how Skybox helps you to reach timely fixes.
A Lot of Scanners Missed the Juniper Vulnerabilities
Here’s the bad news if you rely heavily on scanners: it’s likely that Juniper routers and switches are out of your security scanner’s scope. And on the off-chance that they’re not, it’s probable that your scanner will not notice those vulnerable devices for days, or even weeks. As a case in point, and without singling out any particular organization, at the time of writing this blog (a full week after Juniper published its bulletin) the vulnerabilities are still not registered on some of the leading scanners.
If you have no idea that a vulnerability exists, it should go without saying that you can’t do anything to remediate it, which is alarming. When you’re dealing with matters relating to cybersecurity, living in ignorance doesn’t equate to living in bliss.
A large part of Skybox’s power lies in its ability to give enterprises full visibility of all vulnerabilities across even the most fragmented and complicated environments. More than that, it contextualizes all threats. Skybox can see Juniper’s vulnerabilities and can communicate the fact that they need to be remediated quickly.
This context, and top-level understanding, is critically important. If a scanner does have Juniper’s vulnerabilities in its list, it’s wholly possible that a customer won’t be aware of them immediately. They’ll only see them when they scan every single Juniper device in their organization, which might not happen for a few weeks. When you need to act within a matter of hours, waiting even a day is entirely too long.
You Can’t Rely on the NVD
There were 19 advisories published in total which resolved 78 CVEs. Many of these CVEs had arisen from the third-party applications and infrastructure used by Juniper. The applications on this list include OpenSSL, libxml and others. The number of CVEs reported in this instance is not insignificant, but the truth is that many of the CVEs were not registered on the NVD nearly as quickly as they should have been — while NVD is an undeniably useful resource, it’s not the best way to stay on the bleeding edge of news being published about network device vulnerabilities.
That the NVD often operates with a bit of a lag is one of two reasons why you can’t completely rely on it. We can see that there was a delay when we look at the case of CVE-2019-0013. The NVD’s initial analysis was made within a week. Even then, it included neither the CVSS score nor the CPE of the affected product. The screenshot below shows what we saw when we searched for the CVE ID in the database. Before that, the CVE was simply reserved, with no indication that JunOS was the vulnerable product.
Our view of CVE-2019-0013 in the NVD
The second reason is that the NVD relies on affected-product modeling. It publishes each CVE only once, against the original product. If the vulnerable component is a popular library like OpenSSL, it will be listed as the only affected product. Their product list also isn’t updated as often as it should be, and some of the updates lack the required level of detail.
As a case in point, OpenSSL was affected by CVE-2018-0732. Consequently, many of the products that integrate its popular open-source implementation of the SSL and TLS protocols were also affected. But the NVD failed to list all affected products, which presents some fairly evident issues.
If the NVD is your cybersecurity bible, please take heed. You won’t always get the full picture. Even when you do, it’s possible that you’ll be getting the information that you need to secure your environment far too late. You need a tool that is quicker than the NVD.
What Can Skybox Customers Do to Protect Themselves?
Skybox sees vulnerabilities like those published by Juniper before the NVD does. This is because we follow the vendors which have direct connections with our customers — we get immediate notice of any new vulnerabilities and then share them in the Skybox Vulnerability Dictionary.
Because Skybox is usually connected to the network devices needed for various SPM functionalities, we have the ability to detect vulnerabilities when they are published. This is the case for JunOS: we connected to the operating system, ran the show version command and created vulnerabilities according to the version and the configuration of the actual network device in place.
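The version-based check described above can be sketched as follows. This is an added example, not Skybox's code: the show version sample, the "JSA-EXAMPLE" identifier and its fixed releases are constructed placeholders, and the rule for reading a list of fixed releases (patched service branch, or later than the newest fixed R release) is an assumption about how such lists are normally interpreted.

```python
import re

# Constructed sample of `show version` output; not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: edge-rtr-01
Model: mx240
Junos: 15.1R5-S2.4
"""

# Constructed advisory data. "JSA-EXAMPLE" and the releases are placeholders,
# not values from Juniper's January 2019 bulletin.
ADVISORY_FIXES = {"JSA-EXAMPLE": ["15.1R4-S9", "15.1R7", "17.4R1-S5", "17.4R2"]}

_REL = re.compile(r"(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_release(text):
    """Return (train, R number, S number) for a standard release, else None."""
    m = _REL.match(text.strip())
    if not m:
        return None  # X-train and other release types need their own rules
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def running_release(show_version):
    """Extract the release string from the 'Junos:' line of show version."""
    m = re.search(r"^Junos:\s*(\S+)", show_version, re.MULTILINE)
    return m.group(1) if m else None


def status(release, fixed_list):
    """Classify a release as 'fixed', 'vulnerable', 'not-listed' or 'unknown'."""
    dev = parse_release(release or "")
    if dev is None:
        return "unknown"
    train, r, s = dev
    fixes = [f for f in map(parse_release, fixed_list) if f and f[0] == train]
    if not fixes:
        return "not-listed"  # this train does not appear in the advisory
    # Fixed if on a patched service branch, or past the newest fixed R release.
    if any(fr == r and s >= fs for _, fr, fs in fixes):
        return "fixed"
    return "fixed" if r > max(fr for _, fr, _ in fixes) else "vulnerable"


def assess(show_version, advisories=ADVISORY_FIXES):
    """Map each advisory id to the status of the device's running release."""
    rel = running_release(show_version)
    return {jsa: status(rel, fixes) for jsa, fixes in advisories.items()}
```

The sample device runs 15.1R5-S2, which sorts after 15.1R4-S9 but sits on a service branch that never received the fix, so a plain "greater than the first fixed release" comparison would wrongly clear it.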
We have an SLA in place to publish all vulnerabilities which affect enterprise-grade products within 24 hours. These JunOS vulnerabilities were available for our customers on time, allowing customers to apply their patching cycle.
A view of Skybox’s prioritization center, where users get a context-rich view of their top exposed vulnerabilities
The Skybox Vulnerability Center also lists many products that embed popular libraries affected by a vulnerability. In the case of CVE-2018-0732, where OpenSSL was affected, you can see that we also list multiple enterprise-grade products using the library that were also impacted, including IBM AIX, Oracle VirtualBox and Tuxedo, Tenable Nessus, Palo Alto PAN-OS and now Juniper JunOS. We update this list as more enterprise-grade vendors publish a patch, helping to bring a resolution to CVE-2018-0732.