CVE-2020-1620 in Junos
Summary
by MITRE
A local, authenticated user with shell can obtain the hashed values of login passwords via configd streamer log. This issue affects all versions of Junos OS Evolved prior to 19.3R1.
Analysis
by VulDB Data Team • 05/17/2024
The vulnerability described in CVE-2020-1620 represents a critical information disclosure flaw within Junos OS Evolved systems that affects all versions prior to 19.3R1. This issue manifests as a local privilege escalation vector where authenticated users with shell access can extract hashed password values from the configd streamer log files. The vulnerability stems from insufficient access controls and improper logging mechanisms that expose sensitive authentication data to unauthorized local users who possess shell privileges. The configd streamer component in Junos OS is responsible for managing configuration data and system logging, but in affected versions it fails to adequately protect sensitive password hash information from being accessible through log file enumeration.
The technical implementation of this vulnerability involves the exploitation of weak logging practices where password hash values are inadvertently written to system log files in a format that can be read by local users. This flaw operates at the system level and requires only local authentication and shell access to exploit, making it particularly dangerous in environments where local user accounts may be compromised or where privileged users have elevated access rights. The vulnerability aligns with CWE-200, which addresses the improper exposure of sensitive information, and represents a classic case of insufficient logging security controls that allow unauthorized information disclosure. Attackers can leverage this weakness to gain access to password hashes that can then be subjected to offline password cracking attacks, potentially leading to full system compromise.
The operational impact of this vulnerability extends beyond simple information disclosure as it provides attackers with the foundation for more sophisticated attacks including credential reuse, password spraying, and brute force attempts against the exposed hash values. In enterprise environments running affected Junos OS versions, this vulnerability could enable attackers who have already gained local shell access to escalate their privileges further by obtaining administrative credentials. The exposure of password hashes through system logs creates a significant risk for organizations that rely on Junos OS for network infrastructure management, as these credentials may be used to access network devices, management systems, and potentially other connected systems within the network perimeter. This vulnerability also maps to ATT&CK technique T1003.001 which covers OS credential dumping, specifically targeting credential access through system logs and configuration files.
Organizations affected by this vulnerability should immediately implement the remediation measures provided in Junos OS 19.3R1 and subsequent releases, which include enhanced logging controls and access restrictions for sensitive system components. The mitigation strategy should involve comprehensive system hardening, including regular patch deployment, implementation of proper log access controls, and monitoring for unauthorized log file access attempts. Network administrators should conduct immediate vulnerability assessments to identify systems running affected Junos OS versions and ensure proper access controls are in place to prevent unauthorized local users from accessing system logs. Additionally, implementing network segmentation and least-privilege principles can help reduce the impact of this vulnerability by limiting the potential damage from local user compromise. The vulnerability demonstrates the critical importance of proper logging security practices and access controls in network infrastructure devices, where even seemingly innocuous system components can provide attackers with critical information for further exploitation.
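The log access check described above can be automated. The following is an added example, not code from VulDB, MITRE or Juniper: it scans log text for password hashes and reports whether the file is readable by anyone other than its owner. It assumes the hashes appear in modular crypt format (`$1$`, `$5$`, `$6$`), which the advisory does not state, and the sample log lines are constructed.

```python
import os
import re
import stat

# Modular crypt format: $id$[rounds=N$]salt$digest (1=MD5, 5=SHA-256, 6=SHA-512).
# Assumption: leaked hashes use this format; the advisory does not specify it.
CRYPT_RE = re.compile(
    r"\$(?:1|5|6)\$(?:rounds=\d+\$)?[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{22,86}"
)


def scan_lines(lines):
    """Return (line_number, redacted_line) for each line containing a crypt hash."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if CRYPT_RE.search(line):
            # Redact so the audit report does not become a second leak.
            hits.append((number, CRYPT_RE.sub("<REDACTED-HASH>", line.rstrip("\n"))))
    return hits


def readable_by_non_owner(mode):
    """True if group or other has read permission in this file mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_log(path):
    """Scan one log file; report hash hits and whether non-owners can read it."""
    mode = os.stat(path).st_mode
    with open(path, "r", errors="replace") as handle:
        hits = scan_lines(handle)
    return {"path": path, "exposed": readable_by_non_owner(mode), "hits": hits}


# Constructed sample lines (not real configd streamer output).
SAMPLE = [
    "Jan 01 00:00:01 re0 configd[1234]: commit complete\n",
    "Jan 01 00:00:02 re0 configd[1234]: user admin encrypted-password "
    "$6$abcdefgh$" + "A" * 86 + "\n",
    "Jan 01 00:00:03 re0 configd[1234]: price is $5 today\n",
]

if __name__ == "__main__":
    for number, line in scan_lines(SAMPLE):
        print(f"line {number}: {line}")
```

Any file where `audit_log` returns both hits and `exposed` set to true should be treated as a credential exposure: restrict the file and rotate the affected passwords.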