CVE-2018-0052 in Junos

Summary

by MITRE

If RSH service is enabled on Junos OS and if the PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device. RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listening for RSH connections on port 514. This issue is not exploitable on platforms where Junos release is based on FreeBSD 10+. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D75 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series; 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7; 16.2 versions prior to 16.2R2-S5; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91; 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R1-S3, 17.4R2; 18.2X75 versions prior to 18.2X75-D5.


Analysis

by VulDB Data Team • 05/23/2023

This vulnerability is a critical privilege escalation flaw in Juniper Networks Junos OS that combines a misconfigured service with an undocumented administrative command to grant unauthenticated remote root access. It affects systems where the Remote Shell (RSH) service has been enabled through an undocumented CLI command while PAM authentication was disabled, a configuration that bypasses normal authentication controls. The flaw stems from a mismatch between documented security practice and actual system behavior, where legitimate administrative functionality can inadvertently expose a device to unauthorized access. When RSH is enabled, the device listens on UDP port 514, which is commonly used for syslog services, making it particularly dangerous as attackers can leverage this well-known port to exploit the vulnerability. This flaw directly violates the security principle of least privilege and demonstrates how undocumented features can create unexpected attack vectors.

The technical exploitation of this vulnerability relies on the presence of an undocumented CLI command that allows privileged Junos users to enable the RSH service while simultaneously disabling PAM authentication. This combination creates an authentication bypass scenario where any remote attacker can establish a root shell without providing credentials, as the system accepts connections without verifying user identity. The vulnerability is particularly concerning because it requires no authentication to exploit, making it a classic example of a remote code execution vulnerability that can be leveraged by attackers from anywhere on the network. The attack surface is further expanded by the fact that this configuration can be enabled through legitimate administrative channels, meaning that even authorized users who are unaware of the security implications could inadvertently create this vulnerability. This scenario aligns with CWE-284 access control weaknesses and represents a significant deviation from expected security behavior where legitimate administrative functionality creates security holes.

The operational impact of this vulnerability extends beyond simple privilege escalation to encompass complete system compromise and potential network-wide damage. Once exploited, an attacker gains root access to the device and can manipulate network configurations, intercept traffic, modify routing tables, and potentially use the compromised device as a pivot point for attacks against other network segments. The vulnerability affects multiple Junos OS versions across various platform series including SRX, QFX, EX, and NFX series devices, indicating a widespread exposure across Juniper's product portfolio. Systems based on FreeBSD 10+ are not affected, suggesting that this vulnerability is tied to specific implementation details of older operating system versions. The affected platforms include enterprise-grade firewalls, switches, and routing equipment that form critical components of network infrastructure, making this vulnerability particularly dangerous for organizations relying on Juniper hardware for network security. This vulnerability maps directly to ATT&CK technique T1059 for remote code execution and T1068 for local privilege escalation, demonstrating how a single flaw can enable multiple attack vectors.

Mitigating this vulnerability requires immediate administrative action to disable the RSH service and ensure PAM authentication remains enabled. Organizations should audit their Junos OS configurations for any instance where the undocumented CLI command has been used to enable RSH. The recommended approach is to disable RSH through the proper CLI commands and to confirm that PAM authentication is enabled and correctly configured for all authentication services. Regular security assessments should look for similar undocumented features that may create vulnerabilities. Administrators should also apply network segmentation and monitoring to detect unauthorized connection attempts on port 514, the default listening port of the vulnerable RSH service. Finally, Junos OS should be updated to the patched releases that address this issue and prevent RSH from being enabled through undocumented commands. The vulnerability underlines the importance of timely patching and of thorough security review of all administrative interfaces, since undocumented features can be exploited by malicious actors.
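As an added example (not part of this VulDB entry or of Juniper's own tooling), the check below encodes the fixed releases from the MITRE summary above and reports whether a given Junos version string, plus the platform series for the 15.1X53 train, still falls in the affected range. The rule used for a version that sits between two listed fixes is an assumption; a version match alone does not mean a device is exposed, since RSH is disabled by default and releases based on FreeBSD 10+ are not exploitable.

```python
import re
# Fixed releases as listed in the MITRE summary on this page, keyed by
# (release train, platform). Only 15.1X53 has per-platform fixes; the
# other trains use platform None.
FIXED = {
    ("12.1X46", None): ["12.1X46-D77"],
    ("12.3", None): ["12.3R12-S10"],
    ("12.3X48", None): ["12.3X48-D75"],
    ("14.1X53", None): ["14.1X53-D47"],
    ("15.1", None): ["15.1R4-S9", "15.1R6-S6", "15.1R7"],
    ("15.1X49", None): ["15.1X49-D131", "15.1X49-D140"],
    ("15.1X53", "EX2300/EX3400"): ["15.1X53-D59"],
    ("15.1X53", "QFX10K"): ["15.1X53-D67"],
    ("15.1X53", "QFX5200/QFX5110"): ["15.1X53-D233"],
    ("15.1X53", "NFX"): ["15.1X53-D471", "15.1X53-D490"],
    ("16.1", None): ["16.1R3-S9", "16.1R4-S9", "16.1R5-S4", "16.1R6-S4", "16.1R7"],
    ("16.2", None): ["16.2R2-S5"],
    ("17.1", None): ["17.1R1-S7", "17.1R2-S7", "17.1R3"],
    ("17.2", None): ["17.2R1-S6", "17.2R2-S4", "17.2R3"],
    ("17.2X75", None): ["17.2X75-D110", "17.2X75-D91"],
    ("17.3", None): ["17.3R1-S4", "17.3R2-S2", "17.3R3"],
    ("17.4", None): ["17.4R1-S3", "17.4R2"],
    ("18.2X75", None): ["18.2X75-D5"],
}

# Junos version string: <major.minor>[X<n>][-]<R|D><release>[-S<service>]
_VER = re.compile(r"^(\d+\.\d+)(X\d+)?-?[RD](\d+)(?:-S(\d+))?$")

def parse(version):
    """Return (train, release_number, service_number) for a Junos version."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return m.group(1) + (m.group(2) or ""), int(m.group(3)), int(m.group(4) or 0)

def is_affected(version, platform=None):
    """True if `version` is below a fix this page lists for its train.
    Unlisted trains give False. Same release number: compare service release;
    otherwise the highest listed release is the threshold (assumption,
    conservative: a version between two listed fixes reports as affected).
    """
    train, rel, svc = parse(version)
    fixes = FIXED.get((train, platform))
    if fixes is None:
        return False
    parsed = [parse(f)[1:] for f in fixes]
    same = [s for r, s in parsed if r == rel]
    if same:
        return svc < min(same)
    return rel < max(r for r, _ in parsed)
```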

Reservation

11/15/2017

Disclosure

10/10/2018

Moderation

accepted

CPE

ready

EPSS

0.08504

KEV

no

Activities

very low
