Junos Local Patch Checking Support Added to Nessus
Tenable has authored a collection of plugins to identify Juniper Junos devices and perform local patch checking. By providing SSH or SNMP credentials, Nessus will log into a device running Junos and check for missing patches, such as:
- Junos J-Web Weak SSL Ciphers (PSN-2011-01-147)
- Junos debug.php Unauthenticated Debug Access (PSN-2011-02-158)
- Junos 11.1R1 on EX Series Switches Causes Multiple sfid Daemon Crashes (PSN-2011-04-241)
- Junos PIM rpd DoS (PSN-2011-07-296)
- Junos ICMP Ping 'Composite Next-Hop' DoS (PSN-2011-07-297)
- Junos Fragmented ICMP Packets DoS (PSN-2011-07-298)
- Junos IPv6 Over IPv4 Security Policy Bypass (PSN-2011-07-299)
- Junos DHCP Relay Agent Traffic Redirection (PSN-2011-07-300)
You can enable these plugins by selecting the "Junos Local Security Checks" plugin family when creating policies in Nessus (or SecurityCenter) as shown below:
Plugin ID 55392, Junos Version Detection, was added to identify the operating system version of the device being scanned:
Plugin ID 55933, Unsupported Junos Operating System, was also developed to identify Junos installations using software no longer supported by Juniper Networks:
Below is an example of plugin ID 55935, Junos IPv6 over IPv4 Security Policy Bypass (PSN-2011-07-299), being triggered on a target system:
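To make the local-check workflow concrete, the following Python script is an added illustration and not one of Tenable's NASL plugins: it pulls the Junos version out of the text a device returns over SSH (`show version`) or over SNMP (`sysDescr`), then compares that version against a per-release-train table of first-fixed versions, which is the basic shape of a version-based patch check. The sample device output and the fixed-version table are constructed placeholders (the PSN numbers are the ones listed above; the fix versions are not Juniper's real fix lists). It also simplifies Junos version ordering by ignoring the R/S/X release-type letter.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Junos version strings look like 11.1R1.10: a major.minor release train, a
# release type letter (R mainline, S service, X special), a release number
# and an optional build number.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([RSX])(\d+)(?:\.(\d+))?$")
Version = Tuple[int, int, str, int, int]


def parse_version(text: str) -> Version:
    """Turn '11.1R1.10' into (11, 1, 'R', 1, 10)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, rtype, rel, build = m.groups()
    return (int(major), int(minor), rtype, int(rel), int(build or 0))


def numeric(v: Version) -> Tuple[int, int, int, int]:
    # Simplification (assumption): releases are ordered numerically and the
    # type letter is ignored; a real checker treats R/S/X trains separately.
    return (v[0], v[1], v[3], v[4])


def version_from_show_version(output: str) -> Optional[Version]:
    """Version as reported over SSH by 'show version' (looks for [x.yRz.b])."""
    for line in output.splitlines():
        m = re.search(r"\[(\d+\.\d+[RSX]\d+(?:\.\d+)?)\]", line)
        if m:
            return parse_version(m.group(1))
    return None


def version_from_sysdescr(sysdescr: str) -> Optional[Version]:
    """Version as reported over SNMP in sysDescr ('kernel JUNOS x.yRz.b')."""
    m = re.search(r"JUNOS\s+(\d+\.\d+[RSX]\d+(?:\.\d+)?)", sysdescr)
    return parse_version(m.group(1)) if m else None


@dataclass
class Advisory:
    psn: str
    title: str
    # release train (major, minor) -> first version in that train carrying the fix
    fixed: Dict[Tuple[int, int], str]
    # optional platform prefixes (e.g. 'ex') the advisory is limited to
    models: Tuple[str, ...] = ()


def is_affected(installed: Version, adv: Advisory, model: str) -> bool:
    if adv.models and not model.lower().startswith(adv.models):
        return False
    train = (installed[0], installed[1])
    if train in adv.fixed:
        return numeric(installed) < numeric(parse_version(adv.fixed[train]))
    # Train not listed: anything older than the oldest fixed train never got
    # a fix; anything newer than the newest fixed train already carries it.
    return train < min(adv.fixed)


def missing_patches(installed: Version, model: str,
                    advisories: List[Advisory]) -> List[str]:
    """PSN identifiers the installed version is still missing."""
    return [a.psn for a in advisories if is_affected(installed, a, model)]


# Constructed sample device output (not real scan output).
SAMPLE_SHOW_VERSION = """\
Hostname: edge-sw1
Model: ex4200-48t
JUNOS Base OS boot [11.1R1.10]
JUNOS Base OS Software Suite [11.1R1.10]
JUNOS Kernel Software Suite [11.1R1.10]
"""
SAMPLE_SYSDESCR = ("Juniper Networks, Inc. ex4200-48t internet router, "
                   "kernel JUNOS 11.1R1.10 #0: 2011-03-16 10:00:00 UTC")

# Placeholder fixed-version tables: the PSN numbers come from the article,
# the fix versions are illustrative only, not Juniper's published fix lists.
ADVISORIES = [
    Advisory("PSN-2011-04-241", "sfid daemon crashes on EX Series",
             {(11, 1): "11.1R2"}, models=("ex",)),
    Advisory("PSN-2011-07-299", "IPv6 over IPv4 security policy bypass",
             {(10, 4): "10.4R7", (11, 1): "11.1R4", (11, 2): "11.2R1"}),
]

if __name__ == "__main__":
    v = version_from_show_version(SAMPLE_SHOW_VERSION)
    print("installed:", v)
    print("missing:", missing_patches(v, "ex4200-48t", ADVISORIES))
```

The design choice worth noting is the per-train table: a Junos release train such as 10.4 or 11.1 gets its own fix, so a single "fixed in X" threshold cannot express the advisory, and a version whose train is absent from the table is judged by whether it predates the oldest fixed train. Platform filtering (the EX Series restriction on PSN-2011-04-241) is why the model string from the device is passed alongside the version.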
Conclusion
Keeping up with the latest patches on all your systems is no small task, especially once you include embedded systems such as routers, firewalls, and switches. These devices are critical to your network operations, so a safe and efficient way to verify their patch level is a welcome addition to your vulnerability management program. Local patch checking provides exactly that: a way to confirm that every system and device in your enterprise is running current software without the risk or cost of remote exploitation-style testing.