2018-01 Security Bulletin: Junos: Unauthenticated Remote Code Execution through J-Web interface (CVE-2018-0001)

  [JSA10828]


Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1, 14.1X53, 14.2, 15.1, 15.1X49, 15.1X53.
Problem:
A remote, unauthenticated attacker may be able to execute code by exploiting a use-after-free defect found in older versions of PHP through injection of crafted data via specific PHP URLs within the context of the J-Web process.

Affected releases are Juniper Networks Junos OS:
  • 12.1X46 versions prior to 12.1X46-D67;
  • 12.3 versions prior to 12.3R12-S5;
  • 12.3X48 versions prior to 12.3X48-D35;
  • 14.1 versions prior to 14.1R8-S5, 14.1R9;
  • 14.1X53 versions prior to 14.1X53-D44, 14.1X53-D50;
  • 14.2 versions prior to 14.2R7-S7, 14.2R8;
  • 15.1 versions prior to 15.1R3;
  • 15.1X49 versions prior to 15.1X49-D30;
  • 15.1X53 versions prior to 15.1X53-D70.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

This issue has been assigned CVE-2018-0001.
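
The affected-release list above can be turned into an inventory triage check. The following is an added example, not Juniper code; the names `FIRST_FIXED`, `parse` and `status` are hypothetical. It assumes release numbers order linearly within a train, so only the lowest fixed release listed per train is compared, and it handles only the `R[-S]` and `X..-D` version forms; anything else (for example 15.1F releases) is reported as unparsed for manual review.

```python
import re

# First fixed release per affected train, copied from the bulletin's list.
# R trains: (R number, S number); X trains: (D number,).
FIRST_FIXED = {
    "12.1X46": (67,),
    "12.3": (12, 5),
    "12.3X48": (35,),
    "14.1": (8, 5),
    "14.1X53": (44,),
    "14.2": (7, 7),
    "15.1": (3, 0),
    "15.1X49": (30,),
    "15.1X53": (70,),
}

_VERSION = re.compile(
    r"^(\d+\.\d+)(?:X(\d+)-D(\d+)|R(\d+)(?:-S(\d+))?)(?:\.\d+)?$"
)

def parse(version):
    """Return (train, level), or None for forms this sketch does not handle."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    base, xnum, dnum, rnum, snum = m.groups()
    if xnum is not None:
        return f"{base}X{xnum}", (int(dnum),)
    return base, (int(rnum), int(snum or 0))

def status(version):
    """Return 'affected', 'not affected', 'not listed' or 'unparsed'."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"
    train, level = parsed
    if train not in FIRST_FIXED:
        return "not listed"
    return "affected" if level < FIRST_FIXED[train] else "not affected"

if __name__ == "__main__":
    # Constructed inventory values, not taken from the bulletin.
    for v in ["12.1X46-D66.2", "12.3R12-S5", "14.1R8-S4", "15.1F6-S8", "17.3R1"]:
        print(f"{v:16} {status(v)}")
```

A result of "not listed" means only that the train is absent from the affected list; releases beyond EOE or EOL are not evaluated in the bulletin.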
 
Solution:

The following software releases have been updated to resolve this specific issue: 12.1X46-D67, 12.3R12-S8*, 12.3X48-D55, 14.1R8-S5, 14.1R9, 14.1X53-D44, 14.1X53-D50, 14.2R7-S7, 14.2R8, 15.1F5-S8, 15.1F6-S8, 15.1R5-S6, 15.1R7, 15.1X49-D100, 15.1X53-D70, 16.1R4-S6, 16.1R5, 16.2R2-S2, 16.2R3, 17.1R2-S5*, 17.1R3*, 17.2R2, 17.3R1, and all subsequent releases.
*Pending release

Note: While Junos OS 12.3R12-S5, 12.3X48-D35, 15.1F2+, 15.1R3, 15.1X49-D30, and all subsequent releases are not vulnerable, this issue has been proactively resolved.

This issue is being tracked as PR 1269932 which is visible on the Customer Support website.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
 

Workaround:
Disable J-Web, or limit access to only trusted hosts.
 
Implementation:
Software releases, patches and updates are available at https://www.juniper.net/support/downloads/.
 
Modification History:
2018-01-10: Initial publication

CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Risk Level:
Critical
Risk Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank Cure53 for responsibly reporting this vulnerability.