2017-10 Security Bulletin: Junos Space: Authentication bypass vulnerability (CVE-2017-10622)

[JSA10824]


Product Affected:
This issue affects Juniper Networks Junos Space 17.1R1 without Patch-v1 and 16.1 releases prior to 16.1R3.
Problem:

An authentication bypass vulnerability in Juniper Networks Junos Space Network Management Platform may allow a remote, unauthenticated, network-based attacker to log in as any privileged user.

This issue only affects Junos Space Network Management Platform 17.1R1 without Patch v1 and 16.1 releases prior to 16.1R3.

This issue was found by an external security researcher.

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue has been assigned CVE-2017-10622.

Solution:

16.1 Releases: This issue is resolved by 16.1R3.

17.1 Releases: This issue is resolved by Junos Space Platform 17.1R1 Patch v1.

These are available for download from https://www.juniper.net/support/downloads/space.html

Junos Space 17.2R1 (pending release), and all subsequent releases contain the fix.

This issue is being tracked as PR 1307262 and is visible on the Customer Support website.
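
The affected and fixed ranges stated above can be checked against a fleet inventory. The following is an added example, not Juniper code: the inventory format, the hostnames, the `patch-v1` marker and the optional trailing build suffix on a release string are assumptions.

```python
import re

# Release strings in the advisory's style ("16.1R2"); a trailing ".N" build suffix is an assumption.
_RELEASE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?$")

def parse_release(text):
    """Return (major, minor, r_number), or None if the string is not in that form."""
    m = _RELEASE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(release, patch_v1=False):
    """Classify one install against the ranges stated in JSA10824."""
    ver = parse_release(release)
    if ver is None:
        return "unknown"              # never guess; route to manual review
    if ver[:2] == (16, 1):
        return "affected" if ver[2] < 3 else "fixed"   # resolved by 16.1R3
    if ver == (17, 1, 1):
        return "fixed" if patch_v1 else "affected"     # resolved by Patch v1
    if ver[:2] >= (17, 2):
        return "fixed"                # 17.2R1 and all subsequent releases
    return "not-listed"               # outside the ranges the advisory names

def triage(inventory_text):
    """Map hostname -> status for lines of 'hostname release [patch-v1]'."""
    result = {}
    for line in inventory_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        release = fields[1] if len(fields) > 1 else ""
        result[fields[0]] = classify(release, "patch-v1" in fields[2:])
    return result

# Constructed sample inventory (hypothetical hostnames and file format).
SAMPLE = """\
space-lab-01 16.1R2
space-lab-02 16.1R3
space-prod-01 17.1R1
space-prod-02 17.1R1 patch-v1
space-dr-01 17.2R1
space-old-01 unknown-build
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:14} {status}")
```

Hosts reported as `unknown` or `not-listed` need a manual check of the installed release rather than being treated as safe.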

Workaround:

There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device to trusted administrative networks or hosts.

Implementation:
Junos Space software, updates and patches are available for download from https://www.juniper.net/support/downloads/space.html
Modification History:
2017-10-11: Initial Publication.
CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank Ilias Polychroniadis of NeuroSoft S.A. (Redyops Team).