2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Linux Network Connect client local user privilege escalation issue (CVE-2014-2292)

Categories:
Security Advisories ID: JSA10616
Last Updated: 12 Mar 2014
Version: 1.0

Product Affected:
This issue can affect all of the following: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS 7.1, 7.3, 7.4, and 8.0.

Problem:
A privilege escalation issue has been found and corrected in the Linux Network Connect client. This issue could allow a non-root user to escalate their access to root privileges on a Network Connect end-user client system.

Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.

No other Juniper Networks products or platforms are affected by this issue.

This issue has been assigned CVE-2014-2292.

Solution:
The issue is fixed in SA/MAG (IVE OS) releases: 8.0r2, 7.4r8, 7.3r10, and 7.1r17, and all subsequent releases.

KB16765 - "In which releases are vulnerabilities fixed?" describes the releases in which vulnerabilities are fixed, in accordance with our End of Engineering and End of Life support policies.

Workaround:
There is no workaround for this issue. You must upgrade to a fixed version of the software.

CVSS Score:
6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)

Risk Level:
Medium

Acknowledgements:
 Juniper Networks would like to thank two reporters for independently discovering this issue and bringing it to our attention: Jörg Scheinert from Verizon GCIS Vulnerability Management for the discovery and Thierry Zoller for analysis and coordination, and also Joep Vesseur.

 

 

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.