// For flags

CVE-2018-0057

Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address)

Severity Score

9.6
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile. In the problem scenario, with a hardware-address and IP address configured under address-assignment pool, if a subscriber logging in with DHCP Option 50, the subscriber will not be assigned an available address from the matched pool, but will still get the requested IP address. A malicious DHCP subscriber may be able to utilize this vulnerability to create duplicate IP address assignments, leading to a denial of service for valid subscribers or unauthorized information disclosure via IP address assignment spoofing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S2, 15.1R8; 16.1 versions prior to 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S9, 17.1R3; 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3.

En las plataformas MX Series y M120/M320 configuradas en un entorno Broadband Edge (BBE), los suscriptores que inician sesión con DHCP Option 50 para solicitar una dirección IP específica tendrán asignada la dirección IP que soliciten, incluso aunque haya un enlace de MAC estática a dirección IP en el perfil de acceso. En el escenario de problemas, con una dirección de hardware y una dirección IP configurada bajo el grupo address-assignment, si un suscriptor inicia sesión con DHCP Option 50, éste no recibirá una dirección disponible del grupo de coincidencias, pero seguirá recibiendo la dirección IP solicitada. Un suscriptor DHCP malicioso podría ser capaz de emplear esta vulnerabilidad para crear asignaciones de direcciones IP duplicadas, lo que conduce a una denegación de servicio (DoS) para los suscriptores válidos o la divulgación de información no autorizada mediante la suplantación de asignaciones de direcciones IP. Las versiones afectadas de Juniper Networks Junos OS son: 15.1 en versiones anteriores a la 15.1R7-S2, 15.1R8; 16.1 en versiones anteriores a la 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 en versiones anteriores a la 16.2R2-S7, 16.2R3; 17.1 en versiones anteriores a la 17.1R2-S9, 17.1R3; 17.2 en versiones anteriores a la 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 en versiones anteriores a la 17.3R2-S4, 17.3R3; 17.4 en versiones anteriores a la 17.4R2 y 18.1 en versiones anteriores a la 18.1R2-S3, 18.1R3.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-11-16 CVE Reserved
  • 2018-10-10 CVE Published
  • 2024-07-25 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://kb.juniper.net/JSA10892 2019-10-09
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
f2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
f3
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
f4
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
f5
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
f6
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r3
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r4
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r5
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
15.1
Search vendor "Juniper" for product "Junos" and version "15.1"
r6
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.1
Search vendor "Juniper" for product "Junos" and version "16.1"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.1
Search vendor "Juniper" for product "Junos" and version "16.1"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.1
Search vendor "Juniper" for product "Junos" and version "16.1"
r2
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.1
Search vendor "Juniper" for product "Junos" and version "16.1"
r3
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.2
Search vendor "Juniper" for product "Junos" and version "16.2"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
16.2
Search vendor "Juniper" for product "Junos" and version "16.2"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.1
Search vendor "Juniper" for product "Junos" and version "17.1"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.1
Search vendor "Juniper" for product "Junos" and version "17.1"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.2
Search vendor "Juniper" for product "Junos" and version "17.2"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.3
Search vendor "Juniper" for product "Junos" and version "17.3"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.3
Search vendor "Juniper" for product "Junos" and version "17.3"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.4
Search vendor "Juniper" for product "Junos" and version "17.4"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
17.4
Search vendor "Juniper" for product "Junos" and version "17.4"
r1
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
18.1
Search vendor "Juniper" for product "Junos" and version "18.1"
-
Affected
Juniper
Search vendor "Juniper"
Junos
Search vendor "Juniper" for product "Junos"
18.1
Search vendor "Juniper" for product "Junos" and version "18.1"
r1
Affected