Minor security vulnerability in Software Packages system

  [JSA10298]


Legacy Advisory Id:
FA-SW-0203-009
Product Affected:
All versions of JUNOS Internet software released prior to January 9, 2002.
Problem:
A security-related vulnerability was recently discovered in the Software Packages system included in the JUNOS software. This vulnerability, described in detail in the FreeBSD Security Advisory FreeBSD-SA-02:01.pkg_add and in PR/20778, could permit a user who was already logged in to a Juniper Networks router to interfere with the installation of JUNOS software updates, possibly compromising the newly installed software.
Solution:
The Software Packages system was updated to deny access by other users to the temporary directory used for package installation.
Implementation:
The fix is included in all versions of JUNOS software released on or after January 10, 2002. Releases 5.0R4, 5.1R3, and 5.2R1 all contain the fix.
Severity Level:
Low
Severity Assessment:
There is minimal risk associated with this vulnerability. To exploit the vulnerability, a user would need to be logged in while a software package installation was being performed, locate the temporary installation directory, examine its contents, identify world-writeable components of the software package being installed, and overwrite selected components prior to completion of the software package installation.

This vulnerability cannot be exploited remotely.
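
The fix described under Solution, shown as an added example that is not code from JUNOS or FreeBSD: an installer creates its staging directory so that only its owner can enter it, and verifies that before unpacking anything. The function names, the /tmp/pkgstage path and the 0755 "open" mode are assumptions made for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* expose mkdtemp() and lstat() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the staging directory from a "...XXXXXX" template; 0 on success. */
int make_private_staging(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL)        /* mkdtemp() creates it with mode 0700 */
        return -1;
    return chmod(tmpl, S_IRWXU);      /* set the mode explicitly as well */
}

/* 1 if path is a real directory, owned by us, with no group/other access. */
int staging_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;                     /* missing, or a symlink/file in its place */
    if (st.st_uid != geteuid())
        return 0;                     /* created by someone else */
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* 1 if the 0700 directory passes and the same directory at 0755 is rejected. */
int demo(void)
{
    char dir[] = "/tmp/pkgstage.XXXXXX";   /* constructed path */
    if (make_private_staging(dir) != 0)
        return 0;
    int private_ok = staging_is_private(dir);
    chmod(dir, 0755);                 /* constructed "open" state, not from the advisory */
    int open_rejected = !staging_is_private(dir);
    rmdir(dir);
    return private_ok && open_rejected;
}

int main(void)
{
    printf("check %s\n", demo() ? "passed" : "failed");
    return 0;
}
```

With the directory closed to other users, world-writeable files inside the package can no longer be reached by them during installation, because path lookup stops at the directory.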