ID

VAR-201804-0668


CVE

CVE-2018-0021


TITLE

Juniper Networks Junos OS Vulnerabilities related to certificate and password management

Trust: 0.8

sources: JVNDB: JVNDB-2018-004216

DESCRIPTION

If all 64 digits of the connectivity association name (CKN) key or all 32 digits of the connectivity association key (CAK) key are not configured, all remaining digits will be auto-configured to 0. Hence, Juniper devices configured with short MacSec keys face an increased likelihood that an attacker will discover the secret passphrases configured for these keys through dictionary-based and brute-force-based attacks using spoofed packets.

Affected releases are Juniper Networks Junos OS: 14.1 versions prior to 14.1R10, 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D100; 15.1X53 versions prior to 15.1X53-D59; 16.1 versions prior to 16.1R3-S8, 16.1R4-S8, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2; 17.1 versions prior to 17.1R2.

Juniper Networks Junos OS contains vulnerabilities related to certificate and password management. Information may be obtained or altered, and service operation may be disrupted (DoS).

Juniper Networks Junos OS is a network operating system from Juniper Networks dedicated to the company's hardware equipment. The operating system provides a secure programming interface and the Junos SDK. There is a trust management vulnerability in Juniper Networks Junos OS, which originates from the lack of an effective trust management mechanism in network systems or products. Attackers can use default passwords or hard-coded passwords, hard-coded certificates, etc. to attack affected components. The following releases are affected: Juniper Junos OS Release 14.1, Release 14.1X53, Release 15.1, Release 15.1X49, Release 15.1X53, Release 16.1, Release 16.2, Release 17.1.

Trust: 1.8

sources: NVD: CVE-2018-0021 // JVNDB: JVNDB-2018-004216 // VULHUB: VHN-118223 // VULMON: CVE-2018-0021

AFFECTED PRODUCTS

vendor: juniper // model: junos // scope: eq // version: 16.1

Trust: 1.6

vendor: juniper // model: junos // scope: eq // version: 17.1

Trust: 1.6

vendor: juniper // model: junos // scope: eq // version: 16.2

Trust: 1.6

vendor: juniper // model: junos // scope: eq // version: 15.1

Trust: 1.6

vendor: juniper // model: junos // scope: eq // version: 15.1x49

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 15.1x53

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 14.1

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 14.1x53

Trust: 1.0

vendor: juniper // model: junos os // scope: - // version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-004216 // CNNVD: CNNVD-201804-514 // NVD: CVE-2018-0021

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0021
value: HIGH

Trust: 1.0

sirt@juniper.net: CVE-2018-0021
value: HIGH

Trust: 1.0

NVD: CVE-2018-0021
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201804-514
value: HIGH

Trust: 0.6

VULHUB: VHN-118223
value: LOW

Trust: 0.1

VULMON: CVE-2018-0021
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2018-0021
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-118223
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-0021
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sirt@juniper.net: CVE-2018-0021
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.1
impactScore: 6.0
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-118223 // VULMON: CVE-2018-0021 // JVNDB: JVNDB-2018-004216 // CNNVD: CNNVD-201804-514 // NVD: CVE-2018-0021 // NVD: CVE-2018-0021

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype:CWE-255

Trust: 0.9

sources: VULHUB: VHN-118223 // JVNDB: JVNDB-2018-004216 // NVD: CVE-2018-0021

THREAT TYPE

remote or local

Trust: 0.6

sources: CNNVD: CNNVD-201804-514

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201804-514

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-004216

PATCH

title: JSA10854 // url: https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10854&actp=METADATA

Trust: 0.8

title: Juniper Junos OS Repair measures for trust management vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=83280

Trust: 0.6

title: IBM: IBM Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities. // url: https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=51bacdf57eb54cced0dc85be45cc09b0

Trust: 0.1

sources: VULMON: CVE-2018-0021 // JVNDB: JVNDB-2018-004216 // CNNVD: CNNVD-201804-514

EXTERNAL IDS

db: NVD // id: CVE-2018-0021

Trust: 2.6

db: SECTRACK // id: 1040789

Trust: 1.8

db: JUNIPER // id: JSA10854

Trust: 1.8

db: JVNDB // id: JVNDB-2018-004216

Trust: 0.8

db: CNNVD // id: CNNVD-201804-514

Trust: 0.7

db: AUSCERT // id: ESB-2019.1121

Trust: 0.6

db: VULHUB // id: VHN-118223

Trust: 0.1

db: VULMON // id: CVE-2018-0021

Trust: 0.1

sources: VULHUB: VHN-118223 // VULMON: CVE-2018-0021 // JVNDB: JVNDB-2018-004216 // CNNVD: CNNVD-201804-514 // NVD: CVE-2018-0021

REFERENCES

url:https://kb.juniper.net/jsa10854

Trust: 1.8

url:http://www.securitytracker.com/id/1040789

Trust: 1.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0021

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0021

Trust: 0.8

url:http://www.ibm.com/support/docview.wss

Trust: 0.6

url:https://www.auscert.org.au/bulletins/78350

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10794165

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.ibm.com/blogs/psirt/ibm-security-bulletin-ibm-api-connect-is-impacted-by-multiple-open-source-software-vulnerabilities/

Trust: 0.1

sources: VULHUB: VHN-118223 // VULMON: CVE-2018-0021 // JVNDB: JVNDB-2018-004216 // CNNVD: CNNVD-201804-514 // NVD: CVE-2018-0021

SOURCES

db: VULHUB // id: VHN-118223
db: VULMON // id: CVE-2018-0021
db: JVNDB // id: JVNDB-2018-004216
db: CNNVD // id: CNNVD-201804-514
db: NVD // id: CVE-2018-0021

LAST UPDATE DATE

2024-11-23T21:20:20.073000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-118223 // date: 2019-10-09T00:00:00
db: VULMON // id: CVE-2018-0021 // date: 2019-10-09T00:00:00
db: JVNDB // id: JVNDB-2018-004216 // date: 2018-06-14T00:00:00
db: CNNVD // id: CNNVD-201804-514 // date: 2019-10-17T00:00:00
db: NVD // id: CVE-2018-0021 // date: 2024-11-21T03:37:22.590

SOURCES RELEASE DATE

db: VULHUB // id: VHN-118223 // date: 2018-04-11T00:00:00
db: VULMON // id: CVE-2018-0021 // date: 2018-04-11T00:00:00
db: JVNDB // id: JVNDB-2018-004216 // date: 2018-06-14T00:00:00
db: CNNVD // id: CNNVD-201804-514 // date: 2018-04-11T00:00:00
db: NVD // id: CVE-2018-0021 // date: 2018-04-11T19:29:00.587