Juniper has released an out-of-band security update for a Junos OS vulnerability, CVE-2020-1631, in J-Web and web-based (HTTP/HTTPS) services.
The issue could allow an attacker to “inject commands into the httpd.log, read files with ‘world’ readable file permission or obtain J-Web session tokens.”
Juniper summarized the issue in a security advisory 2020-04:
“A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal.”
In addition, Juniper said the most serious of the three is the J-Web session token issue, which carries a high severity rating and a CVSS score of 8.8. If J-Web is enabled on a Juniper device, an attacker could gain the same level of access as any user logged in to the device. As a result, the actor could gain administrator privileges to J-Web.
The other two issues are rated moderate.
For Junos OS versions 19.3R1 and above, an unauthenticated attacker could take advantage of “world” readable permissions and read the configuration file.
For the command injection issue, a hacker could also inject commands into the httpd.log. However, the impact is more limited since the HTTP service runs as user ‘nobody’.
The security issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled.
Therefore, Junos OS devices with HTTP/HTTPS services disabled are not affected.
The following Junos OS versions are affected by the vulnerability:
- 15.1, 15.1X49
- 17.2, 17.3, 17.4
- 18.1, 18.2, 18.3, 18.4
- 19.1, 19.2, 19.3, 19.4
Network administrators should upgrade affected devices to the latest software versions as noted in the advisory.
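To help triage a fleet against the two exposure conditions the article gives (an affected release train and HTTP/HTTPS web-management enabled), here is an added example, not code from Juniper or from the advisory. It assumes you have each device's Junos version string and the output of `show configuration system services | display set`; the sample config below is constructed, and a device in an affected train may already be on the fixed release listed in the advisory, so the result is a prompt to review, not a confirmation of vulnerability.

```python
import re

# Junos release trains the article lists as affected by CVE-2020-1631.
AFFECTED_TRAINS = {
    "15.1", "15.1X49",
    "17.2", "17.3", "17.4",
    "18.1", "18.2", "18.3", "18.4",
    "19.1", "19.2", "19.3", "19.4",
}

# Constructed sample of "show configuration system services | display set".
SAMPLE_SET_CONFIG = """\
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
"""


def junos_train(version: str) -> str:
    """Reduce a version such as '19.3R1.8' or '15.1X49-D170.4' to its
    release train ('19.3', '15.1X49') so it can be matched against the list."""
    m = re.match(r"^(\d+\.\d+)(X\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return m.group(1) + (m.group(2) or "")


def web_services_enabled(set_config: str) -> bool:
    """True if web-management http or https is configured and the stanza is
    not deactivated, i.e. the HTTP/HTTPS exposure the advisory describes."""
    enabled = deactivated = False
    for line in set_config.splitlines():
        line = line.strip()
        if re.match(r"^set system services web-management https?\b", line):
            enabled = True
        elif re.match(r"^deactivate system services web-management\b", line):
            deactivated = True
    return enabled and not deactivated


def assess(version: str, set_config: str) -> str:
    """Classify a device: 'exposed' (affected train, web services on),
    'not_exposed' (affected train, web services off) or 'unlisted'."""
    if junos_train(version) not in AFFECTED_TRAINS:
        return "unlisted"
    return "exposed" if web_services_enabled(set_config) else "not_exposed"


if __name__ == "__main__":
    print(assess("19.3R1.8", SAMPLE_SET_CONFIG))
```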