CVE-2020-1622 in Junos

Summary

by MITRE

A local, authenticated user with shell can obtain the hashed values of login passwords and shared secrets via the EvoSharedObjStore. This issue affects all versions of Junos OS Evolved prior to 19.1R1.


Analysis

by VulDB Data Team • 05/17/2024

This vulnerability resides in the Junos OS Evolved operating system, specifically in the EvoSharedObjStore component that manages shared objects and data structures. It is a critical information disclosure flaw: a local, authenticated user with shell access can extract hashed password values and shared secrets. The cause is inadequate access control and insufficient sanitization of sensitive data within the shared object storage mechanism. An attacker who has already gained local shell access can use this weakness to collect credentials that may then serve further exploitation or lateral movement within the network environment.

Technically, the vulnerability stems from improper privilege separation and data exposure within the EvoSharedObjStore. When an authenticated user issues commands through the shell interface, the system fails to restrict access to the sensitive hashed credentials held in shared memory or object stores. This is a classic case of insufficient authorization checks: the system does not validate whether the requesting user should be allowed to read the specific hashed values being retrieved. Only versions prior to 19.1R1 are affected, so the issue was a known defect that required a specific software update to remediate. The flaw aligns with CWE-284, which covers inadequate access control mechanisms, and shows how weak privilege enforcement leads to unauthorized information disclosure.

The operational impact is significant for organizations running affected Junos OS Evolved versions, because the attacker obtains credential hashes that can be subjected to offline password cracking. Once the hashes are in hand, the original passwords may be recovered with techniques such as rainbow table attacks or brute force. The extracted shared secrets may also compromise other systems or services that rely on the same credentials for authentication. Because Junos OS Evolved runs on network infrastructure devices, a successful attacker could gain deeper access to network resources, manipulate device configurations, or establish persistent footholds within the network. The impact is amplified by the low barrier to exploitation: only local authenticated access is required, so any user with legitimate shell access could exploit the flaw.

Organizations should remediate immediately by upgrading to Junos OS Evolved 19.1R1 or later, which contains the patches for the access control issue in the EvoSharedObjStore. Network administrators should also audit for unauthorized local access and enforce strict access control policies for shell interfaces. Mitigation should include monitoring for suspicious activity related to shared object access and credential extraction attempts. Network segmentation further limits the blast radius of local privilege escalation, and shell access to critical network devices should be restricted to authorized personnel. This vulnerability demonstrates the importance of proper privilege separation and secure coding practices in network infrastructure software, aligning with ATT&CK technique T1078 for valid accounts and T1566 for credential access.
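As an added example (not VulDB's or Juniper's code), the following Python checker parses a Junos version string and reports whether a device falls in the affected range, that is, Junos OS Evolved prior to 19.1R1. The version-string format, the "-EVO" suffix as the Evolved marker, and the sample "show version" text are assumptions made for this example.

```python
import re
from typing import NamedTuple

# Added example, not VulDB's or Juniper's code.  Assumed version-string format:
# "<major>.<minor>R<release>[-S<service>][.<build>][-EVO]", e.g. "18.4R2-S3.4-EVO";
# the "-EVO" suffix marks Junos OS Evolved, the only platform in this CVE's scope.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<release>\d+)"
    r"(?:-S(?P<service>\d+))?(?:\.(?P<build>\d+))?(?P<evo>-EVO)?$"
)
FIXED_IN = (19, 1, 1, 0)  # 19.1R1, the first fixed release named in the advisory


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int
    service: int   # 0 when there is no -S service release
    evolved: bool  # True when the -EVO suffix is present

    def key(self) -> tuple:
        # Build number is deliberately ignored: fixes ship per release/service level.
        return (self.major, self.minor, self.release, self.service)


def parse_junos_version(text: str) -> JunosVersion:
    """Parse one Junos version string; raise ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return JunosVersion(int(m["major"]), int(m["minor"]), int(m["release"]),
                        int(m["service"] or 0), m["evo"] is not None)


def is_affected_cve_2020_1622(text: str) -> bool:
    """True for Junos OS Evolved releases prior to 19.1R1; classic Junos OS
    strings (no -EVO suffix) are outside the CVE's scope and return False."""
    v = parse_junos_version(text)
    return v.evolved and v.key() < FIXED_IN


def affected_from_show_version(output: str) -> bool:
    """Extract the 'Junos:' line from 'show version' text and evaluate it."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Junos:' line found in output")
    return is_affected_cve_2020_1622(m.group(1))


# Constructed sample output (not captured from a real device).
SAMPLE_SHOW_VERSION = "Hostname: lab-router\nModel: ptx10003\nJunos: 18.4R2-S3.4-EVO\n"
```

Feeding the version line from an inventory export or a fleet of "show version" captures into `affected_from_show_version` gives a quick pass over which devices still need the 19.1R1 upgrade.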
