PT-2018-1753 · Juniper Networks · Junos
Published: 2018-10-10 · Updated: 2019-10-09 · CVE-2018-0052
CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Junos OS versions 12.1X46 prior to 12.1X46-D77
Junos OS versions 12.3 prior to 12.3R12-S10
Junos OS versions 12.3X48 prior to 12.3X48-D75
Junos OS versions 14.1X53 prior to 14.1X53-D47
Junos OS versions 15.1 prior to 15.1R4-S9, 15.1R6-S6, 15.1R7
Junos OS versions 15.1X49 prior to 15.1X49-D131, 15.1X49-D140
Junos OS versions 15.1X53 prior to 15.1X53-D59
Junos OS versions 15.1X53 prior to 15.1X53-D67
Junos OS versions 15.1X53 prior to 15.1X53-D233
Junos OS versions 15.1X53 prior to 15.1X53-D471, 15.1X53-D490
Junos OS versions 16.1 prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7
Junos OS versions 16.2 prior to 16.2R2-S5
Junos OS versions 17.1 prior to 17.1R1-S7, 17.1R2-S7, 17.1R3
Junos OS versions 17.2 prior to 17.2R1-S6, 17.2R2-S4, 17.2R3
Junos OS versions 17.2X75 prior to 17.2X75-D110, 17.2X75-D91
Junos OS versions 17.3 prior to 17.3R1-S4, 17.3R2-S2, 17.3R3
Junos OS versions 17.4 prior to 17.4R1-S3, 17.4R2
Junos OS versions 18.2X75 prior to 18.2X75-D5
Description
The issue is related to insufficient access control in the Remote Shell (RSH) service of Junos OS. If the RSH service is enabled and PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device. The RSH service is disabled by default on Junos OS, but a privileged Junos user can run an undocumented CLI command that enables the service and disables PAM, exposing the system to unauthenticated root access. When RSH is enabled, the device listens for RSH connections on port 514. This issue is not exploitable on platforms where the Junos release is based on FreeBSD 10+.
Recommendations
For each of the affected Junos OS versions, update to the respective fixed version or later to resolve the issue.
As a temporary workaround, consider disabling the RSH service until a patch is available.
Restrict access to the device to minimize the risk of exploitation.
Avoid using the undocumented CLI command that enables the RSH service and disables PAM until the issue is resolved.
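To support the update recommendation, the following added example (not part of the advisory or any Juniper tooling) triages an inventory of Junos version strings against the R-train fixed releases listed above. It assumes that a later S release on the same R branch, or any R release newer than the newest listed fix, carries the fix; the hostnames and inventory are constructed, and X-train releases are returned as "unknown" for manual review. An "affected" result is a version match only: exposure still depends on RSH being enabled and on the FreeBSD base, as the description states.

```python
import re

# Fixed releases for the R-train lines, copied from the affected-versions list
# above as (R, S) pairs; S=0 means the base R release.
FIXED = {
    "12.3": [(12, 10)],
    "15.1": [(4, 9), (6, 6), (7, 0)],
    "16.1": [(3, 9), (4, 9), (5, 4), (6, 4), (7, 0)],
    "16.2": [(2, 5)],
    "17.1": [(1, 7), (2, 7), (3, 0)],
    "17.2": [(1, 6), (2, 4), (3, 0)],
    "17.3": [(1, 4), (2, 2), (3, 0)],
    "17.4": [(1, 3), (2, 0)],
}

# Matches e.g. "17.3R2-S1" or "15.1R6-S6.3"; the trailing ".build" is ignored.
VERSION_RE = re.compile(r"^(\d+\.\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def triage(version):
    """Return 'fixed', 'affected' or 'unknown' for a Junos version string."""
    m = VERSION_RE.match(version.strip())
    if not m or m.group(1) not in FIXED:
        return "unknown"  # X-trains and unlisted trains need manual review
    r, s = int(m.group(2)), int(m.group(3) or 0)
    fixes = FIXED[m.group(1)]
    # Assumption: a later S release on the same R branch carries the fix,
    # and so does any R release newer than the newest listed fix.
    if any(r == fr and s >= fs for fr, fs in fixes):
        return "fixed"
    if r > max(fr for fr, _ in fixes):
        return "fixed"
    return "affected"

# Constructed inventory: hostnames and versions are made up for this example.
INVENTORY = {
    "edge-01": "17.3R2-S1",
    "edge-02": "17.3R3.10",
    "core-01": "15.1R5",
    "agg-01": "16.1R7",
    "fw-01": "12.3X48-D70",
}

def affected_hosts(inventory):
    """Hosts whose version predates every applicable fixed release."""
    return sorted(h for h, v in inventory.items() if triage(v) == "affected")

if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: {INVENTORY[host]} predates the fixed releases")
```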
Fix
Improper Access Control
Improper Authentication
Affected Products
Junos