Juniper this week issued security advisories that lay out details on more than 230 vulnerabilities, about 200 of which security pros say impact third-party components.
The networking vendor patched roughly two dozen of the vulnerabilities, all of which could potentially be leveraged for distributed denial of service (DDoS) attacks.
That’s part of the reason the Cybersecurity and Infrastructure Security Agency (CISA) posted a notice on these patches with a link to the Juniper site. Only three of the vulnerabilities were rated critical — and there’s no indication that any were exploited in the wild.
Juniper’s recently disclosed list security advisories cover 28 individual CVEs and four advisories that encompass an additional 203 CVEs, explained Tim Silverline, vice president of security at Gluware. Silverline said the average CVSS score of the disclosed vulnerabilities is about 7.0.
Silverline said a large majority of the disclosures are related to DDoS impact vulnerabilities, which means that an adversary could disrupt service by locking up a device or forcing a reboot.
“None of them appear to be remote code execution (RCE) vulnerabilities, which limits the potential impact although some of the vulnerabilities appear to allow arbitrary files to be written to systems which could potentially later be used to coordinate RCE attack by chaining together multiple exploits,” said Silverline.
Silverline added that as with any vulnerability disclosure, customers should look to upgrade all impacted systems, but in this case concentrate on addressing the three biggest multiple vulnerability disclosures: upgrade Contrail Cloud to release 13.7.0, Junos Space to release 22.3R1, and Contrail Service Orchestration to release 6.3.0 as Silverline said these three moves will mitigate 201 of the disclosed vulnerabilities and all of the ones that allow for arbitrary files to be written.
John Steven, chief technology officer at ThreatModeler, said security pros can expect to see more of this behavior out of vendors, particularly since recent regulatory pressure has built around software bill of materials and third-party risk. Steven said if a solid percentage of their code base is OSS, it’s not surprising that this is where most of the defects will be found — once they overturn those stones.
“What’s interesting here is how regulation may shift the open-source security posture and how it’s achieved,” Steven said. ”Will mature security vendors with solid secure software/product development lifecycles need to play a bigger part in maintaining key OSS frameworks for the sake of their own products’ posture? It’s certainly the case that not all OSS maintainers have the bandwidth nor the expertise to handle the coming stampede of remediation requests. The question is: will help be offered and welcomed?”
Andrew Barratt, vice president at Coafire, added that while there’s a lot of volume in terms of the number of advisories, it could indicate a really mature process, particularly when considering the depth of third-party components that have been evaluated.
Barratt said the infosec community tends to come down hard when security vendors announce a catalogue of issues, but collectively it needs to start applauding them for taking the process seriously.
“There are countless instances of vendors having poor responses to security issues,” Barratt said. “Juniper appears to have really put some resources into this process. This is a good example that large enterprises should take forward when they look at their line-of-business application landscape. All the tools they build to create value — probably have large swathes of third-party issues that would be uncovered by a good application security program.”