This issue affects Junos OS 15.1, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3. This issue affects Junos OS Evolved.
A device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process configured relay mode is vulnerable to multiple vulnerabilities which allow an attacker to send crafted packets who may the arbitrarily execute commands as root on the target device, or who may take over the code execution of the JDHDCP process.
These issues affect IPv4 and IPv6 JDHCPD services.
These issues affect:
Juniper Networks Junos OS:
15.1 versions prior to 15.1R7-S6;
15.1X49 versions prior to 15.1X49-D200;
15.1X53 versions prior to 15.1X53-D592;
16.1 versions prior to 16.1R7-S6;
16.2 versions prior to 16.2R2-S11;
17.1 versions prior to 17.1R2-S11, 17.1R3-S1;
17.2 versions prior to 17.2R2-S8, 17.2R3-S3;
17.3 versions prior to 17.3R3-S6;
17.4 versions prior to 17.4R2-S7, 17.4R3;
18.1 versions prior to 18.1R3-S8;
18.2 versions prior to 18.2R3-S2;
18.2X75 versions prior to 18.2X75-D60;
18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3;
18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3;
19.1 versions prior to 19.1R1-S3, 19.1R2;
19.2 versions prior to 19.2R1-S3, 19.2R2*.
and
All versions prior to 19.3R1 on Junos OS Evolved.
These issues do not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode.
The following minimal configuration is required:
[forwarding-options dhcp-relay]
Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities.
These issues were discovered during an external security research.
These issues include:
| CVE |
CVSS |
Summary |
| CVE-2020-1602 |
7.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) |
When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv4 packets who may remotely take over the code execution of the JDHDCP process. This issue affect IPv4 JDHCPD services. |
| CVE-2020-1605 |
8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv4 packets who may then arbitrarily execute commands as root on the target device. This issue affects IPv4 JDHCPD services. |
| CVE-2020-1609 |
8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv6 packets who may then arbitrarily execute commands as root on the target device. This issue affects IPv6 JDHCPD services. |
The following software releases have been updated to resolve these specific issues:
Junos OS: 15.1R7-S6, 15.1X49-D200, 15.1X53-D592, 16.1R7-S6, 16.2R2-S11, 17.1R2-S11, 17.1R3-S1, 17.2R2-S8, 17.2R3-S3, 17.3R3-S6, 17.4R2-S7, 17.4R3, 18.1R3-S8, 18.2R3-S2, 18.2X75-D60, 18.3R1-S6, 18.3R2-S2, 18.3R3, 18.4R1-S5, 18.4R2-S3, 18.4R3, 19.1R1-S3, 19.1R2, 19.2R1-S3, 19.2R2*, 19.3R1, and all subsequent releases.
Junos OS Evolved: 19.3R1, and all subsequent releases.
*pending publication
These issues are being tracked as 1449353.
If JDHCPD is not needed then disable the service in the device configuration.
There are no other viable workarounds for this issue.
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."