Vulnerabilities > CVE-2019-0007 - Use of Insufficiently Random Values vulnerability in Juniper Junos 15.1

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

juniper

CWE-330

nessus

NVD

Published: 2019-01-15

Updated: 2020-08-24

Summary

The vMX Series software uses a predictable IP ID Sequence Number. This leaves the system as well as clients connecting through the device susceptible to a family of attacks which rely on the use of predictable IP ID sequence numbers as their base method of attack. This issue was found during internal product security testing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F5 on vMX Series.

Vulnerable Configurations

Part	Description	Count
OS	Juniper Juniper Junos 15.1	6
Hardware	Juniper Juniper Mx10 - Juniper Mx10003 - Juniper Mx10008 - Juniper Mx104 - Juniper Mx150 - Juniper Mx2008 - Juniper Mx2010 - Juniper Mx2020 - Juniper Mx204 - Juniper Mx240 - Juniper Mx40 - Juniper Mx480 - Juniper MX5 - Juniper Mx80 - Juniper Mx960 - Juniper VMX -	16

Common Weakness Enumeration (CWE)

CWE-330 - Use of Insufficiently Random Values

Common Attack Pattern Enumeration and Classification (CAPEC)

Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

NASL family	Junos Local Security Checks
NASL id	JUNIPER_JSA10903.NASL
description	According to its self-reported version number, the remote Junos device uses a predictable IP ID sequence number. It is, therefore, vulnerable to a family of attacks that rely on this property, including a susceptibility to being used as a
last seen	2020-06-01
modified	2020-06-02
plugin id	121129
published	2019-01-11
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121129
title	Juniper Junos vMX Predictable IP ID Sequence Numbers (JSA10903)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(121129); script_version("1.4"); script_cvs_date("Date: 2019/04/18 12:05:36"); script_cve_id("CVE-2019-0007"); script_xref(name:"JSA", value:"JSA10903"); script_name(english:"Juniper Junos vMX Predictable IP ID Sequence Numbers (JSA10903)"); script_summary(english:"Checks the Junos version and build date."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the remote Junos device uses a predictable IP ID sequence number. It is, therefore, vulnerable to a family of attacks that rely on this property, including a susceptibility to being used as a 'zombie' host in an 'idle scan' blind port scan of another remote host."); script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10903"); script_set_attribute(attribute:"solution", value: "Apply the relevant Junos software release referenced in Juniper advisory JSA10903."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0007"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/09"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/11"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Junos Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("junos_version.nasl"); script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model"); exit(0); } include("audit.inc"); include("junos_kb_cmd_func.inc"); ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version'); model = get_kb_item_or_exit('Host/Juniper/model'); fixes = make_array(); # 15.1 versions prior to 15.1F5 on vMX Series. if (model == 'VMX') fixes['15.1F'] = '15.1F5'; fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE); override = FALSE; junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_HOLE);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References