CVE-2015-5361

Junos: FTPS through SRX opens up wide range of data channel TCP ports

Description

Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY. Issue The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated to the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load-balancer, and SRX inactivity-timeout values, the server/load-balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration.​ Note that the ftps-extensions option is not enabled by default.

Remediation

Solution:

  • The overall behavior of the FTP ALG with the ftps-extensions option is intended behavior and will not change. The key component to this advisory is increasing user awareness of the wide TCP data channel (gate) creation, allowing creation of any new sessions from client to server, and potential implications where the SRX protects the FTPS server and the server/load-balancer allows the control channel to remain open for an extended period. Investigation into the issue identified two issues applicable to environments where the SRX protects both FTPS clients and servers, as well as uses FTP and FTPS over the same TCP ports to different servers. ​Due to the recent changes of OpenSSL, the FTP ALG without the ftps-extensions option may block FTPS commands over the FTP control channel. This is client and server specific, and was observed with FTPS clients that use recent versions of OpenSSL. This may result in security administrators enabling the ftps-extensions option with the intent of allowing the commands to pass, but inadvertently allowing wide gate creation. This was observed in a configuration with simultaneous FTPS client/server use, with use of the same ports for FTP and FTPS traffic. The ftps-extension option is not supported when the SRX performs a destination NAT of the FTPS server, as the ALG cannot inspect the control channel to modify the server’s IP address signaled to the client. In an environment of simultaneous FTP and FTPS server use with the ftps-extensions option enabled, the gate is created but is generally unusable by the FTPS client. However, an FTPS client with knowledge of the server’s real IP address, its NAT’d IP address, and routing reachability to the server’s real IP address may be able to use the wide gate to reach the FTPS server. The software releases listed below resolves these issues as follows: The FTP ALG without the ftps-extensions option will allow FTPS related commands to pass over the FTP control channel. As the ftps-extension option is not enabled, the wide TCP data channel is not created. If the FTPS server is NAT’d by the SRX (destination or static NAT), the wide TCP data channel is not created.
  • The following software releases have been updated to resolve these specific issues: Junos OS 12.1X44-D55, 12.1X46-D40, 12.1X47-D25, 12.3X48-D15, 15.1X49-D10, and all subsequent releases.

Workaround:

  • Do not enable the 'ftps-extensions' option if FTPS is not needed.​ The 'ftps-extensions' option is disabled by default.​

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.15%
Vendor Advisory juniper.net
Affected: n/a n/a
Published at:
Updated at:

References

Link Tags
https://kb.juniper.net/JSA10706 vendor advisory

Frequently Asked Questions

What is the severity of CVE-2015-5361?
CVE-2015-5361 has been scored as a medium severity vulnerability.
How to fix CVE-2015-5361?
To fix CVE-2015-5361: The overall behavior of the FTP ALG with the ftps-extensions option is intended behavior and will not change. The key component to this advisory is increasing user awareness of the wide TCP data channel (gate) creation, allowing creation of any new sessions from client to server, and potential implications where the SRX protects the FTPS server and the server/load-balancer allows the control channel to remain open for an extended period. Investigation into the issue identified two issues applicable to environments where the SRX protects both FTPS clients and servers, as well as uses FTP and FTPS over the same TCP ports to different servers. ​Due to the recent changes of OpenSSL, the FTP ALG without the ftps-extensions option may block FTPS commands over the FTP control channel. This is client and server specific, and was observed with FTPS clients that use recent versions of OpenSSL. This may result in security administrators enabling the ftps-extensions option with the intent of allowing the commands to pass, but inadvertently allowing wide gate creation. This was observed in a configuration with simultaneous FTPS client/server use, with use of the same ports for FTP and FTPS traffic. The ftps-extension option is not supported when the SRX performs a destination NAT of the FTPS server, as the ALG cannot inspect the control channel to modify the server’s IP address signaled to the client. In an environment of simultaneous FTP and FTPS server use with the ftps-extensions option enabled, the gate is created but is generally unusable by the FTPS client. However, an FTPS client with knowledge of the server’s real IP address, its NAT’d IP address, and routing reachability to the server’s real IP address may be able to use the wide gate to reach the FTPS server. The software releases listed below resolves these issues as follows: The FTP ALG without the ftps-extensions option will allow FTPS related commands to pass over the FTP control channel. As the ftps-extension option is not enabled, the wide TCP data channel is not created. If the FTPS server is NAT’d by the SRX (destination or static NAT), the wide TCP data channel is not created.
Is CVE-2015-5361 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2015-5361 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.