16.1

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

juniper

nessus

NVD

Published: 2019-10-09

Updated: 2021-02-05

Summary

The management daemon (MGD) is responsible for all configuration and management operations in Junos OS. The Junos CLI communicates with MGD over an internal unix-domain socket and is granted special permission to open this protected mode socket. Due to a misconfiguration of the internal socket, a local, authenticated user may be able to exploit this vulnerability to gain administrative privileges. This issue only affects Linux-based platforms. FreeBSD-based platforms are unaffected by this vulnerability. Exploitation of this vulnerability requires Junos shell access. This issue cannot be exploited from the Junos CLI. This issue affects Juniper Networks Junos OS: 15.1X49 versions prior to 15.1X49-D171, 15.1X49-D180; 15.1X53 versions prior to 15.1X53-D496, 15.1X53-D69; 16.1 versions prior to 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R1-S7, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2.

Vulnerable Configurations

Part	Description	Count
OS	Juniper Juniper Junos 15.1X49 Juniper Junos 15.1X53 Juniper Junos 16.1 Juniper Junos 16.2 Juniper Junos 17.1 Juniper Junos 17.2 Juniper Junos 17.3 Juniper Junos 17.4 Juniper Junos 18.1 Juniper Junos 18.2 Juniper Junos 18.3	111

Nessus

NASL family	Junos Local Security Checks
NASL id	JUNIPER_JSA10960.NASL
description	The version of Junos OS installed on the remote host is prior to 15.1X49-D171, 15.1X53-D496, 16.1R7-S4, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.3R3-S4, 17.4R1-S6, 18.1R2-S4, 18.2R1-S5, 18.3R1-S3, or 18.4R1-S2. It is, therefore, affected by a vulnerability as referenced in the JSA10960 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	132046
published	2019-12-13
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132046
title	Juniper JSA10960
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(132046); script_version("1.1"); script_cvs_date("Date: 2019/12/13"); script_cve_id("CVE-2019-0061"); script_xref(name:"JSA", value:"JSA10960"); script_name(english:"Juniper JSA10960"); script_set_attribute(attribute:"synopsis", value: "The remote device is missing a vendor-supplied security patch."); script_set_attribute(attribute:"description", value: "The version of Junos OS installed on the remote host is prior to 15.1X49-D171, 15.1X53-D496, 16.1R7-S4, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.3R3-S4, 17.4R1-S6, 18.1R2-S4, 18.2R1-S5, 18.3R1-S3, or 18.4R1-S2. It is, therefore, affected by a vulnerability as referenced in the JSA10960 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA10960"); script_set_attribute(attribute:"solution", value: "Apply the relevant Junos software release referenced in Juniper advisory JSA10960"); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0061"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/13"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Junos Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("junos_version.nasl"); script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model"); exit(0); } include("audit.inc"); include("junos.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version'); model = get_kb_item_or_exit('Host/Juniper/model'); if (model !~ '^PTX10003' && model !~ '^QFX5200' && model !~ 'QFX5220') audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver); fixes = make_array(); fixes["16.1"] = "16.1R7-S4"; fixes["16.2"] = "16.2R2-S9"; fixes["17.1"] = "17.1R3"; fixes["17.3"] = "17.3R3-S4"; if (report_paranoia >= 2) { fixes["15.1X49"] = "15.1X49-D171"; # 15.1X49-D171, 15.1X49-D180; fixes["15.1X53"] = "15.1X53-D69"; # 15.1X53-D496, 15.1X53-D69; } # 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; if (ver =~ "^17\.2R1($\|[^0-9])") fixes['17.2R'] = '17.2R1-S8'; else if (ver =~ "^17\.2R2($\|[^0-9])") fixes['17.2R'] = '17.2R2-S7'; else if (ver =~ "^17\.2R3($\|[^0-9])") fixes['17.2R'] = '17.2R3-S1'; # 17.4 versions prior to 17.4R1-S6, 17.4R1-S7, 17.4R2-S3, 17.4R3; if (ver =~ "^17\.4R1($\|[^0-9])") fixes['17.4R'] = '17.4R1-S6'; else if (ver =~ "^17\.4R2($\|[^0-9])") fixes['17.4R'] = '17.4R2-S3'; else if (ver =~ "^17\.4R3($\|[^0-9])") fixes['17.4R'] = '17.4R3'; # 18.1 versions prior to 18.1R2-S4, 18.1R3-S4; if (ver =~ "^18\.1R2($\|[^0-9])") fixes['18.1R'] = '18.1R2-S4'; else if (ver =~ "^18\.1R3($\|[^0-9])") fixes['18.1R'] = '18.1R3-S4'; # 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; if (ver =~ "^18\.2R1($\|[^0-9])") fixes['18.2R'] = '18.2R1-S5'; else if (ver =~ "^18\.2R2($\|[^0-9])") fixes['18.2R'] = '18.2R2-S2'; else if (ver =~ "^18\.2R3($\|[^0-9])") fixes['18.2R'] = '18.2R3'; # 18.3 versions prior to 18.3R1-S3, 18.3R2; if (ver =~ "^18\.3R1($\|[^0-9])") fixes['18.3R'] = '18.3R1-S3'; else if (ver =~ "^18\.3R2($\|[^0-9])") fixes['18.3R'] = '18.3R2'; # 18.4 versions prior to 18.4R1-S2, 18.4R2; if (ver =~ "^18\.4R1($\|[^0-9])") fixes['18.4R'] = '18.4R1-S2'; else if (ver =~ "^18\.4R2($\|[^0-9])") fixes['18.4R'] = '18.4R2'; fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE); report = get_report(ver:ver, fix:fix); security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);

References

https://kb.juniper.net/JSA10960