
2021-10 Security Bulletin: Junos OS and Junos OS Evolved: Local Privilege Escalation and Denial of Service


Article ID: JSA11222
SECURITY_ADVISORIES
Last Updated: 27 Oct 2021
Version: 3.0
Product Affected:
These issues affect all versions of Junos OS. These issues affect all versions of Junos OS Evolved.
Problem:

A local privilege escalation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to cause the Juniper DHCP daemon (jdhcpd) process to crash, resulting in a Denial of Service (DoS), or execute arbitrary commands as root. Continued processing of malicious user-controlled input will repeatedly crash the system and sustain the Denial of Service (DoS) condition.

A second improper privilege management vulnerability in the Juniper Networks Junos OS and Junos OS Evolved command-line interpreter (CLI) was also discovered, allowing a low-privileged user to overwrite local files as root, possibly leading to a system integrity issue or additional Denial of Service (DoS). Depending on the files overwritten, exploitation of this vulnerability could lead to a sustained Denial of Service (DoS) condition, requiring manual user intervention to recover.

Systems are only vulnerable if jdhcpd is running, which can be confirmed via the 'show system processes' command. For example:

root@host# run show system processes extensive | match dhcp
26537 root -16 0 97568K 13692K RUN 0 0:01 3.71% jdhcpd


These issues affect:

Juniper Networks Junos OS:

  • All versions, including the following supported releases:
    • 15.1 versions prior to 15.1R7-S10;
    • 17.4 versions prior to 17.4R3-S5;
    • 18.3 versions prior to 18.3R3-S5;
    • 18.4 versions prior to 18.4R3-S9;
    • 19.1 versions prior to 19.1R3-S6;
    • 19.2 versions prior to 19.2R1-S7, 19.2R3-S3;
    • 19.3 versions prior to 19.3R2-S6, 19.3R3-S3;
    • 19.4 versions prior to 19.4R3-S6;
    • 20.1 versions prior to 20.1R2-S2, 20.1R3-S1;
    • 20.2 versions prior to 20.2R3-S2;
    • 20.3 versions prior to 20.3R3;
    • 20.4 versions prior to 20.4R2-S1, 20.4R3;
    • 21.1 versions prior to 21.1R1-S1, 21.1R2.

Juniper Networks Junos OS Evolved:

  • All versions prior to 20.4R2-S3-EVO;
  • All versions of 21.1-EVO.
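
The two checks above (fixed release per train, and whether jdhcpd is running) combined into one triage function. This is an added example, not Juniper code: the function names are hypothetical, it covers standard Junos OS release strings only (X-releases and -EVO are rejected for manual review), and it assumes a release is judged against the fix listed for its own R branch, or against the latest listed fix when its branch has none.

```python
import re

# Fixed Junos OS releases, copied from the affected-versions list in this advisory.
FIXED = ("15.1R7-S10 17.4R3-S5 18.3R3-S5 18.4R3-S9 19.1R3-S6 19.2R1-S7 19.2R3-S3 "
         "19.3R2-S6 19.3R3-S3 19.4R3-S6 20.1R2-S2 20.1R3-S1 20.2R3-S2 20.3R3 "
         "20.4R2-S1 20.4R3 21.1R1-S1 21.1R2").split()
FIRST_FIXED_TRAIN = (21, 2)  # "21.2R1, and all subsequent releases"

# Standard releases only, e.g. 19.4R3-S6.1; X-releases and -EVO do not match.
VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(version):
    """Split a release string into (train, (R number, S number))."""
    m = VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    major, minor, r, s = (int(g or 0) for g in m.groups())
    return (major, minor), (r, s)

def is_fixed(version):
    """True if a Junos OS release is at or past a fixed release for its train."""
    train, rel = parse(version)
    fixes = [f for t, f in map(parse, FIXED) if t == train]
    if not fixes:
        # Train has no listed fix: only 21.2 and later ship fixed from R1.
        return train >= FIRST_FIXED_TRAIN
    same_r = [f for f in fixes if f[0] == rel[0]]
    # Assumption: compare against the fix on the same R branch if one is
    # listed, otherwise against the latest listed fix for the train.
    return rel >= (same_r[0] if same_r else max(fixes))

def jdhcpd_running(process_output):
    """True if 'show system processes extensive' output lists a jdhcpd process."""
    return any(line.split()[-1:] == ["jdhcpd"] for line in process_output.splitlines())

def exposed(version, process_output):
    """Advisory condition: jdhcpd is running and the release predates the fix."""
    return jdhcpd_running(process_output) and not is_fixed(version)

# Constructed sample input: the process line shown in the advisory.
SAMPLE = "26537 root -16 0 97568K 13692K RUN 0 0:01 3.71% jdhcpd"

if __name__ == "__main__":
    for v in ("19.2R1-S7", "19.2R2-S5", "21.1R3", "18.2R3-S8"):
        print(v, "exposed" if exposed(v, SAMPLE) else "not exposed")
```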


There are several configuration options that enable DHCP service. For example:

[edit interfaces ... family inet dhcp]
[edit system processes dhcp-service]
[edit forwarding-options dhcp-relay]

Juniper SIRT is not aware of any malicious exploitation of this vulnerability.

This issue was discovered during external security research.

The following issues have been reported by the security researcher, and resolved in the releases listed:

CVE: CVE-2021-31359
CVSS: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Summary: A local privilege escalation vulnerability in Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged user to cause the Juniper DHCP daemon (jdhcpd) process to crash, resulting in a Denial of Service (DoS), or execute arbitrary commands as root. Continued processing of malicious input will repeatedly crash the system and sustain the Denial of Service (DoS) condition.

CVE: CVE-2021-31360
CVSS: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Summary: An improper privilege management vulnerability in the Juniper Networks Junos OS and Junos OS Evolved command-line interpreter (CLI) allows a low-privileged user to overwrite local files as root, possibly leading to a system integrity issue or Denial of Service (DoS). Depending on the files overwritten, exploitation of this vulnerability could lead to a sustained Denial of Service (DoS) condition, requiring manual user intervention to recover.

Solution:

The following software releases have been updated to resolve this specific issue:

Junos OS 15.1R7-S10, 17.4R3-S5, 18.3R3-S5, 18.4R3-S9, 19.1R3-S6, 19.2R1-S7, 19.2R3-S3, 19.3R2-S6, 19.3R3-S3, 19.4R3-S6, 20.1R2-S2, 20.1R3-S1, 20.2R3-S2, 20.3R3, 20.4R2-S1, 20.4R3, 21.1R1-S1, 21.1R2, 21.1R3, 21.2R1, and all subsequent releases.

Junos OS Evolved 20.4R2-S3-EVO, 21.2R1-EVO, and all subsequent releases.

This issue is being tracked as 1568654.
 

Workaround:
Use access lists or firewall filters to limit CLI access to the device to trusted hosts and trusted administrators.

 
Implementation:
Software releases or updates are available for download at https://support.juniper.net/support/downloads/
 
Modification History:
2021-10-13: Initial Publication.
2021-10-27: Added details on how to confirm whether jdhcpd is running.


CVSS Score:
7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Severity Level:
High
Severity Assessment:
Information on how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements:
Juniper SIRT would like to acknowledge and thank Wenxu Yin (@awxylitol) of Alpha Lab, Qihoo 360 Technology Co. Ltd., for responsibly reporting this vulnerability.
 
