PT-2024-2854 · Juniper Networks · Junos+1

Published

2024-04-10

·

Updated

2024-05-16

·

CVE-2024-21615

CVSS v4.0

5.1

Medium

VectorAV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Junos OS versions prior to 21.2R3-S7 Junos OS versions 21.4 through 21.4R3-S5 Junos OS versions 22.1 through 22.1R3-S5 Junos OS versions 22.2 through 22.2R3-S3 Junos OS versions 22.3 through 22.3R3-S2 Junos OS versions 22.4 through 22.4R3 Junos OS versions 23.2 through 23.2R1-S2 Junos OS Evolved versions prior to 21.2R3-S7-EVO Junos OS Evolved versions 21.3 through 21.3R3-S5-EVO Junos OS Evolved versions 21.4 through 21.4R3-S5-EVO Junos OS Evolved versions 22.1 through 22.1R3-S5-EVO Junos OS Evolved versions 22.2 through 22.2R3-S3-EVO Junos OS Evolved versions 22.3 through 22.3R3-S2-EVO Junos OS Evolved versions 22.4 through 22.4R3-EVO Junos OS Evolved versions 23.2 through 23.2R1-S2
Description The issue is related to an Incorrect Default Permissions vulnerability in Juniper Networks Junos OS and Junos OS Evolved, allowing a local, low-privileged attacker to access confidential information on the system. When NETCONF traceoptions are configured and a super-user performs specific actions via NETCONF, a low-privileged user can access sensitive information, compromising the confidentiality of the system.
Recommendations For Junos OS versions prior to 21.2R3-S7, update to version 21.2R3-S7 or later. For Junos OS versions 21.4 through 21.4R3-S5, update to version 21.4R3-S5 or later. For Junos OS versions 22.1 through 22.1R3-S5, update to version 22.1R3-S5 or later. For Junos OS versions 22.2 through 22.2R3-S3, update to version 22.2R3-S3 or later. For Junos OS versions 22.3 through 22.3R3-S2, update to version 22.3R3-S2 or later. For Junos OS versions 22.4 through 22.4R3, update to version 22.4R3 or later. For Junos OS versions 23.2 through 23.2R1-S2, update to version 23.2R1-S2 or later. For Junos OS Evolved versions prior to 21.2R3-S7-EVO, update to version 21.2R3-S7-EVO or later. For Junos OS Evolved versions 21.3 through 21.3R3-S5-EVO, update to version 21.3R3-S5-EVO or later. For Junos OS Evolved versions 21.4 through 21.4R3-S5-EVO, update to version 21.4R3-S5-EVO or later. For Junos OS Evolved versions 22.1 through 22.1R3-S5-EVO, update to version 22.1R3-S5-EVO or later. For Junos OS Evolved versions 22.2 through 22.2R3-S3-EVO, update to version 22.2R3-S3-EVO or later. For Junos OS Evolved versions 22.3 through 22.3R3-S2-EVO, update to version 22.3R3-S2-EVO or later. For Junos OS Evolved versions 22.4 through 22.4R3-EVO, update to version 22.4R3-EVO or later. For Junos OS Evolved versions 23.2 through 23.2R1-S2, update to version 23.2R1-S2 or later. As a temporary workaround, consider disabling NETCONF traceoptions until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

Fix

Incorrect Default Permissions

Weakness Enumeration

CWE-276

Related Identifiers

BDU:2024-03002
CVE-2024-21615

Affected Products

Junos
Junos Evolved