=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN442
_____________________________________________________________________

DATE                      : 09/11/2010

HARDWARE PLATFORM(S)      : Juniper Secure Access Series.

OPERATING SYSTEM(S)       : IVE OS versions prior to 6.5r7, 7.0r3.

======================================================================
http://www.zerodayinitiative.com/advisories/ZDI-10-231/
______________________________________________________________________

Juniper Secure Access Series meeting_testjava.cgi XSS Vulnerability
ZDI-10-231: November 7th, 2010

CVSS Score

      6.4, (AV:N/AC:L/Au:N/C:P/I:P/A:N)

Affected Vendors

      Juniper

Affected Products

      Secure Access Series

TippingPoint IPS Customer Protection

TippingPoint IPS customers are protected against this vulnerability by Digital
Vaccine protection filter ID 10605. For further product information on the
TippingPoint IPS:

      http://www.tippingpoint.com

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Juniper SA Series devices. Authentication is not
required to exploit this vulnerability.

The specific flaw exists within the meeting_testjava.cgi page which is used to
test JVM compatibility. When handling the DSID HTTP header the code allows an
attacker to inject arbitrary JavaScript into the page. This can be abused by an
attacker to perform a cross-site scripting attack on the device.
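
The following check is an added example, not part of the ZDI or CERT-Renater
advisory: it flags captured HTTP requests to meeting_testjava.cgi whose DSID
value contains anything other than letters and digits. The alphanumeric DSID
format, the placeholder URL path, the host name and the sample requests are
assumptions constructed for illustration.

```python
import re

TARGET = "meeting_testjava.cgi"          # page named in the advisory
SAFE_DSID = re.compile(r"[A-Za-z0-9]+")  # assumption: real DSID values are alphanumeric

def parse_request(raw):
    """Split a raw HTTP request into (path, [(lowercased header name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1].split("?", 1)[0] if len(parts) >= 2 else ""
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return path, headers

def dsid_values(headers):
    """Collect DSID values sent as a DSID header or as a DSID cookie."""
    found = []
    for name, value in headers:
        if name == "dsid":
            found.append(value)
        elif name == "cookie":
            for pair in value.split(";"):
                key, sep, val = pair.strip().partition("=")
                if sep and key == "DSID":
                    found.append(val)
    return found

def is_suspicious(raw):
    """True for a request to the test page with a DSID outside the allowlist."""
    path, headers = parse_request(raw)
    if not path.lower().endswith(TARGET):
        return False
    # An empty DSID also fails the allowlist and is reported.
    return any(not SAFE_DSID.fullmatch(v) for v in dsid_values(headers))

# Constructed sample requests (placeholder path and host, not from the advisory).
_URL = "GET /path-placeholder/%s HTTP/1.1\r\nHost: vpn.example.org\r\n%s\r\n\r\n"
SAMPLES = {
    "clean_cookie": _URL % (TARGET, "Cookie: DSID=0123456789abcdef0123456789abcdef"),
    "markup_header": _URL % (TARGET, "DSID: abc<marker>def"),
    "markup_cookie": _URL % (TARGET, "Cookie: lang=en; DSID=abc<marker>"),
    "other_page": _URL % ("other.cgi", "DSID: abc<marker>def"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, is_suspicious(raw))
```

The allowlist is deliberately strict, so it reports any DSID it does not
recognise on that page instead of trying to enumerate script patterns.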

Vendor Response

Juniper states:

Development has confirmed that the fix to this issue will be available in IVE
OS versions 6.5r7 and 7.0r3. Both IVE OS 6.5r7 and 7.0r3 are planned to be
available to customers in early November 2010.

Customers can sign up for proactive alerts of IVE OS software releases by
visiting the Juniper Networks Support Center and selecting "Subscribe to Email
Alerts" under Technical Bulletins.

Disclosure Timeline

      2010-10-15 - Vulnerability reported to vendor
      2010-11-07 - Coordinated public release of advisory

Credit

This vulnerability was discovered by:

      Davy Douhine

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================



