CVE-2020-1637

Name of the Vulnerable Software and Affected Versions: Juniper Networks Junos OS on SRX Series versions 12.3X48 prior to 12.3X48-D100 Juniper Networks Junos OS on SRX Series versions 15.1X49 prior to 15.1X49-D210 Juniper Networks Junos OS on SRX Series versions 17.3 prior to 17.3R2-S5, 17.3R3-S8 Juniper Networks Junos OS on SRX Series versions 17.4 prior to 17.4R2-S9, 17.4R3-S1 Juniper Networks Junos OS on SRX Series versions 18.1 prior to 18.1R3-S10 Juniper Networks Junos OS on SRX Series versions 18.2 prior to 18.2R2-S7, 18.2R3-S3 Juniper Networks Junos OS on SRX Series versions 18.3 prior to 18.3R1-S7, 18.3R3-S2 Juniper Networks Junos OS on SRX Series versions 18.4 prior to 18.4R1-S6, 18.4R2-S4, 18.4R3-S1 Juniper Networks Junos OS on SRX Series versions 19.1 prior to 19.1R1-S4, 19.1R2-S1, 19.1R3 Juniper Networks Junos OS on SRX Series versions 19.2 prior to 19.2R1-S3, 19.2R2 Juniper Networks Junos OS on SRX Series versions 19.3 prior to 19.3R2-S1, 19.3R3 Juniper Networks Junos OS on SRX Series versions 19.4 prior to 19.4R1-S1, 19.4R2

Description: A vulnerability in Juniper Networks SRX Series device configured as a Junos OS Enforcer device may allow a user to access network resources that are not permitted by a UAC policy. This issue might occur when the IP address range configured in the Infranet Controller (IC) is configured as an IP address range instead of an IP address/netmask. The Junos OS Enforcer CLI settings are disabled by default. The issue is related to authentication weaknesses.

Recommendations: As a temporary workaround, consider disabling the Junos OS Enforcer CLI settings until a patch is available. Restrict access to the Infranet Controller (IC) to minimize the risk of exploitation. Avoid using IP address ranges instead of IP address/netmask in the IC configuration until the issue is resolved. Update to a fixed version of Juniper Networks Junos OS on SRX Series for each affected version. For versions 12.3X48, update to 12.3X48-D100 or later. For versions 15.1X49, update to 15.1X49-D210 or later. For versions 17.3, update to 17.3R2-S5, 17.3R3-S8 or later. For versions 17.4, update to 17.4R2-S9, 17.4R3-S1 or later. For versions 18.1, update to 18.1R3-S10 or later. For versions 18.2, update to 18.2R2-S7, 18.2R3-S3 or later. For versions 18.3, update to 18.3R1-S7, 18.3R3-S2 or later. For versions 18.4, update to 18.4R1-S6, 18.4R2-S4, 18.4R3-S1 or later. For versions 19.1, update to 19.1R1-S4, 19.1R2-S1, 19.1R3 or later. For versions 19.2, update to 19.2R1-S3, 19.2R2 or later. For versions 19.3, update to 19.3R2-S1, 19.3R3 or later. For versions 19.4, update to 19.4R1-S1, 19.4R2 or later.