CVE-2018-0057

Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address)

Severity Score

9.6

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile. In the problem scenario, with a hardware-address and IP address configured under address-assignment pool, if a subscriber logging in with DHCP Option 50, the subscriber will not be assigned an available address from the matched pool, but will still get the requested IP address. A malicious DHCP subscriber may be able to utilize this vulnerability to create duplicate IP address assignments, leading to a denial of service for valid subscribers or unauthorized information disclosure via IP address assignment spoofing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S2, 15.1R8; 16.1 versions prior to 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S9, 17.1R3; 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3.

En las plataformas MX Series y M120/M320 configuradas en un entorno Broadband Edge (BBE), los suscriptores que inician sesión con DHCP Option 50 para solicitar una dirección IP específica tendrán asignada la dirección IP que soliciten, incluso aunque haya un enlace de MAC estática a dirección IP en el perfil de acceso. En el escenario de problemas, con una dirección de hardware y una dirección IP configurada bajo el grupo address-assignment, si un suscriptor inicia sesión con DHCP Option 50, éste no recibirá una dirección disponible del grupo de coincidencias, pero seguirá recibiendo la dirección IP solicitada. Un suscriptor DHCP malicioso podría ser capaz de emplear esta vulnerabilidad para crear asignaciones de direcciones IP duplicadas, lo que conduce a una denegación de servicio (DoS) para los suscriptores válidos o la divulgación de información no autorizada mediante la suplantación de asignaciones de direcciones IP. Las versiones afectadas de Juniper Networks Junos OS son: 15.1 en versiones anteriores a la 15.1R7-S2, 15.1R8; 16.1 en versiones anteriores a la 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 en versiones anteriores a la 16.2R2-S7, 16.2R3; 17.1 en versiones anteriores a la 17.1R2-S9, 17.1R3; 17.2 en versiones anteriores a la 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 en versiones anteriores a la 17.3R2-S4, 17.3R3; 17.4 en versiones anteriores a la 17.4R2 y 18.1 en versiones anteriores a la 18.1R2-S3, 18.1R3.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-11-16 CVE Reserved
2018-10-10 CVE Published
2024-07-25 EPSS Updated
2024-09-17 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://kb.juniper.net/JSA10892	2019-10-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		f2		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		f3		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		f4		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		f5		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		f6		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r2		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r3		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r4		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r5		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				15.1 Search vendor "Juniper" for product "Junos" and version "15.1"		r6		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.1 Search vendor "Juniper" for product "Junos" and version "16.1"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.1 Search vendor "Juniper" for product "Junos" and version "16.1"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.1 Search vendor "Juniper" for product "Junos" and version "16.1"		r2		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.1 Search vendor "Juniper" for product "Junos" and version "16.1"		r3		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.2 Search vendor "Juniper" for product "Junos" and version "16.2"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				16.2 Search vendor "Juniper" for product "Junos" and version "16.2"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.1 Search vendor "Juniper" for product "Junos" and version "17.1"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.1 Search vendor "Juniper" for product "Junos" and version "17.1"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.2 Search vendor "Juniper" for product "Junos" and version "17.2"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.3 Search vendor "Juniper" for product "Junos" and version "17.3"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.3 Search vendor "Juniper" for product "Junos" and version "17.3"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.4 Search vendor "Juniper" for product "Junos" and version "17.4"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				17.4 Search vendor "Juniper" for product "Junos" and version "17.4"		r1		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				18.1 Search vendor "Juniper" for product "Junos" and version "18.1"		-		Affected
Juniper Search vendor "Juniper"		Junos Search vendor "Juniper" for product "Junos"				18.1 Search vendor "Juniper" for product "Junos" and version "18.1"		r1		Affected