code | #TRUSTED 17d93b71675cd32280a73869934b8c3cd2efaeac238bd40a89f2406dcec2556fe2a9532dbc66b6140e1e287b143dbd6048fdcb9e14d7d25ffff62c0906f31fd770afaa392e64ecbac0e742bf83e43c339d9d5f6f460dbf895d32b8ffeeb22c21da25a131576fd5fe272e1ae4654a7388f24b105af0eee47ec577cb50fa9fd8865f620169f3ce8475467dddc211d79e4e6c3433591eb01367a2a8a55bd82f936bf529fccf9e8a7c55479e7f508282b4b8247c5a81e858059ba700ccedb21c44550061ce0b6b746cb47bf19204a96c0f600d57be924472a2d66863552e44e7d2a5b9836bbe05e94a1153eb90658579aef58addb5998460f57c92af6b0afec3d1bff2664d1c2c44ea65b624abfbcedae439f12314b072a2c1a48d0b5c1fddcc83da3fbf4f7bcb82aa85455810762e2caa226c6027735ed021d084abac0176c98a334c631cf1359a59f6d72b6008c4daa2ea8947d9815b7659cc47c0ae284a3e3997dc8b75379b0ba3e9ca41d860c9c3adfd41f839e686577b99177cea5be6a92802eae14b08bbbd8eb4c86c522c1e59c756172758adb90043f0d678aad1fc41be0a9a165d6d8afbb527aff2651da60ba8f2947e1c4495804849cbe77341342819b6ec1d1dc0f5f4988a35059c6ed9173474cd1b955d27963ead3155ac6481f07770fc50553eb03c2ccbf3944faa053ea30b717154ea1277af8f94fd77b15a28ecb3
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(133050);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/28");
script_cve_id("CVE-2020-1606");
script_xref(name:"JSA", value:"JSA10985");
script_xref(name:"IAVA", value:"2020-A-0083");
script_name(english:"Junos OS: Path traversal vulnerability in J-Web (JSA10985)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, a path traversal vulnerability in the Juniper Networks
Junos OS device may allow an authenticated J-web user to read files with 'world' readable permission and
delete files with 'world' writeable permission.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10985");
script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA10985.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1606");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/01/16");
script_set_attribute(attribute:"patch_publication_date", value:"2020/01/16");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/17");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Junos Local Security Checks");
script_dependencies("junos_version.nasl");
script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
exit(0);
}
include('audit.inc');
include('junos.inc');
include('junos_kb_cmd_func.inc');
include('misc_func.inc');
ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
fixes = make_array();
#15.1X49 versions prior to 15.1X49-D180 on SRX Series;
#12.3X48 versions prior to 12.3X48-D85 on SRX Series;
if (model =~ '^SRX')
fixes['12.3X48'] = '12.3X48-D85';
fixes['15.1X49'] = '15.1X49-D180';
#15.1X53 versions prior to 15.1X53-D238 on QFX5200/QFX5110 Series;
if (model =~ '^QFX5200' || model =~ '^QFX5110' )
fixes['15.1X53'] = '15.1X53-D238';
#16.1 versions prior to 16.1R4-S13, 16.1R7-S5;
#17.2 versions prior to 17.2R1-S9, 17.2R3-S2;
#17.3 versions prior to 17.3R2-S5, 17.3R3-S5;
#17.4 versions prior to 17.4R2-S9, 17.4R3;
#18.3 versions prior to 18.3R2-S3, 18.3R3;
#18.3 versions prior to 18.3R2-S3, 18.3R3;
if (ver =~ "^16\.1R4")
fixes['16.1'] = '16.1R4-S13';
else
fixes['16.1'] = '16.1R7-S5';
if (ver =~ "^17\.2R1")
fixes['17.2'] = '17.2R1-S9';
else
fixes['17.2'] = '17.2R3-S2';
if (ver =~ "^17\.3R2")
fixes['17.3'] = '17.3R2-S5';
else
fixes['17.3'] = '17.3R3-S5';
if (ver =~ "^17\.4R2")
fixes['17.4'] = '17.4R2-S9';
else
fixes['17.4'] = '17.4R3';
if (ver =~ "^18\.3R2")
fixes['18.3'] = '18.3R2-S3';
else
fixes['18.3'] = '18.3R3';
if (ver =~ "^19\.1R1")
fixes['19.1'] = '19.1R1-S4';
else
fixes['19.1'] = '19.1R2';
fixes['12.3'] = '12.3R12-S13';
fixes['14.1X53'] = '14.1X53-D51';
fixes['15.1'] = '15.1R7-S5';
fixes['15.1F6'] = '15.1F6-S13';
fixes['16.2'] = '16.2R2-S10';
fixes['17.1'] = '17.1R3-S1';
fixes['18.1'] = '18.1R3-S8';
fixes['18.2'] = '18.2R3';
fixes['18.4'] = '18.4R2';
fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
override = TRUE;
buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
override = FALSE;
pattern = "^set system services web-management http(s)?";
if (!junos_check_config(buf:buf, pattern:pattern))
audit(AUDIT_HOST_NOT, 'vulnerable as J-Web is not enabled');
}
junos_report(model:model, ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);
|