First published: Wed Oct 14 2015
Background

For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to the source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port-specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior, as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY.

Issue

The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated with the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load balancer, and SRX inactivity-timeout values, the server/load balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration. Note that the ftps-extensions option is not enabled by default.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Juniper JUNOS | =12.1x44 | |
Juniper JUNOS | =12.1x44-d10 | |
Juniper JUNOS | =12.1x44-d15 | |
Juniper JUNOS | =12.1x44-d20 | |
Juniper JUNOS | =12.1x44-d25 | |
Juniper JUNOS | =12.1x44-d30 | |
Juniper JUNOS | =12.1x44-d35 | |
Juniper JUNOS | =12.1x44-d40 | |
Juniper JUNOS | =12.1x44-d45 | |
Juniper JUNOS | =12.1x44-d50 | |
Juniper JUNOS | =12.1x46 | |
Juniper JUNOS | =12.1x46-d10 | |
Juniper JUNOS | =12.1x46-d15 | |
Juniper JUNOS | =12.1x46-d20 | |
Juniper JUNOS | =12.1x46-d25 | |
Juniper JUNOS | =12.1x46-d30 | |
Juniper JUNOS | =12.1x46-d35 | |
Juniper JUNOS | =12.1x47 | |
Juniper JUNOS | =12.1x47-d10 | |
Juniper JUNOS | =12.1x47-d15 | |
Juniper JUNOS | =12.1x47-d20 | |
Juniper JUNOS | =12.3x48 | |
Juniper JUNOS | =12.3x48-d10 | |
Juniper JUNOS | =12.3x48-d15 | |
Juniper JUNOS | =15.1x49 | |
Juniper Srx100 | ||
Juniper Srx110 | ||
Juniper Srx1400 | ||
Juniper Srx1500 | ||
Juniper Srx210 | ||
Juniper Srx220 | ||
Juniper Srx240 | ||
Juniper Srx240h2 | ||
Juniper Srx300 | ||
Juniper Srx320 | ||
Juniper Srx340 | ||
Juniper Srx3400 | ||
Juniper Srx345 | ||
Juniper Srx3600 | ||
Juniper Srx380 | ||
Juniper Srx4000 | ||
Juniper Srx4100 | ||
Juniper Srx4200 | ||
Juniper Srx4600 | ||
Juniper Srx5000 | ||
Juniper Srx5400 | ||
Juniper Srx550 | ||
Juniper Srx550 Hm | ||
Juniper Srx550m | ||
Juniper Srx5600 | ||
Juniper Srx5800 | ||
Juniper Srx650 | ||
The overall behavior of the FTP ALG with the ftps-extensions option is intended behavior and will not change. The key component of this advisory is increasing user awareness of the wide TCP data channel (gate) creation, which allows creation of any new sessions from client to server, and of the potential implications where the SRX protects the FTPS server and the server/load balancer allows the control channel to remain open for an extended period.

Investigation into the issue identified two issues applicable to environments where the SRX protects both FTPS clients and servers, and uses FTP and FTPS over the same TCP ports to different servers.

1. Due to recent changes in OpenSSL, the FTP ALG without the ftps-extensions option may block FTPS commands over the FTP control channel. This is client and server specific, and was observed with FTPS clients that use recent versions of OpenSSL. This may result in security administrators enabling the ftps-extensions option with the intent of allowing the commands to pass, but inadvertently allowing wide gate creation. This was observed in a configuration with simultaneous FTPS client/server use, with the same ports used for FTP and FTPS traffic.

2. The ftps-extensions option is not supported when the SRX performs destination NAT of the FTPS server, as the ALG cannot inspect the control channel to modify the server's IP address signaled to the client. In an environment of simultaneous FTP and FTPS server use with the ftps-extensions option enabled, the gate is created but is generally unusable by the FTPS client. However, an FTPS client with knowledge of the server's real IP address, its NAT'd IP address, and routing reachability to the server's real IP address may be able to use the wide gate to reach the FTPS server.

The software releases listed below resolve these issues as follows:

- The FTP ALG without the ftps-extensions option will allow FTPS-related commands to pass over the FTP control channel. As the ftps-extensions option is not enabled, the wide TCP data channel is not created.
- If the FTPS server is NAT'd by the SRX (destination or static NAT), the wide TCP data channel is not created.

The following software releases have been updated to resolve these specific issues: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D15, 15.1X49-D10, and all subsequent releases.
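The gate behaviour described in the Background and Issue sections above, together with the two resolutions just listed, as an added worked example in Python (illustrative code written for this page, not Juniper's ALG implementation): `build_gate` models which gate the ALG opens for each combination of encrypted control channel, ftps-extensions, destination NAT and fixed release, assuming passive-mode FTP where the server signals the data port; `wide_gate_suspects` is a defender-side audit over session records that flags client-to-server sessions a wide gate would have admitted while the control channel was open. The IP addresses, port numbers, passive data range and session records are all constructed.

```python
# Added example (not Juniper code): a model of the SRX FTP ALG gate semantics
# described in this advisory, plus an audit that flags sessions which could only
# have been admitted through a wide ftps-extensions gate. Passive-mode FTP,
# the sample addresses, ports and session records are all assumptions.
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Gate:
    """A related-session pinhole from client to server.

    server_port is None for the wide gate the ALG opens when ftps-extensions
    is enabled: every destination TCP port on the server is reachable.
    """
    client_ip: str
    server_ip: str
    server_port: Optional[int]

    @property
    def is_wide(self) -> bool:
        return self.server_port is None

    def admits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if (src_ip, dst_ip) != (self.client_ip, self.server_ip):
            return False
        return self.is_wide or dst_port == self.server_port


def build_gate(client_ip: str, server_ip: str, *, control_encrypted: bool,
               ftps_extensions: bool, server_natted: bool = False,
               fixed_release: bool = False,
               signaled_port: Optional[int] = None) -> Optional[Gate]:
    """Return the data-channel gate the ALG would open, or None for no gate."""
    if not control_encrypted:
        # Plain FTP: the ALG reads the port from the PASV reply on the control
        # channel and opens a gate for exactly that port.
        if signaled_port is None:
            raise ValueError("plain FTP needs the port parsed from the PASV reply")
        return Gate(client_ip, server_ip, signaled_port)
    if not ftps_extensions:
        # Encrypted control channel, option off: nothing is parsed, no gate.
        return None
    if fixed_release and server_natted:
        # Fixed releases listed in the advisory do not create the wide gate when
        # the FTPS server is destination- or static-NAT'd by the SRX.
        return None
    # Option on: the ALG cannot see the signaled port, so the gate is wide.
    return Gate(client_ip, server_ip, None)


@dataclass(frozen=True)
class Session:
    """One flow as a SIEM might record it (constructed, simplified)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    start: int  # seconds since some epoch
    end: int    # seconds; a still-open session gets a large end value


def wide_gate_suspects(sessions: Iterable[Session], control_port: int = 21,
                       data_ports: Iterable[int] = range(60000, 60101)
                       ) -> List[Tuple[str, str, int, int]]:
    """Flag client->server sessions that began while that pair's control
    session was open, on a port that is neither the control port nor the
    server's configured passive data range. With ftps-extensions enabled,
    those are exactly the sessions the wide gate admits without a policy."""
    sessions = list(sessions)
    controls = [s for s in sessions if s.dst_port == control_port]
    flagged = []
    for s in sessions:
        if s.dst_port == control_port or s.dst_port in data_ports:
            continue
        for c in controls:
            same_pair = (c.src_ip, c.dst_ip) == (s.src_ip, s.dst_ip)
            if same_pair and c.start <= s.start <= c.end:
                flagged.append((s.src_ip, s.dst_ip, s.dst_port, s.start))
                break
    return flagged


# Constructed records: one FTPS client whose control channel a load balancer
# keeps open for an hour, plus the sessions seen from it in that window.
SAMPLE_SESSIONS = [
    Session("10.1.1.5", "192.0.2.10", 21, 0, 3600),      # FTPS control channel
    Session("10.1.1.5", "192.0.2.10", 60010, 100, 130),  # passive data port: expected
    Session("10.1.1.5", "192.0.2.10", 22, 120, 900),     # admitted by the wide gate
    Session("10.1.1.5", "192.0.2.10", 3306, 900, 950),   # admitted by the wide gate
    Session("10.1.1.6", "192.0.2.10", 22, 200, 300),     # no control session: not gate-related
    Session("10.1.1.5", "192.0.2.10", 22, 4000, 4100),   # control closed, gate gone
]

if __name__ == "__main__":
    for hit in wide_gate_suspects(SAMPLE_SESSIONS):
        print("wide-gate suspect:", hit)
```

Running the file prints the two sessions to ports 22 and 3306 that started inside the control channel's lifetime; the session to the passive data range, the session from the other client, and the session after the control channel closed are all left alone. On the device, the knob is `ftps-extensions` under `[edit security alg ftp]`, and `show configuration security alg ftp` shows whether it is set; the audit above is the log-side check for whether the wide gate is actually being used against a server the SRX protects.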
The vulnerability ID is CVE-2015-5361.
The severity of CVE-2015-5361 is medium (6.5).
Juniper JUNOS 12.1x44, 12.1x46, 12.1x47, 12.3x48, and 15.1x49 are affected by CVE-2015-5361.
CVE-2015-5361 concerns the SRX FTP ALG with the ftps-extensions option enabled: because the encrypted FTPS control channel cannot be inspected, the ALG opens a wide TCP data channel (gate) from the client IP to the server IP on all destination TCP ports, which gives an FTPS client temporary access to every TCP port on an FTPS server protected by the SRX for as long as the control channel stays open.
Juniper SRX100 is listed in the affected-platform table above; as with the other SRX platforms, exposure requires an affected Junos OS release with the ftps-extensions option enabled (it is disabled by default).