This issue affects Junos OS 12.3X48, 15.1X49, 17.3, 17.4, 18.1, 18.2. Affected platforms: SRX Series.
A vulnerability in the SRX Series Service Gateway allows deleted dynamic VPN users to establish dynamic VPN connections until the device is rebooted. A deleted dynamic VPN user should be immediately disallowed from establishing new VPN connections. Due to an error in token caching, deleted users are allowed to connect once a previously successful dynamic VPN connection has been established. A reboot is required to clear the cached authentication token.
Affected releases are Junos OS on SRX Series:
- 12.3X48 versions prior to 12.3X48-D75;
- 15.1X49 versions prior to 15.1X49-D150;
- 17.3 versions prior to 17.3R3;
- 17.4 versions prior to 17.4R2;
- 18.1 versions prior to 18.1R3;
- 18.2 versions prior to 18.2R2.
Sample configuration:
user@host# show security dynamic-vpn
access-profile dyn-vpn-access-profile;
clients {
    grp {
        user {
            client1;
        }
    }
}
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
This issue was seen during production usage.
This issue has been assigned CVE-2019-0015.
The following software releases have been updated to resolve this specific issue: Junos OS 12.3X48-D75, 15.1X49-D150, 17.3R3, 17.4R2, 18.1R3, 18.2R2, 18.3R1, and all subsequent releases.
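As an added defensive check, not part of the advisory, the following Python helper maps a Junos version string onto the affected and fixed releases listed above. The `show version` sample and the `Junos:` line it parses are constructed for illustration.

```python
import re

# First fixed release per affected train, as listed in this advisory
# (CVE-2019-0015): key is the train, value is (release letter, number).
FIXED_RELEASES = {
    "12.3X48": ("D", 75),
    "15.1X49": ("D", 150),
    "17.3": ("R", 3),
    "17.4": ("R", 2),
    "18.1": ("R", 3),
    "18.2": ("R", 2),
}

# Junos version: train (12.3X48 or 17.3), then a service release (-D75) or a
# mainline release (R3), then optional build/patch suffixes (.2, -S2).
_VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+(?:X\d+)?)-?(?P<letter>[DR])(?P<num>\d+)(?:[.-].*)?$"
)


def parse_version(version: str) -> tuple[str, str, int]:
    """Split '15.1X49-D140.2' into ('15.1X49', 'D', 140)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    return m.group("train"), m.group("letter"), int(m.group("num"))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one Junos version."""
    train, letter, num = parse_version(version)
    if train not in FIXED_RELEASES:
        return "not-listed"  # train is not named by this advisory
    fixed_letter, fixed_num = FIXED_RELEASES[train]
    if letter != fixed_letter:
        raise ValueError(f"unexpected release letter {letter!r} for train {train}")
    # Build/patch suffixes on a fixed release (e.g. 17.3R3-S2) inherit the fix.
    return "fixed" if num >= fixed_num else "affected"


def assess_show_version(output: str) -> str:
    """Locate the 'Junos:' line in 'show version' output and assess it (assumed format)."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return assess(m.group(1))


# Constructed sample of 'show version' output from an SRX running 15.1X49-D140.2.
SHOW_VERSION_SAMPLE = "Hostname: srx-edge-1\nModel: srx340\nJunos: 15.1X49-D140.2\n"
```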
This issue is being tracked as PRs 1360111 and 1350867, which are visible on the Customer Support website.
Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
2019-01-09: Initial publication
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."