Thursday, October 15, 2015

Junos: Corrupt pam.conf file allows unauthenticated root access

Product Affected:

This issue can affect any product or platform running Junos OS.

Problem:

When the pam.conf file is corrupted in certain ways, it may allow connection to the device as the root user with no password. This "fail-open" behavior allows an attacker who can specifically modify the file to gain full access to the device.

Note that inadvertent manipulation of the pam.conf by an authorized administrator can also lead to unauthenticated root access to the device. Extreme care should be taken by administrators to avoid modifying pam.conf directly.

While the standalone vulnerability may not be directly exploitable, this issue increases the severity of other attacks that may be chained together to launch a multi-stage advanced attack against the device.

This issue is assigned CVE-2015-7751.

Solution:

The following software releases have been updated to resolve this specific issue: Junos OS 12.1X44-D50, 12.1X46-D35, 12.1X47-D25, 12.3R9, 12.3X48-D15, 13.2R7, 13.2X51-D35, 13.3R6, 14.1R5, 14.1X50-D105, 14.1X51-D70, 14.1X53-D25, 14.1X55-D20, 14.2R1, 15.1F2, 15.1R1, 15.1X49-D10, and all subsequent releases.

This issue was found during internal product security testing.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue is being tracked as PR 965378 and is visible on the Customer Support website.

KB16765 - "In which releases are vulnerabilities fixed?" describes which release vulnerabilities are fixed as per our End of Engineering and End of Life support policies.


Workaround:

Use access lists or firewall filters to limit CLI access to the router only from trusted hosts.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the router via SSH or telnet only from trusted, administrative networks or hosts.
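The workaround above, as an added configuration example that is not part of the advisory: a Junos firewall filter on lo0 that accepts SSH and telnet toward the Routing Engine only from a trusted management prefix and discards, logs and counts every other attempt to reach those ports. The filter name, term names, counter name and the 192.0.2.0/24 management prefix are assumptions; the `#` lines are explanatory comments, not configuration.

```junos
# Added example, not from the advisory. The prefix 192.0.2.0/24 and all names
# are assumptions; replace with your trusted administrative hosts or networks.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

# Accept CLI access (SSH, telnet) only when it comes from the trusted prefix
set firewall family inet filter protect-re term allow-mgmt-cli from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term allow-mgmt-cli from protocol tcp
set firewall family inet filter protect-re term allow-mgmt-cli from destination-port ssh
set firewall family inet filter protect-re term allow-mgmt-cli from destination-port telnet
set firewall family inet filter protect-re term allow-mgmt-cli then accept

# Discard CLI attempts from anywhere else; log and count them so that
# unexpected management traffic shows up in syslog and "show firewall"
set firewall family inet filter protect-re term deny-other-cli from protocol tcp
set firewall family inet filter protect-re term deny-other-cli from destination-port ssh
set firewall family inet filter protect-re term deny-other-cli from destination-port telnet
set firewall family inet filter protect-re term deny-other-cli then log
set firewall family inet filter protect-re term deny-other-cli then count cli-denied
set firewall family inet filter protect-re term deny-other-cli then discard

# Leave all other Routing Engine traffic (routing protocols, SNMP, NTP, ...)
# as it was; tighten this term only after listing what the device relies on,
# because a filter on lo0 that is too strict can isolate the device
set firewall family inet filter protect-re term allow-rest then accept

# Apply the filter to traffic destined to the Routing Engine
set interfaces lo0 unit 0 family inet filter input protect-re
```

Commit with `commit confirmed` so that a mistake in the trusted prefix rolls back automatically instead of locking you out of the CLI.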

Friday, October 2, 2015

VMware Tools unleashed

Prior to this change the ISO file that was downloaded with a new build would be placed on the local datastore of an ESXi host. When applying the VMware Tools to a virtual machine, the ISO would be mounted from the local datastore and unmounted after the installation / update was done. Now that the VMware Tools aren't included with the ESXi builds it is no longer possible to download them through Update Manager. You can now download them directly from the VMware site, but that still means you need to get the ISO ready for use.
Copying the ISO to every ESXi would be a time consuming task and luckily there is an alternative. It is possible to change the location where an ESXi host looks for the VMware Tools. On each host there is a location called the “ProductLocker”, which is a symbolic link that is created when booting a host. This link by default points to a directory on the local datastore. Fortunately for us the location that the symbolic link points to can be changed so that a shared datastore can be used.
First you would need to create a directory on one of your shared datastores like I have done in the screenshot below.
[Screenshot: VMwaretools_Folder]
It doesn't matter what name you give the directory as long as the sub folder has the name "vmtools". In this folder you will place the new VMware Tools ISO file that you downloaded from the VMware site.
Next you will need to adjust the “UserVars.ProductLockerLocation” setting on each host (you could use host profiles to reduce the manual repetition). You can find this setting within the Advanced settings for the host using the vSphere (web) client. Change this setting so that it contains the path to the directory you created in the previous step. Make note that you do not enter the sub directory that is holding the actual ISO file. The host will automatically search the sub directory within the parent directory you entered.
[Screenshot: VMwareTools_UserVars.ProductLockerLocation_oud]
Now that the configuration is changed we need to apply it. This can be done by either rebooting the host or manually by recreating the symbolic link. For the manual way you need to run commands from the ESXi shell. For ESXi 5.x or later you can use this command:
jumpstart --plugin=libconfigure-locker.so
or
rm /productLocker
ln -s /vmfs/volumes/shared_datastore_name/vmware-tools /productLocker
After this you should be able to change to the productLocker directory and find the ISO file you placed on the datastore.
[Screenshot: VMwaretools_productlocker_new]
Now you can install or update the VMware Tools just like you would otherwise.

Open-VM-Tools
Furthermore, VMware Tools for Linux (Open-VM-Tools or OVT for short) has been handed over to the Linux community, enabling the adoption of the tools in the Linux kernel main line. This means that customers don't have to manage the lifecycle of the VMware Tools for certain Linux distributions anymore. Updating OVT will be done through the Linux update mechanism and you can no longer update them using vCenter.
For now the following distributions include OVT:
  • Fedora 19 and later releases
  • Debian 7.x and later releases
  • openSUSE 11.x and later releases
  • Recent Ubuntu releases (12.04 LTS, 13.10 and later)
  • Red Hat Enterprise Linux 7.0 and later releases
  • SUSE Linux Enterprise 12 and later releases
  • CentOS 7 and later releases
  • Oracle Linux 7 and later

Friday, September 18, 2015

Five Reasons Everyone Needs A Mentor

No matter what industry or role you’re in, or how long you’ve been there, a good mentor will guide you through pivotal career decisions, act as a neutral sounding board for ideas, and provide support during hard times. Though young people often seek out mentors in the early stages of their careers, more mid-level and seasoned professionals forgo mentorship. Here are five reasons everyone needs a mentor, no matter what stage of their career they’re at.
You’ll always have a go-to person to call
When you're making a tough decision, it can be difficult to know whose advice to ask. While family members or colleagues can provide valuable insights, having your one "go to" person in times of crisis can be valuable. It's comforting to know that when things get tough, you always know who to call.
Mentors provide an outside perspective
A mentor can also provide an outside perspective. When a problem hits close to home or may affect your colleagues or employees it can be difficult to find a neutral third party to listen and provide advice. A mentor won't have a stake in the issue you're trying to address and will be able to provide unbiased advice.
Mentors have the benefit of experience
Though your mentor may not have direct experience in your industry (though that's very helpful), a good mentor will have seen it all and can help you navigate through the type of tough life decisions everyone struggles with. Mentors have ideally encountered some of these challenges themselves and worked through them successfully.
A mentor will know you over time
As people increasingly switch jobs and even careers more frequently over time, having a mentor who has seen you in many roles can be enormously valuable. They can help put your hard decisions in context of your larger life and will provide the type of guidance one can only dispense by knowing someone over many years.
Mentors can bring new opportunities your way
Having someone who you respect and admire in an outside organization with different contacts can often lead to opportunities you may have not been aware of otherwise. Whether it's a new career or partnership opportunity, or a board position or speaking engagement, a mentor will help grow your network and propel your career forward.

Karl McDonnell

Thursday, September 17, 2015

VMware vCenter Server 6.0 Update 1 Release Notes

  • Customer Experience Improvement Program: The Customer Experience Improvement Program (CEIP) provides VMware with information that enables VMware to improve the VMware products and services and to fix problems. When you choose to participate in CEIP, VMware will collect technical information listed below about your use of the VMware products and services in CEIP reports on a regular basis. This information does not personally identify you. 
  • Feature Enhancement: Suite UI is now enabled by default for the vSphere Web Client.
  • Support for SSLv3: Support for SSLv3 has been disabled by default.
  • vCSA Authentication for Active Directory: VMware vCenter Server Virtual Appliance (vCSA) has been modified to only support AES256-CTS/AES128-CTS/RC4-HMAC encryption for Kerberos authentication between vCSA and Active Directory.
  • Hybrid Cloud Manager: Hybrid Cloud Manager has been updated for vSphere, and can be accessed directly from the home page of vSphere Web Client.
  • FT-vSAN Interoperability: vSAN and FT work together.
  • Appliance Management user interface: Appliance Management has a new user interface, written in HTML5.
  • Platform Services Controller: The PSC has a new management interface, written in HTML5.
  • Backup and Restore with external PSC: vCenter Server deployments with an external PSC, also called MxN, have support for backup and restore.
  • Installation and Upgrade using HTML 5 installer: The following installation and upgrade scenarios are supported for vCenter Server using HTML 5 installer:
    • Installation using HTML 5 installer and target as vCenter Server is supported
    • Upgrade using HTML 5 installer and target as vCenter Server is not supported
    • Upgrade using command line and target as vCenter Server is supported

Saturday, September 12, 2015

Integrated Management Controller (IMC) Supervisor and the UCS Director - Security Updates

Cisco has released security updates to address vulnerabilities in its Integrated Management Controller (IMC) Supervisor and the UCS Director (formerly known as Cloupia Unified Infrastructure Controller). Exploitation of these vulnerabilities may allow a remote attacker to gain unauthorized access or cause a denial-of-service condition.

Saturday, September 5, 2015

Lessons from a Life of Leadership

When I was 25 years old, the President of the company I had worked for after graduating from college asked me if I wanted to manage what was then a team of five sales reps in the copier business.  I didn’t have a clue as to what I was embarking upon and where it would lead me over the next 30 years.  I had no idea what the future would hold including what I would be expected to learn on my own and what it would mean to manage and lead others. 
Early on, like many new managers, I stumbled more times than I succeeded; however, thanks to a few patient bosses, informal mentors and many talented team members, I discovered how to thrive then flourish as a leader.  The lessons I learned along the way were less about myself and more about those who worked for the organizations I was fortunate to have led. 
I learned the drastic difference between what people need versus what people want.  Everyone needs to eat, sleep, be loved, make a living, etc.  Those are fundamental needs and extend beyond the workplace into our daily lives.
But learning what people want in their work made it clear how I needed to adapt as a leader.  So much is written about “what a leader should do” and “what a leader wants from their employees”, but discovering what your people seek actually provides a clear path to becoming a successful leader.  As leaders, we are at the bottom of the inverted triangle.  It is our job to build an environment that allows people to prosper.
  • I want and value a personal connection with my boss
  • I want to know what is expected of me and be held accountable (surprise!)
  • I want my ideas to be respected and valued regardless of whether or not they are accepted
  • I want to work hard (yes, I really do!) and be challenged intellectually
  • I want to be trusted to do the right thing
  • I want to be rewarded for my accomplishments, and not the hours I work
  • I want to be appreciated and respected for my contributions (I do not need public recognition or awards)
A leader can impact each of the aforementioned items.  If we make sound hiring decisions and create an environment built around our team’s wants, then the expectations and financial goals of the organization are typically fulfilled. 
The only "golden rule" of leadership I cultivated over time was to surround myself with the best people I could, be clear about what I expected, and then allow them to do their jobs with the least possible interference.  The rest of my approach as a leader was shaped by how those people around me wanted to be treated.
I have been extremely fortunate to have worked alongside many great team members in my leadership roles, and together we discovered what motivated people to excel and find satisfaction and happiness in their work.

Tom Kemp

SVP, Key Account Manager at Lee Hecht Harrison

Thursday, August 20, 2015

Key Reasons behind Budget and Timeline Overages

Many ERP projects exceed budget and timeline expectations. Overages are due to a number of factors, including:

1. Budgets and timeframes that do not take into account business process improvement, organizational change management, backfilling and resource allocation, and/or software customization.
Mitigation Step: Create a business case and devote adequate resources to ensure accurate project planning.

2. Leadership teams that choose systems based on reputation or vendor sales pitches rather than systems that truly fit their "future state" requirements.
Mitigation Step: Leverage independent resources to conduct full requirements gathering, business process improvements, and software evaluations and negotiations.

3. Leadership teams that fail to anticipate the magnitude of the project and the impact it has on end-user productivity and/or morale both prior to and following software implementation.
Mitigation Step: Conduct executive alignment and education exercises; create a business case determining goals and measurement tools, and ensure strong organizational change management planning and execution.

4. Non-customized training that is based solely on the technical aspects of the system and fails to train users on new processes.
Mitigation Step: Leverage third-party resources to customize training to each practice area and its processes.

5. Lack of concerted communication to end-users about the reasons behind the implementation, the anticipated benefits stemming from successful adoption, and the ways in which each individual end-user and executive will affect project success or failure.
Mitigation Step: Create and follow a comprehensive organizational change management plan.