Minor security vulnerability in Software Packages system

  [JSA10298]

Legacy Advisory Id:
Product Affected:
All versions of JUNOS Internet software released prior to January 9, 2002.
A security-related vulnerability was recently discovered in the Software Packages system included in the JUNOS software. This vulnerability, described in detail in the FreeBSD Security Advisory FreeBSD-SA-02:01.pkg_add and in PR/20778, could permit a user who was already logged in to a Juniper Networks router to interfere with the installation of JUNOS software updates, possibly compromising the newly installed software.
The Software Packages system was updated to deny access by other users to the temporary directory used for package installation.
The fix is included in all versions of JUNOS software released on or after January 10, 2002. Releases 5.0R4, 5.1R3, and 5.2R1 all contain the fix.
Related Links:
Severity Level:
Severity Assessment:
There is minimal risk associated with this vulnerability. To exploit the vulnerability, a user would need to be logged in while a software package installation was being performed, locate the temporary installation directory, examine its contents, identify world-writeable components of the software package being installed, and overwrite selected components prior to completion of the software package installation.

This vulnerability cannot be exploited remotely.
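The fix described above, denying other users access to the temporary installation directory, can be illustrated with a short C sketch. This is an added example, not code from JUNOS or FreeBSD pkg_add; the function names and the `/tmp/instmp.XXXXXX` template are assumptions made for illustration. It creates a staging directory that only its owner can enter, verifies that property, and counts world-writable components inside it.

```c
/* Added example; function names are hypothetical, not JUNOS or FreeBSD code. */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkdtemp() creates the directory with mode 0700 and fails if the name
   already exists, so another local user cannot pre-create or enter it. */
int make_staging_dir(char *tmpl) {
    return mkdtemp(tmpl) != NULL ? 0 : -1;
}

/* 1 if path is a real directory (not a symlink), owned by the caller,
   with no group or other permission bits set; 0 otherwise. */
int staging_is_private(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
    if (st.st_uid != geteuid()) return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Recursively count entries under root that carry the world-write bit,
   i.e. what another user could overwrite if root were reachable. */
int count_world_writable(const char *root) {
    DIR *d = opendir(root);
    struct dirent *e;
    int n = 0, sub;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL) {
        char p[4096];
        struct stat st;
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(p, sizeof p, "%s/%s", root, e->d_name);
        if (lstat(p, &st) != 0 || S_ISLNK(st.st_mode)) continue;
        if (st.st_mode & S_IWOTH) n++;
        if (S_ISDIR(st.st_mode) && (sub = count_world_writable(p)) > 0) n += sub;
    }
    closedir(d);
    return n;
}

int main(void) {
    char dir[] = "/tmp/instmp.XXXXXX"; /* constructed template name */
    if (make_staging_dir(dir) != 0) { perror("mkdtemp"); return 1; }
    printf("%s private=%d\n", dir, staging_is_private(dir));
    return rmdir(dir) != 0;
}
```

An installer can refuse to proceed when `staging_is_private()` returns 0. A nonzero `count_world_writable()` result is only reachable by other users when that check has failed.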