Details of VAR-201710-0239

ID

VAR-201710-0239

CVE

CVE-2017-10606

TITLE

Juniper Networks TPM Cryptographic vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2017-009378

DESCRIPTION

Version 4.40 of the TPM (Trusted Platform Module) firmware on Juniper Networks SRX300 Series has a weakness in generating cryptographic keys that may allow an attacker to decrypt sensitive information in SRX300 Series products. The TPM is used in the SRX300 Series to encrypt sensitive configuration data. While other products also ship with a TPM, no other products or platforms are affected by this vulnerability. Customers can confirm the version of TPM firmware via the 'show security tpm status' command. This issue was discovered by an external security researcher. No other Juniper Networks products or platforms are affected by this issue. TrustedPlatformModule (TPM) is one of the test platform modules. An attacker could exploit the vulnerability to decrypt sensitive information

Trust: 2.25

sources: NVD: CVE-2017-10606 // JVNDB: JVNDB-2017-009378 // CNVD: CNVD-2017-32096 // VULHUB: VHN-100945

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2017-32096

AFFECTED PRODUCTS

vendor:	juniper	model:	trusted platform module	scope:	eq	version:	4.40	Trust: 2.4
vendor:	juniper	model:	networks srx300 series	scope:	eq	version:	4.40	Trust: 0.6

sources: CNVD: CNVD-2017-32096 // JVNDB: JVNDB-2017-009378 // CNNVD: CNNVD-201710-520 // NVD: CVE-2017-10606

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2017-10606
value:	MEDIUM
Trust: 1.0
sirt@juniper.net:	CVE-2017-10606
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2017-10606
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2017-32096
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201710-520
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-100945
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2017-10606
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2017-32096
severity:	MEDIUM
baseScore:	4.9
vectorString:	AV:L/AC:L/AU:N/C:C/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-100945
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2017-10606
baseSeverity:	MEDIUM
baseScore:	4.4
vectorString:	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	0.8
impactScore:	3.6
version:	3.0
Trust: 2.8

sources: CNVD: CNVD-2017-32096 // VULHUB: VHN-100945 // JVNDB: JVNDB-2017-009378 // CNNVD: CNNVD-201710-520 // NVD: CVE-2017-10606 // NVD: CVE-2017-10606

PROBLEMTYPE DATA

problemtype:	NVD-CWE-noinfo	Trust: 1.0
problemtype:	CWE-310	Trust: 0.9

sources: VULHUB: VHN-100945 // JVNDB: JVNDB-2017-009378 // NVD: CVE-2017-10606

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201710-520

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201710-520

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-009378

PATCH

title:	JSA10809	url:	https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10809&actp=METADATA	Trust: 0.8
title:	Juniper SRX300SeriesTrustedPlatformModule Firmware Information Disclosure Vulnerability Patch	url:	https://www.cnvd.org.cn/patchInfo/show/104491	Trust: 0.6
title:	Juniper SRX300 Series Trusted Platform Module Fixes for firmware security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=75556	Trust: 0.6

sources: CNVD: CNVD-2017-32096 // JVNDB: JVNDB-2017-009378 // CNNVD: CNNVD-201710-520

EXTERNAL IDS

db:	NVD	id:	CVE-2017-10606	Trust: 3.1
db:	JUNIPER	id:	JSA10809	Trust: 2.3
db:	JVNDB	id:	JVNDB-2017-009378	Trust: 0.8
db:	CNNVD	id:	CNNVD-201710-520	Trust: 0.7
db:	CNVD	id:	CNVD-2017-32096	Trust: 0.6
db:	VULHUB	id:	VHN-100945	Trust: 0.1

sources: CNVD: CNVD-2017-32096 // VULHUB: VHN-100945 // JVNDB: JVNDB-2017-009378 // CNNVD: CNNVD-201710-520 // NVD: CVE-2017-10606

REFERENCES

url:	https://kb.juniper.net/jsa10809	Trust: 2.3
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-10606	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2017-10606	Trust: 0.8

sources: CNVD: CNVD-2017-32096 // VULHUB: VHN-100945 // JVNDB: JVNDB-2017-009378 // CNNVD: CNNVD-201710-520 // NVD: CVE-2017-10606

SOURCES

db:	CNVD	id:	CNVD-2017-32096
db:	VULHUB	id:	VHN-100945
db:	JVNDB	id:	JVNDB-2017-009378
db:	CNNVD	id:	CNNVD-201710-520
db:	NVD	id:	CVE-2017-10606

LAST UPDATE DATE

2024-08-14T15:34:34.311000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2017-32096	date:	2017-10-31T00:00:00
db:	VULHUB	id:	VHN-100945	date:	2019-10-09T00:00:00
db:	JVNDB	id:	JVNDB-2017-009378	date:	2017-11-09T00:00:00
db:	CNNVD	id:	CNNVD-201710-520	date:	2019-10-17T00:00:00
db:	NVD	id:	CVE-2017-10606	date:	2019-10-09T23:21:39.167

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2017-32096	date:	2017-10-31T00:00:00
db:	VULHUB	id:	VHN-100945	date:	2017-10-13T00:00:00
db:	JVNDB	id:	JVNDB-2017-009378	date:	2017-11-09T00:00:00
db:	CNNVD	id:	CNNVD-201710-520	date:	2017-10-18T00:00:00
db:	NVD	id:	CVE-2017-10606	date:	2017-10-13T17:29:00.457