Vulnerabilities > CVE-2019-0036 - Improper Check for Unusual or Exceptional Conditions vulnerability in Juniper Junos

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

juniper

CWE-754

critical

nessus

NVD

Published: 2019-04-10

Updated: 2021-02-05

Summary

When configuring a stateless firewall filter in Junos OS, terms named using the format "internal-n" (e.g. "internal-1", "internal-2", etc.) are silently ignored. No warning is issued during configuration, and the config is committed without error, but the filter criteria will match all packets leading to unexpected results. Affected releases are Juniper Networks Junos OS: All versions prior to and including 12.3; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D161, 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D69; 16.1 versions prior to 16.1R7-S4, 16.1R7-S5; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S7, 17.4R2-S3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; 18.2 versions prior to 18.2R1-S5, 18.2R2-S1; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3; 18.4 versions prior to 18.4R1-S1, 18.4R1-S2.

Vulnerable Configurations

Part	Description	Count
OS	Juniper Juniper Junos 15.1 Juniper Junos 15.1F6-S2 Juniper Junos 15.1F6-S1 Juniper Junos 15.1F6-S4 Juniper Junos 15.1F6-S5 Juniper Junos 15.1F6-S6 Juniper Junos 15.1F6-S7 Juniper Junos 15.1F6-S8 Juniper Junos 15.1F6-S9 Juniper Junos 15.1F6-S10 Juniper Junos 15.1F6-S11 Juniper Junos 15.1X49 Juniper Junos 15.1X53 Juniper Junos 16.1 Juniper Junos 17.3 Juniper Junos 17.2 Juniper Junos 17.4 Juniper Junos 18.1 Juniper Junos 18.2 Juniper Junos 18.3 Juniper Junos 18.2X75 Juniper Junos - Juniper Junos 4.0 Juniper Junos 4.1 Juniper Junos 4.2 Juniper Junos 4.3 Juniper Junos 4.4 Juniper Junos 5.0 Juniper Junos 5.0R3 Juniper Junos 5.0R4 Juniper Junos 5.1 Juniper Junos 5.2 Juniper Junos 5.3 Juniper Junos 5.4 Juniper Junos 5.5 Juniper Junos 5.6 Juniper Junos 5.7 Juniper Junos 6.0 Juniper Junos 6.1 Juniper Junos 6.2 Juniper Junos 6.3 Juniper Junos 6.4 Juniper Junos 7.0 Juniper Junos 7.1 Juniper Junos 7.2 Juniper Junos 7.3 Juniper Junos 7.4 Juniper Junos 7.5 Juniper Junos 7.6 Juniper Junos 8.0 Juniper Junos 8.1 Juniper Junos 8.2 Juniper Junos 8.3 Juniper Junos 8.4 Juniper Junos 9.0 Juniper Junos 9.1 Juniper Junos 9.2 Juniper Junos 9.4 Juniper Junos 9.5 Juniper Junos 9.6 Juniper Junos 10.0 Juniper Junos 10.1 Juniper Junos 10.2 Juniper Junos 10.3 Juniper Junos 10.4 Juniper Junos 10.4R Juniper Junos 10.4S Juniper Junos 11.0 Juniper Junos 11.1 Juniper Junos 11.2 Juniper Junos 11.3 Juniper Junos 11.4 Juniper Junos 11.4R13 Juniper Junos 11.4X27 Juniper Junos 12.1 Juniper Junos 12.1R Juniper Junos 12.1X44 Juniper Junos 12.1X45 Juniper Junos 12.1X46 Juniper Junos 12.1X46-D10 Juniper Junos 12.1X46-D76 Juniper Junos 12.1X47 Juniper Junos 12.2 Juniper Junos 12.2X50 Juniper Junos 12.2X65 Juniper Junos 14.1X53 Juniper Junos 18.4	248

Common Weakness Enumeration (CWE)

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Nessus

NASL family	Junos Local Security Checks
NASL id	JUNIPER_JSA10925.NASL
description	The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10925 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	124031
published	2019-04-15
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/124031
title	Juniper JSA10925
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(124031); script_version("1.2"); script_cvs_date("Date: 2019/08/20 6:39:51"); script_cve_id("CVE-2019-0036"); script_name(english:"Juniper JSA10925"); script_summary(english:"Checks the Junos version and build date."); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10925 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self- reported version number."); script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16613"); script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16765"); script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/KB16446"); script_set_attribute(attribute:"solution", value: "Apply the relevant Junos software release referenced in Juniper advisory JSA10925"); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0036"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/10"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/15"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Junos Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("junos_version.nasl"); script_require_keys("Host/Juniper/JUNOS/Version"); exit(0); } include("audit.inc"); include("junos.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version'); fixes = make_array(); if (ver !~ '14.1X53-D49') # not vuln but in same 14.1X53 series fixes['14.1X53'] = '14.1X53-D130'; fixes['15.1F'] = '15.1F6-S12'; fixes['15.1R'] = '15.1R7-S4'; fixes['15.1X49'] = '15.1X49-D161'; # or 15.1X49-D170 fixes['15.1X53'] = '15.1X53-D236'; # or 15.1X53-D496 fixes['16.1'] = '16.1R7-S4'; fixes['16.2'] = '16.2R2-S9'; fixes['17.1'] = '17.1R3'; if (ver =~ "^17\.2R1") fixes['17.2R'] = '17.2R1-S8'; else fixes['17.2R'] = '17.2R4-S1'; fixes['17.3'] = '17.3R3-S4'; fixes['17.4'] = '17.4R1-S7'; if (ver =~ "^18\.1R2") fixes['18.1R'] = '18.1R2-S4'; else fixes['18.1R'] = '18.1R3-S4'; if (ver =~ "^18\.2R1") fixes['18.2'] = '18.2R1-S5'; else fixes['18.2'] = '18.2R2-S1'; fixes['18.2X75'] = '18.2X75-D40'; fixes['18.3'] = '18.3R1-S3'; fixes['18.4'] = '18.4R1-S1'; fixes['19.1'] = '19.1R1'; fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE); report = get_report(ver:ver, fix:fix); security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);

References

https://kb.juniper.net/JSA10925