Juniper Junos up to 16.0 Command Line Interface command injection
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.9 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Juniper Junos up to 16.0 (Router Operating System). This affects some unknown processing of the component Command Line Interface. The manipulation with an unknown input leads to a command injection vulnerability. CWE is classifying the issue as CWE-77. The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. This is going to have an impact on confidentiality, integrity, and availability.
The weakness was released 10/12/2016 as JSA10763 / 1027807 / 1117227 / 1061973 as confirmed knowledge base article (Website). The advisory is shared at kb.juniper.net. The public release was coordinated with Juniper. The knowledge base article contains:
These issues were found during internal product security testing.This vulnerability is uniquely identified as CVE-2016-4922 since 05/18/2016. The exploitability is told to be easy. An attack has to be approached locally. Required for exploitation is a authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1202 for this issue. The advisory points out:
Certain combinations of Junos OS CLI commands and arguments have been found to be exploitable in a way that can allow unauthorized access to the operating system. This may allow any user with permissions to run these CLI commands the ability to achieve elevated privileges and gain complete control of the device.
The vulnerability scanner Nessus provides a plugin with the ID 94331 (Juniper Junos IPv6 Packet Handling Remote DoS (JSA10762)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Junos Local Security Checks and running in the context c.
Upgrading to version 12.1X46-D60, 12.1X47-D45, 12.3R12, 12.3X48-D35, 13.2R9, 13.3R9, 14.1R7, 14.1X53-D40, 14.1X55-D35, 14.2R5, 15.1F4, 15.1R3, 15.1X49-D60, 15.1X53-D70 or 16.1R1 eliminates this vulnerability. A possible mitigation has been published immediately after the disclosure of the vulnerability. The knowledge base article contains the following remark:
Use access lists or firewall filters to limit access to the router's CLI only from trusted hosts. Restrict access to the CLI to only highly trusted administrators.
The vulnerability is also documented in the vulnerability database at Tenable (94331). Entry connected to this vulnerability is available at 92719.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 8.0VulDB Meta Temp Score: 7.9
VulDB Base Score: 7.8
VulDB Temp Score: 7.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.8
NVD Vector: 🔍
CNA Base Score: 8.4
CNA Vector (Juniper Networks, Inc.): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Command injectionCWE: CWE-77 / CWE-74 / CWE-707
CAPEC: 🔍
ATT&CK: 🔍
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 94331
Nessus Name: Juniper Junos IPv6 Packet Handling Remote DoS (JSA10762)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 802738
OpenVAS Name: Junos Multiple Privilege Escalation Vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Junos 12.1X46-D60/12.1X47-D45/12.3R12/12.3X48-D35/13.2R9/13.3R9/14.1R7/14.1X53-D40/14.1X55-D35/14.2R5/15.1F4/15.1R3/15.1X49-D60/15.1X53-D70/16.1R1
Timeline
05/18/2016 🔍10/12/2016 🔍
10/12/2016 🔍
10/12/2016 🔍
10/14/2016 🔍
10/15/2016 🔍
10/27/2016 🔍
10/13/2017 🔍
09/26/2022 🔍
Sources
Vendor: juniper.netAdvisory: JSA10763 / 1027807 / 1117227 / 1061973
Status: Confirmed
Confirmation: 🔍
Coordinated: 🔍
CVE: CVE-2016-4922 (🔍)
SecurityTracker: 1037013
SecurityFocus: 93534 - Juniper Junos CVE-2016-4922 Multiple Local Privilege Escalation Vulnerabilities
See also: 🔍
Entry
Created: 10/15/2016 13:12Updated: 09/26/2022 09:43
Changes: 10/15/2016 13:12 (74), 05/10/2019 18:02 (12), 09/26/2022 09:42 (3), 09/26/2022 09:43 (12)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.