- Out-of-Cycle Juniper Security Advisory Released
- Cisco Releases Security Updates for Multiple Products
- OpenSSL Releases Security Update
- Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
- VMware Releases Security Updates
_______________________________
Out-of-Cycle Juniper Security Advisory Released
Situation:
High severity security issues resolved in OpenSSL 3.0.7 (CVE-2022-3602, CVE-2022-3786)
Problem:
Multiple buffer overrun vulnerabilities in OpenSSL 3.0 prior to OpenSSL 3.0.7 can be triggered in X.509 certificate verification, specifically in name constraint checking.
These issues affect Juniper Networks Junos OS Evolved versions later than 22.1R1-EVO.
These issues do not affect:
- Juniper Networks Junos OS Evolved versions prior to 22.1R1-EVO;
- Juniper Networks Junos OS;
- Juniper Networks Mist;
- Juniper Networks CTPOS;
- Juniper Networks CTPView;
- Juniper Networks 128T (Session Smart Router);
- Juniper Networks SBR Carrier;
- Juniper Networks Paragon Active Assurance (formerly Netrounds).
These vulnerabilities affect only OpenSSL 3.0.0 and later releases. Earlier branches, such as OpenSSL 0.9.x, 1.0.x and 1.1.x, are unaffected.
Other products and platforms are still under investigation.
Implication:
An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the '.' character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
Need:
Software updates that upgrade the bundled OpenSSL to 3.0.7 will be released for all affected products, platforms, and releases.
Until the updates are released, and because SSL is used by remote configuration and management applications such as J-Web and the SSL service for JUNOScript (XNM-SSL), viable workarounds for this issue on Junos OS Evolved include:
- Disabling J-Web
- Disabling the SSL service for JUNOScript and making configuration changes only over NETCONF, which runs over SSH
- Limiting access to J-Web and XNM-SSL to trusted networks only
Due to the nature of this vulnerability, and in addition to the recommendations above, it is good security practice to limit the exploitable attack surface of critical networking equipment: use access lists or firewall filters to restrict management access to the device to trusted administrative networks or hosts only.
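The following Junos configuration applies the workarounds above; it is an added illustration, not configuration from the Juniper bulletin. It assumes a trusted management prefix of 192.0.2.0/24 and the default service ports (22 SSH, 830 NETCONF, 443 J-Web over HTTPS, 3220 XNM-SSL); adjust both to your environment.

```junos
# Added example, not from the Juniper bulletin. Assumed: trusted management
# prefix 192.0.2.0/24; default ports 22 (SSH), 830 (NETCONF), 443 (J-Web), 3220 (XNM-SSL).

# 1. Remove the SSL-based management services that depend on the bundled OpenSSL.
delete system services web-management
delete system services xnm-ssl

# 2. Keep configuration management on NETCONF over SSH instead.
set system services netconf ssh
set system services ssh protocol-version v2

# 3. Define the only networks allowed to reach management services.
set policy-options prefix-list TRUSTED-MGMT 192.0.2.0/24

# 4. Routing-engine filter: accept management ports from trusted prefixes only,
#    log and discard any other attempt to reach them (so a J-Web or XNM-SSL
#    service that must stay enabled is still unreachable from untrusted hosts),
#    then accept remaining traffic so routing protocols keep working.
set firewall family inet filter PROTECT-RE term mgmt-trusted from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term mgmt-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-trusted from destination-port 22
set firewall family inet filter PROTECT-RE term mgmt-trusted from destination-port 830
set firewall family inet filter PROTECT-RE term mgmt-trusted from destination-port 443
set firewall family inet filter PROTECT-RE term mgmt-trusted from destination-port 3220
set firewall family inet filter PROTECT-RE term mgmt-trusted then accept
set firewall family inet filter PROTECT-RE term mgmt-untrusted from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-untrusted from destination-port 22
set firewall family inet filter PROTECT-RE term mgmt-untrusted from destination-port 830
set firewall family inet filter PROTECT-RE term mgmt-untrusted from destination-port 443
set firewall family inet filter PROTECT-RE term mgmt-untrusted from destination-port 3220
set firewall family inet filter PROTECT-RE term mgmt-untrusted then log
set firewall family inet filter PROTECT-RE term mgmt-untrusted then discard
set firewall family inet filter PROTECT-RE term default-accept then accept

# 5. Apply the filter on the loopback so it governs traffic destined to the device itself.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Commit with an automatic rollback window in case the change cuts your own management session.
commit confirmed 5
```

Confirm the change from a trusted host and run a plain `commit` before the five-minute window expires; the logged discards from the mgmt-untrusted term also give you a record of who was probing the management ports.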
Additional Resources:
2022-11 Out of Cycle Security Bulletin:
https://supportportal.juniper.net/s/article/2022-11-Out-of-Cycle-Security-Bulletin-High-severity-security-issues-resolved-in-OpenSSL-3-0-7-CVE-2022-3602-CVE-2022-3786?language=en_US
CVE-2022-3602:
https://www.cve.org/CVERecord?id=CVE-2022-3602
CVE-2022-3786:
https://www.cve.org/CVERecord?id=CVE-2022-3786
________________________________
Cisco Releases Security Updates for Multiple Products
Situation:
Cisco has released security updates for multiple products.
Problem:
Multiple current versions of Cisco products contain vulnerabilities.
Implication:
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
Need:
We encourage users and administrators to review the advisories and apply the necessary updates, per Cisco’s recommendations.
Additional Resources:
CISA Security Advisory page:
https://www.cisa.gov/uscert/ncas/current-activity/2022/11/03/cisco-releases-security-updates-multiple-products
Cisco Security Advisory page:
https://tools.cisco.com/security/center/publicationListing.x
Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-openssl-W9sdCc2a
________________________________
OpenSSL Releases Security Update
Situation:
OpenSSL has released a security advisory to address two vulnerabilities, CVE-2022-3602 and CVE-2022-3786, affecting OpenSSL versions 3.0.0 through 3.0.6.
Problem:
Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service.
Implication:
A buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.
Need:
We encourage users and administrators to review the OpenSSL advisory, blog, OpenSSL 3.0.7 announcement, and upgrade to OpenSSL 3.0.7.
Additional Resources:
CISA security advisory:
https://www.cisa.gov/uscert/ncas/current-activity/2022/11/01/openssl-releases-security-update
2022 OpenSSL vulnerability – CVE-2022-3602 GitHub repository:
https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md
Open SSL 3.0.7 Announcement:
https://mta.openssl.org/pipermail/openssl-announce/2022-November/000241.html
________________________________
Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies
Situation:
CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released Understanding and Responding to Distributed Denial-of-Service Attacks to provide organizations proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.
Problem:
The guidance is for both network defenders and leaders, to help them understand and respond to DDoS attacks.
Implication:
DDoS attacks can cost an organization time, money, and reputational damage.
Need:
Concurrently, CISA has released Capacity Enhancement Guide (CEG): Additional DDoS Guidance for Federal Agencies, which provides federal civilian executive branch (FCEB) agencies additional DDoS guidance, including recommended FCEB contract vehicles and services that provide DDoS protection and mitigations.
We encourage all network defenders and leaders to review:
- Joint guide: Understanding and Responding to Distributed Denial-of-Service Attacks
- CEG: Additional DDoS Guidance for Federal Agencies
- Tip: Understanding Denial-of-Service Attacks
Additional Resources:
Joint guide: Understanding and Responding to Distributed Denial-of-Service Attacks:
CEG: Additional DDoS Guidance for Federal Agencies:
Tip: Understanding Denial-of-Service Attacks:
https://www.cisa.gov/uscert/ncas/tips/ST04-015
Link to CISA advisory:
________________________________
VMware Releases Security Updates
Situation:
VMware has released security updates.
Problem:
The updates address multiple vulnerabilities in VMware Cloud Foundation.
Implication:
A remote attacker could exploit one of these vulnerabilities to take control of an affected system.
Need:
We encourage organizations to review VMware Security Advisory VMSA-2022-0027 and apply the necessary updates and workarounds.
Additional Resources:
CISA Bulletin: VMware Releases Security Updates:
https://www.cisa.gov/uscert/ncas/current-activity/2022/10/28/vmware-releases-security-updates
VMSA-2022-0027:
https://www.vmware.com/security/advisories/VMSA-2022-0027.html