Juniper Security Advisory: Junos MGD-CLI Inter-Process Communications May Allow Dangerous Commands

Article ID: JSA10494 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 2.0
Legacy Advisory Id:
PSN-2011-11-418
Product Affected:
This issue affects all devices running Junos.
Problem:

The management daemon (MGD) serves a central role in the user-interface component of JUNOS: it is the focal point for communication between external entities and internal processes and devices, managing set-up of the device when it is in configuration mode, and collecting and reporting status-related information when the device is in operational mode.

A flaw in the logical model governing inter-process communications between MGD and the command-line interpreter (CLI) process in JUNOS could allow arbitrary commands to be executed by the CLI which could completely compromise the security posture of the device. Local access to an authenticated, non-superuser account on the device is necessary to exploit the vulnerability. The issue can be mitigated completely by disabling "op-script" functionality as shown below. Communication and parsing of messages between the two processes has been improved in fixed versions of JUNOS to recognize potentially-damaging sequences of instructions and escape them, effectively "sandboxing" the dangerous instructions until their execution has been completed.

This is a "Day One" issue in the current JUNOS user-interface software, present in the first release of the current UI model, and thus it is present in all extant releases of Junos prior to the fixed releases listed in this document. This issue was discovered entirely internally by the UI development team within Juniper Networks. The Juniper Networks Security Incident Response Team is not aware of any external knowledge or exploitation of this vulnerability.

Note: This advisory was updated 2011-12-21 to clarify that local, authenticated access was required for exploitation, and to add the workaround by disabling op-scripts.
Solution:

All Junos software releases built on or after 2011-03-21 have been fixed for this specific issue. Releases containing the fix specifically include 9.3S20, 10.0S13, 10.2R4, 10.3R4, 10.4R3, 11.1R1, 11.2R1, and all subsequent releases.

This issue is being tracked as PR 579645. Although this PR may not be viewable by customers, it can be used as a reference when discussing the issue with JTAC.

KB16765 - "In which releases are vulnerabilities fixed?" describes in which releases vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.

Workaround:


Disable "op-script" functionality by configuring [system scripts op no-allow-url].
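
The fixed-release list under Solution and the workaround above can be combined into a fleet check. The following is an added example, not Juniper code: it assumes release strings shaped like `10.4R2.6`, configurations exported in set format, and hypothetical function names and inventory rows. Anything the advisory's list cannot decide is reported for manual review rather than guessed.

```python
import re
from datetime import date

FIX_BUILD_DATE = date(2011, 3, 21)  # builds on or after this date carry the fix
# First fixed release per branch, exactly as listed in the advisory.
FIRST_FIXED = {(9, 3): ("S", 20), (10, 0): ("S", 13), (10, 2): ("R", 4),
               (10, 3): ("R", 4), (10, 4): ("R", 3), (11, 1): ("R", 1),
               (11, 2): ("R", 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])(\d+)")  # assumed layout, e.g. 10.4R2.6
WORKAROUND = "set system scripts op no-allow-url"  # set-format form of the workaround

def fix_status(version, build_date=None):
    """Return 'fixed', 'vulnerable' or 'unknown'; R and S numbers are never compared across trains."""
    if build_date is not None and build_date >= FIX_BUILD_DATE:
        return "fixed"
    m = VERSION_RE.match(version.strip())
    if m:
        branch = (int(m.group(1)), int(m.group(2)))
        train, number = m.group(3), int(m.group(4))
        if branch > max(FIRST_FIXED):
            return "fixed"  # "all subsequent releases"
        first = FIRST_FIXED.get(branch)
        if first and first[0] == train:
            return "fixed" if number >= first[1] else "vulnerable"
    # Day One issue: a build that predates the fix date is treated as unfixed.
    return "vulnerable" if build_date is not None else "unknown"

def workaround_present(set_config):
    """True if the set-format configuration contains the advisory's workaround."""
    lines = (" ".join(line.split()) for line in set_config.splitlines())
    return WORKAROUND in lines

def audit(device):
    """Return 'ok', 'mitigated', 'exposed' or 'review' for one inventory row."""
    status = fix_status(device["version"], device.get("built"))
    if status == "fixed":
        return "ok"
    if workaround_present(device.get("config", "")):
        return "mitigated"
    return "exposed" if status == "vulnerable" else "review"

# Constructed inventory rows for illustration only.
INVENTORY = [
    {"name": "edge-1", "version": "10.4R2.6", "config": "set system host-name edge-1"},
    {"name": "edge-2", "version": "10.4R2.6", "config": WORKAROUND},
    {"name": "lab-1", "version": "10.1R3.7"},
]
for row in INVENTORY:
    print(row["name"], audit(row))
```

A `review` result means the release is in a branch or train the advisory does not list, so the build date has to be checked against 2011-03-21.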
Implementation:

How to obtain fixed software:

Security vulnerabilities in Junos are fixed in the next available Maintenance Release of each supported Junos version. In some cases, a Maintenance Release is not planned to be available in an appropriate time-frame. For these cases, Service Releases are made available in order to be more timely. Security Advisories and Security Notices will indicate which Maintenance and Service Releases contain fixes for the issues described. Upon request to JTAC, customers will be provided with instructions for downloading a Service Release. Although Juniper does not provide formal Release Note documentation for a Service Release, a list of "PRs fixed" can be provided upon request.
CVSS Score:
6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Severity Level:
Medium
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found in KB 16446, "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories".
