CVE-2019-0039 - Improper Restriction of Excessive Authentication Attempts vulnerability in Juniper Junos

047910
CVSS 8.1 - HIGH
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, high complexity, juniper, CWE-307, nessus

Summary

If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.

Nessus

NASL family: Junos Local Security Checks
NASL id: JUNIPER_JSA10928.NASL
description: The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the JSA10928 advisory. If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
last seen: 2020-06-10
modified: 2019-05-21
plugin id: 125309
published: 2019-05-21
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125309
title: Juniper JSA10928
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125309);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/09");

  script_cve_id("CVE-2019-0039");
  script_bugtraq_id(107899);
  script_xref(name:"JSA", value:"JSA10928");

  script_name(english:"Juniper JSA10928");
  script_summary(english:"Checks the Junos version and build date.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of tested product installed on the remote host is prior to
tested version. It is, therefore, affected by a vulnerability as
referenced in the JSA10928 advisory. 

If REST API is enabled, the Junos OS login credentials are vulnerable to
brute force attacks. The high default connection limit of the REST API may
allow an attacker to brute-force passwords using advanced scripting techniques.
Additionally, administrators who do not enforce a strong password policy can
increase the likelihood of success from brute force attacks.

Note that Nessus has not tested for this issue but has instead relied only on
the application's self-reported version number.");
  # https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10928
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b019a7f");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper
advisory JSA10928");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0039");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/04/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/21");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('audit.inc');
include('junos.inc');
include('junos_kb_cmd_func.inc');
include('misc_func.inc');

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
fixes = make_array();

fixes['14.1X53'] = '14.1X53-D49';
fixes['15.1'] = '15.1F6-S12';
fixes['15.1X49'] = '15.1X49-D160';
fixes['15.1X53'] = '15.1X53-D236';
fixes['16.1'] = '16.1R3-S10';
fixes['16.1X65'] = '16.1X65-D49';
fixes['16.2'] = '16.2R2-S7';
fixes['17.1'] = '17.1R2-S10';
fixes['17.2'] = '17.2R1-S8';
fixes['17.3'] = '17.3R3-S2';
fixes['17.4'] = '17.4R1-S6';
fixes['18.1'] = '18.1R2-S4';
fixes['18.2'] = '18.2R1-S5';
fixes['18.2X75'] = '18.2X75-D30';
fixes['18.3'] = '18.3R1-S1';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);


override = TRUE;
buf = junos_command_kb_item(cmd:"show configuration system services rest | display set");

if (buf)
{
  override = FALSE;
  pattern_rest_api_http = '^set system services rest http';
  pattern_rest_explorer = '^set system services rest enable-explorer';

  if (!junos_check_config(buf:buf, pattern:pattern_rest_api_http) &&
      !junos_check_config(buf:buf, pattern:pattern_rest_explorer))
    audit(AUDIT_HOST_NOT, 'vulnerable as it does not appear to have rest api enabled');

  # Rest API enabled but workaround setup
  # set system services rest control connection-limit 100
  pattern_workaround  = 'set system services rest control connection-limit 100';
  if (junos_check_config(buf:buf, pattern:pattern_workaround))
  {
    audit(AUDIT_HOST_NOT, 'vulnerable as control connection-limit 100 is set enabled');
  }
}

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);
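The configuration part of the plugin's check, reimplemented as an added Python example (not Tenable's code and not part of this page): it parses "show configuration system services rest | display set" output, treats any rest http/https or enable-explorer statement as REST being enabled, and, as the plugin does, counts only the literal connection-limit 100 statement as the workaround. The three sample configurations are constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns mirroring the plugin's checks. The plugin's '^set system services rest http'
# is an unanchored prefix, so it matches both "http" and "https" statements.
REST_HTTP = re.compile(r"^set system services rest https?\b")
REST_EXPLORER = re.compile(r"^set system services rest enable-explorer\b")
CONN_LIMIT = re.compile(r"^set system services rest control connection-limit (\d+)\s*$")


@dataclass
class RestAudit:
    rest_enabled: bool
    connection_limit: Optional[int]   # None when no limit statement is present
    workaround_applied: bool          # plugin criterion: connection-limit 100 is set


def audit_rest_config(display_set_output: str) -> RestAudit:
    """Classify REST API exposure from 'display set' lines of the rest stanza."""
    rest_enabled = False
    limit = None
    for raw in display_set_output.splitlines():
        line = raw.strip()
        if REST_HTTP.match(line) or REST_EXPLORER.match(line):
            rest_enabled = True
        m = CONN_LIMIT.match(line)
        if m:
            limit = int(m.group(1))
    return RestAudit(rest_enabled, limit, rest_enabled and limit == 100)


def verdict(audit: RestAudit) -> str:
    """Same three outcomes the plugin distinguishes before falling back to version."""
    if not audit.rest_enabled:
        return "not exposed: REST API not enabled"
    if audit.workaround_applied:
        return "not exposed: connection-limit 100 workaround in place"
    return "exposed: REST API enabled without the connection-limit workaround"


# Constructed sample outputs (assumed Junos 'display set' syntax, not real device captures).
EXPOSED = "set system services rest https port 3443\nset system services rest enable-explorer\n"
MITIGATED = "set system services rest http port 3000\nset system services rest control connection-limit 100\n"
NO_REST = "set system services ssh\nset system services netconf ssh\n"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("mitigated", MITIGATED), ("no_rest", NO_REST)):
        print(name, "->", verdict(audit_rest_config(cfg)))
```

A device with a limit other than exactly 100 is reported as exposed here, just as the plugin would fall through to its version check; adjust the criterion if your baseline sets a different limit.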