Vulnerabilities > CVE-2021-0289 - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Juniper Junos

CVSS 2.9 - LOW

Attack vector

ADJACENT_NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

PARTIAL

juniper

CWE-367

NVD

Published: 2021-07-15

Updated: 2021-07-28

Summary

When user-defined ARP Policer is configured and applied on one or more Aggregated Ethernet (AE) interface units, a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability between the Device Control Daemon (DCD) and firewall process (dfwd) daemons of Juniper Networks Junos OS allows an attacker to bypass the user-defined ARP Policer. In this particular case the User ARP policer is replaced with default ARP policer. To review the desired ARP Policers and actual state one can run the command "show interfaces <> extensive" and review the output. See further details below. An example output is: show interfaces extensive | match policer Policer: Input: __default_arp_policer__ <<< incorrect if user ARP Policer was applied on an AE interface and the default ARP Policer is displayed Policer: Input: jtac-arp-ae5.317-inet-arp <<< correct if user ARP Policer was applied on an AE interface For all platforms, except SRX Series: This issue affects Juniper Networks Junos OS: All versions 5.6R1 and all later versions prior to 18.4 versions prior to 18.4R2-S9, 18.4R3-S9 with the exception of 15.1 versions 15.1R7-S10 and later versions; 19.4 versions prior to 19.4R3-S3; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2; This issue does not affect Juniper Networks Junos OS versions prior to 5.6R1. On SRX Series this issue affects Juniper Networks Junos OS: 18.4 versions prior to 18.4R2-S9, 18.4R3-S9; 19.4 versions prior to 19.4R3-S4; 20.1 versions prior to 20.1R3; 20.2 versions prior to 20.2R3-S2; 20.3 version 20.3R1 and later versions; 20.4 versions prior to 20.4R3; 21.1 versions prior to 21.1R2. This issue does not affect 18.4 versions prior to 18.4R1 on SRX Series. This issue does not affect Junos OS Evolved.

Vulnerable Configurations

Part	Description	Count
OS	Juniper Juniper Junos 5.6 Juniper Junos 5.7 Juniper Junos 6.0 Juniper Junos 6.1 Juniper Junos 6.2 Juniper Junos 6.3 Juniper Junos 6.4 Juniper Junos 7.0 Juniper Junos 7.1 Juniper Junos 7.2 Juniper Junos 7.3 Juniper Junos 7.4 Juniper Junos 7.5 Juniper Junos 7.6 Juniper Junos 8.0 Juniper Junos 8.1 Juniper Junos 8.2 Juniper Junos 8.3 Juniper Junos 8.4 Juniper Junos 9.0 Juniper Junos 9.1 Juniper Junos 9.2 Juniper Junos 9.4 Juniper Junos 9.5 Juniper Junos 9.6 Juniper Junos 10.0 Juniper Junos 10.1 Juniper Junos 10.2 Juniper Junos 10.3 Juniper Junos 10.4 Juniper Junos 10.4R Juniper Junos 10.4S Juniper Junos 11.0 Juniper Junos 11.1 Juniper Junos 11.2 Juniper Junos 11.3 Juniper Junos 11.4 Juniper Junos 11.4R13 Juniper Junos 11.4X27 Juniper Junos 12.1 Juniper Junos 12.1R Juniper Junos 12.1X44 Juniper Junos 12.1X45 Juniper Junos 12.1X46 Juniper Junos 12.1X46-D10 Juniper Junos 12.1X47 Juniper Junos 12.2 Juniper Junos 12.2X50 Juniper Junos 12.2X65 Juniper Junos 12.3 Juniper Junos 12.3R12 Juniper Junos 12.3X48 Juniper Junos 12.3X50 Juniper Junos 13.1 Juniper Junos 13.1X49 Juniper Junos 13.1X50 Juniper Junos 13.2 Juniper Junos 13.2X51 Juniper Junos 13.2X52 Juniper Junos 13.3 Juniper Junos 13.3R9 Juniper Junos 14.1 Juniper Junos 14.1R7 Juniper Junos 14.1X50 Juniper Junos 14.1X51 Juniper Junos 14.1X53 Juniper Junos 14.1X53-D10 Juniper Junos 14.1X53-D15 Juniper Junos 14.1X53-D25 Juniper Junos 14.1X53-D26 Juniper Junos 14.1X53-D27 Juniper Junos 14.1X53-D30 Juniper Junos 14.1X53-D35 Juniper Junos 14.1X55 Juniper Junos 14.2 Juniper Junos 14.2R6 Juniper Junos 15.2 Juniper Junos 16 Juniper Junos 16.1 Juniper Junos 16.1R4-S12 Juniper Junos 16.1R6-S6 Juniper Junos 16.1R7-S3 Juniper Junos 16.1X65 Juniper Junos 16.1X70 Juniper Junos 16.2 Juniper Junos 17.1 Juniper Junos 17.1R3 Juniper Junos 17.2 Juniper Junos 17.2R3 Juniper Junos 17.2X75 Juniper Junos 17.3 Juniper Junos 17.3R3 Juniper Junos 17.3R3-S2 Juniper Junos 17.3R4 Juniper Junos 17.4 Juniper Junos 17.4R2-S1 Juniper Junos 17.4R2-S2 Juniper Junos 17.4R3 Juniper Junos 18 Juniper Junos 18.1 Juniper Junos 18.1R Juniper Junos 18.1R3-S1 Juniper Junos 18.1R4 Juniper Junos 18.1X75 Juniper Junos 18.2 Juniper Junos 18.2R Juniper Junos 18.2R2 Juniper Junos 18.2X75 Juniper Junos 18.2X75-D10 Juniper Junos 18.2X75-D30 Juniper Junos 18.3 Juniper Junos 18.3R Juniper Junos 18.3R2 Juniper Junos 18.4 Juniper Junos 19.4 Juniper Junos 20.1 Juniper Junos 20.2 Juniper Junos 20.4 Juniper Junos 21.1 Juniper Junos 20.3	637
Hardware	Juniper Juniper Acx1000 - Juniper Acx1100 - Juniper Acx2000 - Juniper Acx2100 - Juniper Acx2200 - Juniper Acx4000 - Juniper Acx500 - Juniper Acx5000 - Juniper Acx5048 - Juniper Acx5096 - Juniper Acx5400 - Juniper Ex2200 - Juniper Ex3300 - Juniper Ex3200 - Juniper Ex2200 C - Juniper Ex2300 - Juniper Ex2300 C - Juniper Ex2200 VC - Juniper Acx5448 - Juniper Atp700 - Juniper Atp400 - Juniper Acx6360 - Juniper Csrx - Juniper Ex2300M - Juniper Acx710 - Juniper Acx5800 - Juniper Acx6300 - Juniper Ctp150 - Juniper Ctp2008 - Juniper Ctp2024 - Juniper Ctp2056 - Juniper DX - Juniper DX 5.1 Juniper Ex4300 - Juniper Ex4600 - Juniper Ex3300 VC - Juniper Ex4200 - Juniper Ex4200 VC - Juniper Ex4300 VC - Juniper Ex4500 - Juniper Ex4500 VC - Juniper Ex4550 - Juniper Ex4550 VC - Juniper Ex4600 VC - Juniper Ex6200 - Juniper Ex8200 - Juniper Ex8200 VC - Juniper Ex3400 - Juniper Ex9200 - Juniper Ex4550/Vc - Juniper Ex4650 - Juniper Ex6210 - Juniper Ex8208 - Juniper Ex8216 - Juniper Ex9204 - Juniper Ex4300 MP - Juniper Ex4300M - Juniper Ex4300 24P - Juniper Ex4300 48T - Juniper Ex4300 48T AFI - Juniper Ex4300 48T DC - Juniper Ex4300 48T DC AFI - Juniper Ex4300 48Mp - Juniper Ex4300 32F - Juniper Ex4300 32F DC - Juniper Ex4300 48T S - Juniper Ex4300 48Tdc - Juniper Ex4300 48Tafi - Juniper Ex4300 48Tdc AFI - Juniper Ex4300 48P S - Juniper Ex4300 48P - Juniper Ex4300 48Mp S - Juniper Ex4300 24T S - Juniper Ex4300 24P S - Juniper Ex4300 32F S - Juniper Ex4300 24T - Juniper Ex4400 - Juniper Netscreen IDP 3.0 Juniper Netscreen IDP 3.0R1 Juniper Netscreen IDP 3.0R2 Juniper Infranet Controller 6500 - Juniper Mag2600 Gateway - Juniper Infranet Controller 4000 - Juniper Fips Secure Access 6000 - Juniper MX - Juniper Mag6610 Gateway - Juniper Fips Infranet Controller 6500 - Juniper Fips Secure Access 6500 - Juniper Netscreen 5400 - Juniper Netscreen 5200 - Juniper Fips Secure Access 4500 - Juniper Infranet Controller 6000 - Juniper Idp250 - Juniper Nsmexpress - Juniper Fips Secure Access 4000 - Juniper Nfx250 - Juniper Junos Space Ja1500 Appliance - Juniper Junos Space Ja2500 Appliance - Juniper Nsm3000 - Juniper Idp8200 - Juniper Idp800 - Juniper Netscreen 5GT 5.0 Juniper Netscreen 5GT - Juniper Infranet Controller 4500 - Juniper Idp75 - Juniper Mag4610 Gateway - Juniper Mag6611 Gateway - Juniper MX5 - Juniper Mx10 - Juniper Mx40 - Juniper Mx80 - Juniper Mx104 - Juniper Mx240 - Juniper Mx480 - Juniper Mx960 - Juniper Mx2010 - Juniper Mx2020 - Juniper EX RPS - Juniper NFX - Juniper Junos - Juniper Nfx150 - Juniper Ex9208 - Juniper Ex9214 - Juniper Ex9251 - Juniper Ex9253 - Juniper Ocx1100 - Juniper Mx150 - Juniper Mx204 - Juniper Mx2008 - Juniper Mx10003 - Juniper Mx10008 - Juniper Ptx1000 - Juniper Ptx3000 - Juniper Ptx5000 - Juniper Ptx10002 - Juniper Ptx10008 - Juniper Ptx10016 - Juniper M7I - Juniper M10I - Juniper M120 - Juniper M320 - Juniper Ln1000 - Juniper Ln2600 - Juniper Gfx3600 - Juniper Ex9250 - Juniper Mx10016 - Juniper Ptx10000 - Juniper Ptx10001 - Juniper Ptx10003 - Juniper Mx10000 - Juniper Nfx350 - Juniper Ptx10001 36Mr - Juniper Ptx10004 - Juniper Ptx100016 - Juniper Ptx1000 72Q - Juniper Ptx10002 60C - Juniper Ptx10003 160C - Juniper Ptx10003 80C - Juniper Ptx10003 81Cd - Juniper Jatp 400 Juniper Jatp 700 Juniper Netscreen IDP 10 - Juniper Netscreen IDP 100 - Juniper Netscreen IDP 1000 - Juniper Netscreen IDP 500 - Juniper Secure Access 2000 - Juniper Secure Access 6000 - Juniper Secure Access 4000 - Juniper Secure Access 4500 - Juniper Secure Access 700 - Juniper Qfx3500 - Juniper Qfx10000 - Juniper Qfx3600 - Juniper Qfx5110 - Juniper Secure Access 2500 - Juniper Qfx10002 - Juniper Qfx10016 - Juniper Qfx10008 - Juniper Qfx5100 - Juniper Qfx5200 - Juniper Secure Access 6500 - Juniper Xre200 - Juniper Qfx3000 G - Juniper Qfx3000 M - Juniper Qfx5120 - Juniper Qfx5210 - Juniper T320 - Juniper T640 - Juniper T1600 - Juniper T4000 - Juniper Qfx5200 48Y - Juniper Qfx5200 32C - Juniper Qfx5210 64C - Juniper Qfx3100 - Juniper Qfx3008 I - Juniper Qfx3600 I - Juniper Qfx5220 - Juniper Qfx5130 - Juniper Qfx5100 96S - Juniper Qfx10002 60C - Juniper Qfx10002 72Q - Juniper Qfx10002 32Q - Juniper Router M10 - Juniper Router M16 - Juniper Router M20 - Juniper Router M40 - Juniper Router M5 - Juniper Srx100 - Juniper Srx110 - Juniper Srx1400 - Juniper Srx1500 - Juniper Srx210 - Juniper Srx220 - Juniper Srx240 - Juniper Srx240H2 - Juniper Srx300 - Juniper Srx320 - Juniper Srx340 - Juniper Srx650 - Juniper Srx5600 - Juniper Srx3400 - Juniper Srx3600 - Juniper Srx5800 - Juniper Srx550 - Juniper Srx4200 - Juniper Srx4100 - Juniper Srx5400 - Juniper Srx4000 - Juniper Srx345 - Juniper Srx4600 - Juniper Srx550 HM - Juniper Srx550M - Juniper Srx380 - Juniper Srx5000 -	234

Common Weakness Enumeration (CWE)

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging Race Conditions via Symbolic Links
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to her. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file she will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

References

https://kb.juniper.net/JSA11191