2013-08 Security Bulletin: Security Threat Response Manager: Command injection vulnerability (CVE-2013-2970)

[JSA10583]


Product Affected:
STRM series devices and virtual machines with STRM software releases 2010.0, 2012.0, 2012.1 and 2013.1.
Problem:
Security Threat Response Manager (STRM) software contains a command injection vulnerability that allows an authenticated user to execute operating system commands as a limited-access webservices user on the STRM device. This access could be used to gain remote shell access as that webservices user. Even though authenticated users of the STRM device do not necessarily have shell access, action should be taken to patch this issue as soon as possible.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2013-2970.
Solution:
This issue is fixed in STRM 2013.2.R2 and later releases.

A patch is available for STRM software releases 2010.0, 2012.0, 2012.1 and 2013.1 from STRM download site http://www.juniper.net/support/downloads/group/?f=strm as Vulnerability CVE-2013-2970 patch script.
Workaround:
There are no viable workarounds that can mitigate this vulnerability.
Implementation:
Related Links:
CVSS Score:
6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Risk Level:
High
Risk Assessment:
A network-based (AV:N) authenticated user (Au:S) can easily (AC:L) execute shell commands, which has a partial impact on the system's confidentiality (C:P), integrity (I:P) and availability (A:P).
Acknowledgements: