Sign-up

ID

VAR-202005-0617


CVE

CVE-2020-1631


TITLE

Juniper Networks Junos OS Past Traversal Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2020-005081

DESCRIPTION

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission file or obtain J-Web session tokens. In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/ AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) If J-Web is enabled, the attacker could gain the same level of access of anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes: user@device> show system processes | match http 5260 - S 0:00.13 /usr/sbin/httpd-gk -N 5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf To summarize: If HTTP/HTTPS services are disabled, there is no impact from this vulnerability. If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions. Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have injected or files being accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command: user@device> show log httpd.log | match "=*;*&|=*%3b*&" If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following command: user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&" user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&" Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked. This issue affects Juniper Networks Junos OS 12.3 versions prior to 12.3R12-S16; 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105; 14.1X53 versions prior to 14.1X53-D54; 15.1 versions prior to 15.1R7-S7; 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3-S2; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S4; 18.3 versions prior to 18.3R2-S4, 18.3R3-S2; 18.4 versions prior to 18.4R1-S7, 18.4R3-S2 ; 18.4 version 18.4R2 and later versions; 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions; 19.2 versions prior to 19.2R2; 19.3 versions prior to 19.3R2-S3, 19.3R3; 19.4 versions prior to 19.4R1-S2, 19.4R2; 20.1 versions prior to 20.1R1-S1, 20.1R2. Juniper Networks Junos OS Exists in a past traversal vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. Juniper Networks Junos OS is a set of network operating system of Juniper Networks (Juniper Networks) dedicated to the company's hardware equipment. The operating system provides a secure programming interface and Junos SDK. The following products and versions are affected: Junos OS Release 12.3, Release 12.3X48, Release 14.1X53, Release 15.1, Release 15.1X49, Release 17.2, Release 17.3, Release 17.4, Release 18.1, Release 18.2, Release 18.3, Release 18.4, Release 19.1 , Version 19.2, Version 19.3, Version 19.4, Version 20.1

Trust: 1.8

sources: NVD: CVE-2020-1631 // JVNDB: JVNDB-2020-005081 // VULHUB: VHN-169375 // VULMON: CVE-2020-1631

AFFECTED PRODUCTS

vendor:junipermodel:junosscope:eqversion:17.3

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:18.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.4

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:19.3

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:15.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:18.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:14.1x53

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:12.3x48

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:19.4

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:15.1x49

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:19.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:20.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:16.1

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:12.3

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:18.4

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:19.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:17.2

Trust: 1.0

vendor:junipermodel:junosscope:eqversion:18.3

Trust: 1.0

vendor:junipermodel:junos osscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-005081 // NVD: CVE-2020-1631

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-1631
value: CRITICAL

Trust: 1.0

sirt@juniper.net: CVE-2020-1631
value: HIGH

Trust: 1.0

NVD: JVNDB-2020-005081
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202004-2291
value: CRITICAL

Trust: 0.6

VULHUB: VHN-169375
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-1631
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-1631
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-005081
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-169375
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-1631
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

sirt@juniper.net: CVE-2020-1631
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: JVNDB-2020-005081
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-169375 // VULMON: CVE-2020-1631 // JVNDB: JVNDB-2020-005081 // CNNVD: CNNVD-202004-2291 // NVD: CVE-2020-1631 // NVD: CVE-2020-1631

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

problemtype:CWE-73

Trust: 1.0

sources: VULHUB: VHN-169375 // JVNDB: JVNDB-2020-005081 // NVD: CVE-2020-1631

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202004-2291

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202004-2291

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2020-005081

PATCH
title:JSA11021url:https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021&actp=METADATA
Trust: 0.8
title:Juniper Networks Junos OS Repair measures for path traversal vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=118092
Trust: 0.6
title: - url:https://github.com/Live-Hack-CVE/CVE-2020-1631 
Trust: 0.1
sources:
            
            
            VULMON: CVE-2020-1631 // 
            
            
            
            JVNDB: JVNDB-2020-005081 // 
            
            
            
            CNNVD: CNNVD-202004-2291

EXTERNAL IDS
db:NVDid:CVE-2020-1631
Trust: 2.6
db:JUNIPERid:JSA11021
Trust: 1.8
db:JVNDBid:JVNDB-2020-005081
Trust: 0.8
db:CNNVDid:CNNVD-202004-2291
Trust: 0.7
db:NSFOCUSid:46579
Trust: 0.6
db:AUSCERTid:ESB-2020.1456
Trust: 0.6
db:SEEBUGid:SSVID-98221
Trust: 0.1
db:CNVDid:CNVD-2020-27195
Trust: 0.1
db:VULHUBid:VHN-169375
Trust: 0.1
db:VULMONid:CVE-2020-1631
Trust: 0.1
sources:
            
            
            VULHUB: VHN-169375 // 
            
            
            
            VULMON: CVE-2020-1631 // 
            
            
            
            JVNDB: JVNDB-2020-005081 // 
            
            
            
            CNNVD: CNNVD-202004-2291 // 
            
            
            
            NVD: CVE-2020-1631

REFERENCES
url:https://kb.juniper.net/jsa11021
Trust: 1.8
url:https://nvd.nist.gov/vuln/detail/cve-2020-1631
Trust: 1.4
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1631
Trust: 0.8
url:https://www.auscert.org.au/bulletins/esb-2020.1456/
Trust: 0.6
url:http://www.nsfocus.net/vulndb/46579
Trust: 0.6
url:https://vigilance.fr/vulnerability/juniper-junos-j-web-directory-traversal-32111
Trust: 0.6
url:https://cwe.mitre.org/data/definitions/22.html
Trust: 0.1
url:https://github.com/live-hack-cve/cve-2020-1631
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
sources:
            
            
            VULHUB: VHN-169375 // 
            
            
            
            VULMON: CVE-2020-1631 // 
            
            
            
            JVNDB: JVNDB-2020-005081 // 
            
            
            
            CNNVD: CNNVD-202004-2291 // 
            
            
            
            NVD: CVE-2020-1631

SOURCES
db:VULHUBid:VHN-169375
db:VULMONid:CVE-2020-1631
db:JVNDBid:JVNDB-2020-005081
db:CNNVDid:CNNVD-202004-2291
db:NVDid:CVE-2020-1631

LAST UPDATE DATE
2024-08-14T15:22:41.736000+00:00

SOURCES UPDATE DATE
db:VULHUBid:VHN-169375date:2023-01-11T00:00:00
db:VULMONid:CVE-2020-1631date:2023-01-11T00:00:00
db:JVNDBid:JVNDB-2020-005081date:2020-06-05T00:00:00
db:CNNVDid:CNNVD-202004-2291date:2020-05-09T00:00:00
db:NVDid:CVE-2020-1631date:2023-01-11T17:19:03.343

SOURCES RELEASE DATE
db:VULHUBid:VHN-169375date:2020-05-04T00:00:00
db:VULMONid:CVE-2020-1631date:2020-05-04T00:00:00
db:JVNDBid:JVNDB-2020-005081date:2020-06-05T00:00:00
db:CNNVDid:CNNVD-202004-2291date:2020-04-28T00:00:00
db:NVDid:CVE-2020-1631date:2020-05-04T10:15:10.890