ID

VAR-202010-0724


CVE

CVE-2020-1688


TITLE

Vulnerability regarding lack of encryption of critical data in Juniper Networks Junos OS

Trust: 0.8

sources: JVNDB: JVNDB-2020-012138

DESCRIPTION

On Juniper Networks SRX Series and NFX Series, a local authenticated user with access to the shell may obtain the Web API service private key that is used to provide encrypted communication between the Juniper device and the authenticator services. Exploitation of this vulnerability may allow an attacker to decrypt the communications between the Juniper device and the authenticator service. This Web API service is used for authentication services such as the Juniper Identity Management Service, used to obtain user identity for the Integrated User Firewall feature, or the integrated ClearPass authentication and enforcement feature. This issue affects Juniper Networks Junos OS on SRX Series and NFX Series: 12.3X48 versions prior to 12.3X48-D105; 15.1X49 versions prior to 15.1X49-D190; 16.1 versions prior to 16.1R7-S8; 17.2 versions prior to 17.2R3-S4; 17.3 versions prior to 17.3R3-S8; 17.4 versions prior to 17.4R2-S11, 17.4R3; 18.1 versions prior to 18.1R3-S7; 18.2 versions prior to 18.2R3; 18.3 versions prior to 18.3R2-S4, 18.3R3; 18.4 versions prior to 18.4R1-S7, 18.4R2; 19.1 versions prior to 19.1R2; 19.2 versions prior to 19.2R1-S4, 19.2R2. Juniper Networks Junos OS contains a vulnerability involving lack of encryption of critical data. Information may be obtained. Junos OS on SRX/NFX has a security flaw in its handling of Web API private keys. Remote attackers can use this flaw to submit special requests and escalate privileges.

Trust: 2.25

sources: NVD: CVE-2020-1688 // JVNDB: JVNDB-2020-012138 // CNVD: CNVD-2020-63945 // VULMON: CVE-2020-1688

IOT TAXONOMY

category: ['Network device'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-63945

AFFECTED PRODUCTS

vendor: juniper // model: junos // scope: eq // version: 15.1x49

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 19.2

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 17.2

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 18.2

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 18.3

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 18.4

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 12.3x48

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 17.3

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 19.1

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 17.4

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 18.1

Trust: 1.0

vendor: juniper // model: junos // scope: eq // version: 16.1

Trust: 1.0

vendor: Juniper Networks // model: junos os // scope: eq // version: -

Trust: 0.8

vendor: Juniper Networks // model: junos os // scope: - // version: -

Trust: 0.8

vendor: juniper // model: junos os srx/nfx // scope: - // version: -

Trust: 0.6

sources: CNVD: CNVD-2020-63945 // JVNDB: JVNDB-2020-012138 // NVD: CVE-2020-1688

CVSS

SEVERITY

nvd@nist.gov: CVE-2020-1688
value: LOW

Trust: 1.0

sirt@juniper.net: CVE-2020-1688
value: MEDIUM

Trust: 1.0

NVD: CVE-2020-1688
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-63945
value: LOW

Trust: 0.6

CNNVD: CNNVD-202010-692
value: MEDIUM

Trust: 0.6

VULMON: CVE-2020-1688
value: LOW

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2020-1688
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2020-63945
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

sirt@juniper.net: CVE-2020-1688
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.0
impactScore: 4.0
version: 3.1

Trust: 1.0

OTHER: JVNDB-2020-012138
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-63945 // VULMON: CVE-2020-1688 // JVNDB: JVNDB-2020-012138 // CNNVD: CNNVD-202010-692 // NVD: CVE-2020-1688 // NVD: CVE-2020-1688

PROBLEMTYPE DATA

problemtype:CWE-359

Trust: 1.0

problemtype:CWE-522

Trust: 1.0

problemtype:CWE-320

Trust: 1.0

problemtype:NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of encryption of critical data (CWE-311) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-012138 // NVD: CVE-2020-1688

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-202010-692

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202010-692

PATCH

title: JSA11085 // url: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/services-webapi-user-cli.html

Trust: 0.8

title: Patch for Junos OS SRX/NFX Elevation of Privilege Vulnerability // url: https://www.cnvd.org.cn/patchInfo/show/239890

Trust: 0.6

title: Juniper Networks Junos OS SRX/NFX Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=130760

Trust: 0.6

sources: CNVD: CNVD-2020-63945 // JVNDB: JVNDB-2020-012138 // CNNVD: CNNVD-202010-692

EXTERNAL IDS

db: NVD // id: CVE-2020-1688

Trust: 3.1

db: JUNIPER // id: JSA11085

Trust: 1.7

db: JVNDB // id: JVNDB-2020-012138

Trust: 0.8

db: CNVD // id: CNVD-2020-63945

Trust: 0.6

db: CNNVD // id: CNNVD-202010-692

Trust: 0.6

db: VULMON // id: CVE-2020-1688

Trust: 0.1

sources: CNVD: CNVD-2020-63945 // VULMON: CVE-2020-1688 // JVNDB: JVNDB-2020-012138 // CNNVD: CNNVD-202010-692 // NVD: CVE-2020-1688

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2020-1688

Trust: 2.0

url:https://kb.juniper.net/infocenter/index?page=content&id=kb30911

Trust: 1.7

url:https://www.juniper.net/documentation/en_us/junos/topics/topic-map/security-user-auth-intergrated-user-firewall-overview.html

Trust: 1.7

url:https://kb.juniper.net/jsa11085

Trust: 1.7

url:https://www.juniper.net/documentation/en_us/junos/topics/reference/configuration-statement/services-webapi-user-cli.html

Trust: 1.7

url:https://www.juniper.net/documentation/en_us/junos/topics/topic-map/security-user-auth-configure-jims.html

Trust: 1.7

url:https://vigilance.fr/vulnerability/junos-os-srx-nfx-privilege-escalation-via-web-api-private-key-33602

Trust: 0.6

url:https://vigilance.fr/vulnerability/junos-os-srx-nfx-privilege-escalation-via-web-api-private-key-33726

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/311.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2020-63945 // VULMON: CVE-2020-1688 // JVNDB: JVNDB-2020-012138 // CNNVD: CNNVD-202010-692 // NVD: CVE-2020-1688

SOURCES

db: CNVD // id: CNVD-2020-63945
db: VULMON // id: CVE-2020-1688
db: JVNDB // id: JVNDB-2020-012138
db: CNNVD // id: CNNVD-202010-692
db: NVD // id: CVE-2020-1688

LAST UPDATE DATE

2024-11-23T22:58:08.138000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2020-63945 // date: 2020-11-17T00:00:00
db: VULMON // id: CVE-2020-1688 // date: 2021-02-05T00:00:00
db: JVNDB // id: JVNDB-2020-012138 // date: 2021-04-26T07:28:00
db: CNNVD // id: CNNVD-202010-692 // date: 2022-01-04T00:00:00
db: NVD // id: CVE-2020-1688 // date: 2024-11-21T05:11:10.130

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2020-63945 // date: 2020-11-15T00:00:00
db: VULMON // id: CVE-2020-1688 // date: 2020-10-16T00:00:00
db: JVNDB // id: JVNDB-2020-012138 // date: 2021-04-26T00:00:00
db: CNNVD // id: CNNVD-202010-692 // date: 2020-10-15T00:00:00
db: NVD // id: CVE-2020-1688 // date: 2020-10-16T21:15:14.410