CVE-2020-1631 in Junos

Summary

by MITRE

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission, or obtain J-Web session tokens.

In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes:

    user@device> show system processes | match http
    5260  -  S  0:00.13 /usr/sbin/httpd-gk -N
    5797  -  I  0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize:
If HTTP/HTTPS services are disabled, there is no impact from this vulnerability.
If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions.

Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have been injected or files have been accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command:

    user@device> show log httpd.log | match "=*;*&|=*%3b*&"

If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following commands:

    user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"
    user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked.

This issue affects Juniper Networks Junos OS:
    12.3 versions prior to 12.3R12-S16;
    12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105;
    14.1X53 versions prior to 14.1X53-D54;
    15.1 versions prior to 15.1R7-S7;
    15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220;
    16.1 versions prior to 16.1R7-S8;
    17.2 versions prior to 17.2R3-S4;
    17.3 versions prior to 17.3R3-S8;
    17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
    18.1 versions prior to 18.1R3-S10;
    18.2 versions prior to 18.2R2-S7, 18.2R3-S4;
    18.3 versions prior to 18.3R2-S4, 18.3R3-S2;
    18.4 versions prior to 18.4R1-S7, 18.4R3-S2; 18.4 version 18.4R2 and later versions;
    19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions;
    19.2 versions prior to 19.2R2;
    19.3 versions prior to 19.3R2-S3, 19.3R3;
    19.4 versions prior to 19.4R1-S2, 19.4R2;
    20.1 versions prior to 20.1R1-S1, 20.1R2.


Analysis

by VulDB Data Team • 02/18/2025

This vulnerability represents a critical local file inclusion and path traversal flaw within Juniper Networks Junos OS devices that operate HTTP/HTTPS services. The vulnerability exists in the web-based management interfaces, including the J-Web, Web Authentication, Dynamic-VPN, Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning components. The flaw allows unauthenticated attackers to manipulate file paths through HTTP requests, enabling them to access sensitive system files that have world-readable permissions. This vulnerability is classified under CWE-22, which specifically addresses path traversal attacks, and aligns with ATT&CK technique T1059.007 for command and scripting interpreter. The attack surface is particularly concerning because it affects multiple authentication and provisioning mechanisms within the Junos OS ecosystem, creating multiple potential entry points for malicious actors.

The operational impact varies significantly based on service configuration and system state. When HTTP/HTTPS services are enabled but J-Web is not actively in use, the vulnerability allows for high-severity information disclosure with a CVSS score of 5.9, enabling attackers to read configuration files that contain sensitive operational data. However, when J-Web is enabled, the attack surface expands dramatically with a CVSS score of 8.8, potentially allowing full administrative access to the device. This escalation occurs because attackers can obtain active J-Web session tokens, effectively gaining the same privileges as currently logged-in administrators. The execution context is limited since the HTTP service runs as the 'nobody' user, which restricts the potential for privilege escalation beyond information disclosure. The vulnerability affects a broad range of Junos OS versions, spanning from 12.3 through 20.1 releases, making it particularly widespread across enterprise network infrastructure. The CVSS scoring demonstrates the layered risk where the base attack vector is network-based with low complexity and no prerequisites, but the impact increases substantially when J-Web is enabled.

Mitigation strategies should begin with an immediate assessment of affected devices using the process identification command show system processes | match http, which reveals whether httpd processes are running. The most effective immediate response is to disable HTTP/HTTPS services entirely on devices where they are not required, as this completely eliminates the attack vector. For environments where these services must remain enabled, administrators should implement network-level restrictions and monitor httpd.log for the suspicious patterns "=*;*&" or "*%3b*&", which indicate command injection attempts. The log analysis should include both the current and the rotated log files to account for attacker cleanup activities that may remove evidence from active logs. Security monitoring should be enhanced through regular log reviews and intrusion detection systems that can identify these specific attack signatures. Device administrators should also ensure all affected systems are updated to patched versions, as Juniper has released security advisories for all affected releases. The vulnerability's exploitation in the wild underscores the importance of proactive remediation, as attackers may already be actively targeting these systems. Organizations should implement comprehensive patch management processes and conduct regular vulnerability assessments to identify and remediate similar weaknesses in their Junos OS deployments. The attack patterns observed align with common web application exploitation techniques and should be monitored through security information and event management systems to detect potential compromise activities.
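The log check recommended above, as an added example for reviewing exported httpd.log files off-box (this is not code from the advisory or from Juniper; file names and the sample lines are assumptions). It reads the advisory's "=*;*&" / "*%3b*&" indicators as glob-style patterns, i.e. a parameter value containing a ';' or '%3b' before the next '&'; note that handed verbatim to a regular-expression engine, "=*;*&" would match every line containing '&'.

```python
import gzip
import re
from pathlib import Path

# Advisory indicator read as a glob: "=" ... ";" or "%3b" ... "&" within one
# query parameter. Case-insensitive so "%3B" is caught as well.
INDICATOR = re.compile(r"=[^&]*(?:;|%3b)[^&]*&", re.IGNORECASE)

def scan_lines(lines):
    """Return (line_number, line) for every line matching the indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        if INDICATOR.search(line):
            hits.append((n, line.rstrip("\n")))
    return hits

def scan_log(path):
    """Scan httpd.log or a rotated httpd.log.N.gz (gzip detected by suffix)."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return scan_lines(fh)

def scan_all(log_dir):
    """Scan the live log and every rotated copy, as the advisory advises."""
    results = {}
    for p in sorted(Path(log_dir).glob("httpd.log*")):
        results[p.name] = scan_log(p)
    return results

# Constructed sample lines (not real device output) for a stand-alone run.
SAMPLE = [
    "GET /?a=1&b=2 HTTP/1.1",              # benign
    "GET /?file=x;foo&y=1 HTTP/1.1",       # literal ';' before '&'
    "GET /?file=x%3Bfoo&y=1 HTTP/1.1",     # URL-encoded ';' before '&'
    "GET /?q=a;b HTTP/1.1",                # no '&' after the ';'
]

if __name__ == "__main__":
    for n, line in scan_lines(SAMPLE):
        print(f"line {n}: {line}")
```

A hit is only an indicator: the advisory itself notes it may reflect scanning rather than a successful attack, and a missing hit does not rule one out.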

Reservation

11/04/2019

Moderation

accepted

CPE

ready

EPSS

0.04725

KEV

yes

Activities

very low
