
Updated: 2020-04 Out of Cycle Security Advisory: Junos OS: Security vulnerability in J-Web and web based (HTTP/HTTPS) services (CVE-2020-1631)


Article ID: JSA11021 SECURITY_ADVISORIES Last Updated: 20 May 2020 Version: 11.0
Product Affected:
This issue affects Junos OS 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 15.1X53, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1.
Problem:

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) which could be leveraged to perform Remote Code Execution (RCE) and take control of the device.

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled.

Junos OS devices with HTTP/HTTPS services disabled are not affected.

If HTTP/HTTPS services are enabled, the following command will show the httpd processes:

user@device> show system processes | match http
5260 - S 0:00.13 /usr/sbin/httpd-gk -N
5797 - I 0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf


On April 27th 2020, Juniper SIRT received a single report of this vulnerability being exploited in the wild and, out of an abundance of caution, notified customers with this out-of-cycle JSA so they could take appropriate action.

On May 20th 2020, Juniper SIRT confirmed at least one additional attempt to exploit this vulnerability.

Juniper SIRT has determined that user interaction is not required to exploit this vulnerability, so we have changed the CVSS score from 8.8 to 9.8 and updated the details in this advisory.

Juniper Networks urges customers to upgrade to the fixed release as soon as possible or disable/limit the HTTP services until the device is upgraded to the fixed release. Please see the workaround section for more details.

This issue affects Juniper Networks Junos OS

  • 12.3 versions prior to 12.3R12-S16;
  • 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105;
  • 14.1X53 versions prior to 14.1X53-D54;
  • 15.1 versions prior to 15.1R7-S7;
  • 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220;
  • 15.1X53 versions prior to 15.1X53-D593;
  • 16.1 versions prior to 16.1R7-S8;
  • 17.2 versions prior to 17.2R3-S4;
  • 17.3 versions prior to 17.3R3-S8;
  • 17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
  • 18.1 versions prior to 18.1R3-S10;
  • 18.2 versions prior to 18.2R2-S7, 18.2R3-S4;
  • 18.3 versions prior to 18.3R2-S4, 18.3R3-S2;
  • 18.4 versions prior to 18.4R1-S7, 18.4R3-S2;
  • 18.4 version 18.4R2 and later versions;
  • 19.1 versions prior to 19.1R1-S5, 19.1R3-S1;
  • 19.1 version 19.1R2 and later versions;
  • 19.2 versions prior to 19.2R2;
  • 19.3 versions prior to 19.3R2-S3, 19.3R3;
  • 19.4 versions prior to 19.4R1-S2, 19.4R2;
  • 20.1 versions prior to 20.1R1-S1, 20.1R2.


The following are examples of the config stanza affected by this issue:

[system services web-management http]
[system services web-management https]
[security dynamic-vpn]


Indicators of Compromise:

The /var/log/httpd.log file may contain indicators that commands have been injected or that files have been accessed.

The device administrator can look for these indicators by searching for the string patterns "PATH_TRANSLATED|%50%41%54%48%5f%54%52%41%4e%53%4c%41%54%45%44|UEFUSF9UUkFOU0xBVEVE|504154485f5452414e534c41544544" in /var/log/httpd.log, using the following command:

user@device> show log httpd.log | match "PATH_TRANSLATED|%50%41%54%48%5f%54%52%41%4e%53%4c%41%54%45%44|UEFUSF9UUkFOU0xBVEVE|504154485f5452414e534c41544544"

If this command returns any output, it may indicate exploitation attempts or simply scanning activity.

Rotated logs should also be reviewed, using the following command:

user@device> show log httpd.log.0.gz | match "PATH_TRANSLATED|%50%41%54%48%5f%54%52%41%4e%53%4c%41%54%45%44|UEFUSF9UUkFOU0xBVEVE|504154485f5452414e534c41544544"
user@device> show log httpd.log.1.gz | match "PATH_TRANSLATED|%50%41%54%48%5f%54%52%41%4e%53%4c%41%54%45%44|UEFUSF9UUkFOU0xBVEVE|504154485f5452414e534c41544544"

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked.
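As an added illustration (not part of the advisory and not Juniper code), the following Python script shows where the four patterns in the advisory's "match" command come from, by deriving the URL-encoded, base64 and hex forms from the literal string PATH_TRANSLATED, and then scans httpd.log lines for all four. It reads both a live log and rotated .gz copies, as the advisory recommends. The sample log lines and their Apache-style format are constructed for this example, not real Junos httpd.log output. The script goes slightly beyond the advisory's literal patterns in one respect: the percent-encoded and hex forms are matched regardless of hex-digit case, so a variant such as %5F instead of %5f is still reported.

```python
import base64
import gzip
import os
import re
import tempfile
from typing import Iterable, List, Tuple

# The indicator named in the advisory and three encodings of it. Deriving them
# here makes the origin of the advisory's four search strings explicit.
INDICATOR = "PATH_TRANSLATED"
ENCODINGS = {
    "plain": INDICATOR,
    "url": "".join("%%%02x" % b for b in INDICATOR.encode()),
    "base64": base64.b64encode(INDICATOR.encode()).decode(),
    "hex": INDICATOR.encode().hex(),
}

# Percent-encoded and hex forms are case-insensitive on the hex digits (a
# generalization of the advisory's exact strings); plain and base64 are exact.
PATTERNS = [
    (name, re.compile(re.escape(value),
                      re.IGNORECASE if name in ("url", "hex") else 0))
    for name, value in ENCODINGS.items()
]

# Constructed sample log lines (not real device output); the request format is
# assumed for illustration only.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/May/2020:10:01:12 +0000] "GET /login HTTP/1.1" 200 1532',
    '198.51.100.7 - - [20/May/2020:10:02:41 +0000] "GET /?PATH_TRANSLATED=x HTTP/1.1" 500 0',
    '198.51.100.7 - - [20/May/2020:10:02:43 +0000] "GET /?%50%41%54%48%5F%54%52%41%4e%53%4c%41%54%45%44=x HTTP/1.1" 500 0',
    '203.0.113.9 - - [20/May/2020:10:05:00 +0000] "POST /?UEFUSF9UUkFOU0xBVEVE HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/May/2020:10:05:02 +0000] "GET /?504154485f5452414e534c41544544 HTTP/1.1" 404 0',
    '10.0.0.5 - - [20/May/2020:10:07:30 +0000] "GET /logout HTTP/1.1" 302 0',
]


def classify(line: str) -> List[str]:
    """Return the names of every encoding of the indicator present in one line."""
    return [name for name, rx in PATTERNS if rx.search(line)]


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, List[str], str]]:
    """Scan log lines; return (line_number, encodings_found, line) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((number, found, line.rstrip("\n")))
    return hits


def scan_log_file(path: str) -> List[Tuple[int, List[str], str]]:
    """Scan a live httpd.log or a rotated httpd.log.N.gz, chosen by extension."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


def demo() -> List[Tuple[int, List[str], str]]:
    """Write the constructed sample into a rotated-style .gz file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "httpd.log.0.gz")
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            fh.write("\n".join(SAMPLE_LOG) + "\n")
        return scan_log_file(path)


if __name__ == "__main__":
    for number, found, line in demo():
        print(f"line {number}: {', '.join(found)}: {line}")
```

Each hit reports which encoding matched, which is useful when triaging: a mix of encodings from one source address within seconds is more consistent with automated scanning than with an administrator's browser session. As the advisory notes, absence of hits is not proof of absence, since an attacker who gained code execution could edit the local log.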

This issue was discovered during external security research.

This issue has been assigned CVE-2020-1631.
 

Solution:

The following software releases have been updated to resolve this specific issue: 12.3R12-S16, 12.3X48-D101, 12.3X48-D105, 14.1X53-D54, 15.1X49-D211, 15.1X49-D220, 15.1X53-D593, 15.1R7-S7, 16.1R7-S8, 17.2R3-S4, 17.4R2-S11, 17.3R3-S8, 17.4R3-S2, 18.1R3-S10, 18.2R2-S7, 18.2R3-S4, 18.3R2-S4, 18.3R3-S2, 18.4R1-S7, 18.4R3-S2, 19.1R1-S5, 19.1R3-S1, 19.2R2, 19.3R2-S3, 19.3R3, 19.4R1-S2, 19.4R2, 20.1R1-S1, 20.1R2 and all subsequent releases.

Note: At the time of this publication, the following fixed releases are available for customer download: 12.3X48-D101, 15.1X49-D211, 18.2R3-S4, 18.4R3-S2, and 20.1R1-S1. The remaining fixed releases will be made available at a later date.

The 12.3X48-D101 and 15.1X49-D211 releases can be downloaded from the URLs below.
(Note: the rest of the fixed releases can be downloaded from https://support.juniper.net/support/downloads/; some of the newer fixed releases might not be available for download yet.)

12.3X48-D101 :
Branch SRX-Series Install Package (for SRX100H2, SRX110HE2, SRX210H2, SRX220H2, SRX240H2, SRX550, SRX650): junos-srxsme-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107438.html
MD5 = b822376f7a385e74499b186cf28c122b
SHA-1 = e6138e45bf9d29e962468e6e114e537142d4cc0d
SHA-256 = b21a9ae9f5d0b0ec25180682193faba7bf54e836fda0eb78babd3df843f90e6a

SRX 1000/3000-Series Install Package : junos-srx1k3k-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107436.html
MD5 = b93229ea43f66b539f22ecc5a9be0f07
SHA-1 = 2c625e9bc155b9fcb4c9a1a371bba473363ee6f0
SHA-256 = 982434f9cde9492e1d80d14c43a7cdcc5261db15a11f65fa7c9881a0fc0cd3db

SRX5000-Series Install Package: junos-srx5000-12.3X48-D101-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107437.html
MD5 = 7dc73801b7680fda42d453d6d3d6f10c
SHA-1 = 05f1eda5ec112c7e2afeebea4d47c007e0a8bd60
SHA-256 = 88d40e4b6b949a5c656c2b5fffa3adb41fe4943fb3e5d9cfaa439e603889e839

15.1X49-D211:
SRX300 & SRX500-Series Install Package: junos-srxsme-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107439.html
MD5 = dfd3428c7f83eb11142bbe32bac2a151
SHA-1 = a22f0ead795c8afb0a4d59d1b9b785c83801cd65
SHA-256 = dc42e24db0e2af7b2e6aaafdaa61f8e658fabc91c8a888efad586a5fbd2fa29a

SRX1500 Install Package: junos-srxentedge-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107442.html
MD5 = 348f2fcd96b31d51b9d71147d09fabd8
SHA-1 = cf8ee775ca1ca12706975fdd0748c1967732c2fe
SHA-256 = 62d460ea531161936f0ac75fa4501bc6cadb700388bdb93b7e706a09e985eff5

SRX4100 and SRX4200 Install Package: junos-srxmr-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107441.html
MD5 = 55b4c96b05b5fd9595a8ee071dbbf438
SHA-1 = ae6d7978964c3be6b632033b3616208e47653617
SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

SRX5000 Series Install Package: junos-srx5000-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107440.html
MD5 = b918fa5a341815ccdb230560539e8725
SHA-1 = 38e912a55f1407e18e1bb8305f854fcd97c1adcb
SHA-256 = c1aaafdd9b23a525236c414e4cf213542246326317070b5e98ac5cccc5fa1e72

vSRX Upgrade TGZ: junos-vsrx-15.1X49-D211-domestic.tgz
https://webdownload.juniper.net/swdl/dl/secure/site/1/record/107452.html
MD5 = 55b4c96b05b5fd9595a8ee071dbbf438
SHA-1 = ae6d7978964c3be6b632033b3616208e47653617
SHA-256 = 20274c3b66d4b54471684a5f534abe0ba1d8bebabbb6f78f0028fcc275076df1

This issue is being tracked in PR 1499280.
 

Workaround:

There are no viable workarounds for this issue.

It is highly recommended to disable HTTP/HTTPS service and DVPN:

user@device# deactivate system services web-management
user@device# deactivate security dynamic-vpn (if DVPN is configured)
user@device# commit

or allow HTTP service only from trusted hosts or networks (refer to https://kb.juniper.net/KB21265 for details on how to limit HTTP service).
 

Implementation:
Software Releases, patches and updates are available at https://www.juniper.net/support/downloads/.
 
Modification History:
2020-04-27: Initial Publication
2020-04-28: Adding additional fixed releases
2020-05-04: Adding additional fixes & URL to Mitre
2020-05-12: Adding clarification about https://support.juniper.net/support/downloads/
2020-05-20: Additional indication of attempted exploitation observed. JSA description and CVSS score updated.
2020-05-20: Additional fix release added
2020-05-20: Added additional "PATH_TRANSLATED|%50%41%54%48%5f%54%52%41%4e%53%4c%41%54%45%44|UEFUSF9UUkFOU0xBVEVE|504154485f5452414e534c41544544" detail for string comparison/match for IOC.
CVSS Score:
9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
Critical
Severity Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
The Juniper SIRT would like to acknowledge and thank Liang Bian and Leishen Song (@rayh4c) of 360 ATA for reporting this issue.
 
