CVSS: 5.3EPSS: 1%CPEs: 152EXPL: 1CVE-2023-36847 – Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
https://notcve.org/view.php?id=CVE-2023-36847
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to installAppPackage.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on EX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S4; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S1; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3. "Una vulnerabilidad de falta de autenticación para funciones críticas en Juniper Networks Junos OS en la serie EX permite a un atacante no autenticado basado en red causar un impacto limitado en la integridad del sistema de archivos. Con una solicitud específica a installAppPackage.php que no requiere autenticación, un atacante puede cargar archivos arbitrarios a través de J-Web, lo que provoca una pérdida de integridad de una parte determinada del sistema de archivos, que puede permitir el encadenamiento con otras vulnerabilidades. Este problema afecta al sistema operativo Junos de Juniper Networks en la serie EX: * Todas las versiones anteriores a 20.4R3-S8; * 21.1: versiones 21.1R1 y posteriores; * 21.2: versiones anteriores a 21.2R3-S6; * 21.3: versiones anteriores a 21.3R3-S5; * 21.4: versiones anteriores a 21.4R3-S4; * 22.1: versiones anteriores a 22.1R3-S3; * 22.2: versiones anteriores a 22.2R3-S1; * 22.3: versiones anteriores a 22.3R2-S2, 22.3R3; * 22.4: versiones anteriores a 22.4R2-S1, 22.4R3." Juniper Junos OS on EX Series contains a missing authentication for critical function vulnerability that allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. • https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844?ref=labs.watchtowr.com https://supportportal.juniper.net/JSA72300 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 200EXPL: 0CVE-2022-22221 – Junos OS: SRX and EX Series: Local privilege escalation flaw in "download" functionality
https://notcve.org/view.php?id=CVE-2022-22221
An Improper Neutralization of Special Elements vulnerability in the download manager of Juniper Networks Junos OS on SRX Series and EX Series allows a locally authenticated attacker with low privileges to take full control over the device. One aspect of this vulnerability is that the attacker needs to be able to execute any of the "request ..." or "show system download ..." commands. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: All versions prior to 19.2R1-S9, 19.2R3-S5; 19.3 versions prior to 19.3R3-S6; 19.4 versions prior to 19.4R3-S8; 20.1 versions prior to 20.1R3-S4; 20.2 versions prior to 20.2R3-S4; 20.3 versions prior to 20.3R3-S3; 20.4 versions prior to 20.4R3-S2, 20.4R3-S3; 21.1 versions prior to 21.1R3-S1; 21.2 versions prior to 21.2R2-S2, 21.2R3; 21.3 versions prior to 21.3R2, 21.3R3; 21.4 versions prior to 21.4R1-S1, 21.4R2. Una vulnerabilidad de Neutralización Inapropiada de Elementos Especiales en el administrador de descargas del Sistema Operativo Junos de Juniper Networks en las series SRX y EX permite a un atacante autenticado localmente con bajos privilegios tomar el control total del dispositivo. Uno de los aspectos de esta vulnerabilidad es que el atacante debe ser capaz de ejecutar cualquiera de los comandos "request ..." o "show system download ...". • https://kb.juniper.net/JSA69725 •
CVSS: 6.5EPSS: 0%CPEs: 359EXPL: 0CVE-2021-0289 – Junos OS: User-defined ARP Policer isn't applied on Aggregated Ethernet (AE) interface until firewall process is restarted
https://notcve.org/view.php?id=CVE-2021-0289
When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive | match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. • https://kb.juniper.net/JSA11191 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 10.0EPSS: 0%CPEs: 336EXPL: 0CVE-2021-0211 – Junos OS and Junos OS Evolved: Upon receipt of a specific BGP FlowSpec message network traffic may be disrupted.
https://notcve.org/view.php?id=CVE-2021-0211
An improper check for unusual or exceptional conditions in Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon (RPD) service allows an attacker to send a valid BGP FlowSpec message thereby causing an unexpected change in the route advertisements within the BGP FlowSpec domain leading to disruptions in network traffic causing a Denial of Service (DoS) condition. Continued receipt of these update messages will cause a sustained Denial of Service condition. This issue affects Juniper Networks: Junos OS: All versions prior to 17.3R3-S10 with the exceptions of 15.1X49-D240 on SRX Series and 15.1R7-S8 on EX Series; 17.3 versions prior to 17.3R3-S10; 17.4 versions prior to 17.4R2-S12, 17.4R3-S4; 18.1 versions prior to 18.1R3-S12; 18.2 versions prior to 18.2R2-S8, 18.2R3-S6; 18.3 versions prior to 18.3R3-S4; 18.4 versions prior to 18.4R1-S8, 18.4R2-S6, 18.4R3-S6; 19.1 versions prior to 19.1R1-S6, 19.1R2-S2, 19.1R3-S3; 19.2 versions prior to 19.2R3-S1; 19.3 versions prior to 19.3R2-S5, 19.3R3-S1; 19.4 versions prior to 19.4R1-S3, 19.4R2-S3, 19.4R3; 20.1 versions prior to 20.1R2; 20.2 versions prior to 20.2R1-S3 20.2R2; 20.3 versions prior to 20.3R1-S1, 20.3R2. Junos OS Evolved: All versions prior to 20.3R1-S1-EVO, 20.3R2-EVO. Una comprobación inapropiada de condiciones inusuales o excepcionales en Juniper Networks. • https://kb.juniper.net/JSA11101 • CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 164EXPL: 0CVE-2019-0003 – Junos OS: A flowspec BGP update with a specific term-order causes routing protocol daemon (rpd) process to crash with a core.
https://notcve.org/view.php?id=CVE-2019-0003
When a specific BGP flowspec configuration is enabled and upon receipt of a specific matching BGP packet meeting a specific term in the flowspec configuration, a reachable assertion failure occurs, causing the routing protocol daemon (rpd) process to crash with a core file being generated. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D70 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1 versions prior to 15.1R3; 15.1F versions prior to 15.1F3; 15.1X49 versions prior to 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400. Cuando una configuración BGP flowspec específica está habilitada y se recibe un paquete BGP coincidente determinado que coincide con un término específico en la configuración de flowspec, ocurre un fallo de aserción alcanzable que provoca que el proceso rpd (routing protocol daemon) se cierre inesperadamente y se genere un archivo core. Las versiones afectadas son Juniper Networks Junos OS: 12.1X46 en versiones anteriores a la 12.1X46-D77 en la serie SRX; 12.3 en versiones anteriores a la 12.3R12-S10; 12.3X48 en versiones anteriores a la 12.3X48-D70 en la serie SRX; 14.1X53 en versiones anteriores a la 14.1X53-D47 en EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1 en versiones anteriores a la 15.1R3; 15.1F en versiones anteriores a la 15.1F3; 15.1X49 en versiones anteriores a la 15.1X49-D140 en la serie SRX y 15.1X53 en versiones anteriores a la 15.1X53-D59 en EX2300/EX3400. • http://www.securityfocus.com/bid/106544 https://kb.juniper.net/JSA10902 • CWE-617: Reachable Assertion •