CVE-2020-1631 is a vulnerability in Juniper Networks Junos
Published on May 4, 2020
A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into the httpd.log, read files with 'world' readable permission, or obtain J-Web session tokens.

In the case of command injection, as the HTTP service runs as user 'nobody', the impact of this command injection is limited. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading files with 'world' readable permission, in Junos OS 19.3R1 and above, the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access as anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes:

    user@device> show system processes | match http
    5260  -  S  0:00.13 /usr/sbin/httpd-gk -N
    5797  -  I  0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize:
- If HTTP/HTTPS services are disabled, there is no impact from this vulnerability.
- If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
- If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions.

Indicators of Compromise: The /var/log/httpd.log may have indicators that commands have been injected or files have been accessed. The device administrator can look for these indicators by searching for the string patterns "=*;*&" or "*%3b*&" in /var/log/httpd.log, using the following command:

    user@device> show log httpd.log | match "=*;*&|=*%3b*&"

If this command returns any output, it might be an indication of malicious attempts or simply scanning activities. Rotated logs should also be reviewed, using the following commands:

    user@device> show log httpd.log.0.gz | match "=*;*&|=*%3b*&"
    user@device> show log httpd.log.1.gz | match "=*;*&|=*%3b*&"

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked.

This issue affects Juniper Networks Junos OS:
- 12.3 versions prior to 12.3R12-S16;
- 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105;
- 14.1X53 versions prior to 14.1X53-D54;
- 15.1 versions prior to 15.1R7-S7;
- 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220;
- 16.1 versions prior to 16.1R7-S8;
- 17.2 versions prior to 17.2R3-S4;
- 17.3 versions prior to 17.3R3-S8;
- 17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
- 18.1 versions prior to 18.1R3-S10;
- 18.2 versions prior to 18.2R2-S7, 18.2R3-S4;
- 18.3 versions prior to 18.3R2-S4, 18.3R3-S2;
- 18.4 versions prior to 18.4R1-S7, 18.4R3-S2; 18.4 version 18.4R2 and later versions;
- 19.1 versions prior to 19.1R1-S5, 19.1R3-S1; 19.1 version 19.1R2 and later versions;
- 19.2 versions prior to 19.2R2;
- 19.3 versions prior to 19.3R2-S3, 19.3R3;
- 19.4 versions prior to 19.4R1-S2, 19.4R2;
- 20.1 versions prior to 20.1R1-S1, 20.1R2.
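As an added example (not part of this page or of Juniper's advisory), the same indicator search run offline in Python over httpd.log copies and rotated httpd.log.N.gz files exported from a device. The log layout in the sample is constructed, and the regex is an assumed reading of the advisory's pattern: an '=' followed by a ';' or its URL-encoded form '%3b' and then '&', with the encoded form matched case-insensitively.

```python
import gzip
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

# Indicator described in the Juniper advisory: a parameter value ('=' ...)
# containing a ';' or its URL-encoded form '%3b', followed by '&'.
# IGNORECASE covers '%3B', since percent-encoding is case-insensitive.
INDICATOR = re.compile(r"=.*(?:;|%3b).*&", re.IGNORECASE)


def scan_lines(lines: Iterable[str]) -> List[str]:
    """Return the log lines matching the indicator, line endings stripped."""
    return [ln.rstrip("\r\n") for ln in lines if INDICATOR.search(ln)]


def scan_log_file(path: Path) -> List[str]:
    """Scan a plain httpd.log or a rotated httpd.log.N.gz copied off the device."""
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return scan_lines(fh)


# Constructed sample in a generic access-log layout (assumed, not real Junos output).
# Lines 2 and 3 carry the indicator; the others are ordinary requests, including
# one with '&' but no ';' so that plain multi-parameter URLs are not flagged.
SAMPLE_HTTPD_LOG = (
    '192.0.2.10 - - [04/May/2020:10:00:01 +0000] "GET /login.php?user=alice HTTP/1.1" 200\n'
    '198.51.100.7 - - [04/May/2020:10:00:02 +0000] "GET /index.php?q=abc;def&r=1 HTTP/1.1" 200\n'
    '198.51.100.7 - - [04/May/2020:10:00:03 +0000] "GET /index.php?q=abc%3Bdef&r=1 HTTP/1.1" 200\n'
    '192.0.2.11 - - [04/May/2020:10:00:04 +0000] "GET /static/style.css HTTP/1.1" 200\n'
    '192.0.2.12 - - [04/May/2020:10:00:05 +0000] "GET /search?a=1&b=2 HTTP/1.1" 200\n'
)


def scan_sample_rotated() -> List[str]:
    """Write the sample as a gzip-rotated log in a temp dir and scan it,
    mirroring a review of httpd.log.0.gz."""
    with tempfile.TemporaryDirectory() as tmp:
        rotated = Path(tmp) / "httpd.log.0.gz"
        with gzip.open(rotated, "wt", encoding="utf-8") as fh:
            fh.write(SAMPLE_HTTPD_LOG)
        return scan_log_file(rotated)


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_HTTPD_LOG.splitlines(keepends=True)):
        print("indicator:", hit)
```

As the advisory notes, a hit is only an indication of an attempt or of scanning, and an absence of hits proves nothing if the attacker has trimmed the log.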
Known Exploited Vulnerability
This Juniper Junos OS Path Traversal Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. A path traversal vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform remote code execution.
The following remediation steps are recommended / required by April 15, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2020-1631 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to be critical, as this vulnerability has a high impact on the confidentiality, integrity and availability of this component.
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2020-1631 has been classified as a Directory traversal vulnerability or weakness.
What versions of Junos are vulnerable to CVE-2020-1631?
- Juniper Networks Junos Version 15.1x49 d50
- Juniper Networks Junos Version 15.1x49 d30
- Juniper Networks Junos Version 15.1 r7
- Juniper Networks Junos Version 12.3 r11
- Juniper Networks Junos Version 15.1x49 d70
- Juniper Networks Junos Version 15.1 f1
- Juniper Networks Junos Version 15.1x49 d80
- Juniper Networks Junos Version 14.1x53 d45
- Juniper Networks Junos Version 15.1 f6-s4
- Juniper Networks Junos Version 14.1x53 d15
- Juniper Networks Junos Version 12.3x48 d10
- Juniper Networks Junos Version 15.1x49 d110
- Juniper Networks Junos Version 15.1 f2-s3
- Juniper Networks Junos Version 15.1 f7
- Juniper Networks Junos Version 15.1x49 d60
- Juniper Networks Junos Version 14.1x53 d35
- Juniper Networks Junos Version 14.1x53 d10
- Juniper Networks Junos Version 16.1 r1
- Juniper Networks Junos Version 14.1x53 d40
- Juniper Networks Junos Version 15.1 r3
- Juniper Networks Junos Version 14.1x53 d30
- Juniper Networks Junos Version 12.3x48 d15
- Juniper Networks Junos Version 14.1x53 d42
- Juniper Networks Junos Version 15.1 f2-s2
- Juniper Networks Junos Version 12.3 r1
- Juniper Networks Junos Version 15.1 r6
- Juniper Networks Junos Version 15.1 f4
- Juniper Networks Junos Version 15.1 r4
- Juniper Networks Junos Version 15.1 f2-s4
- Juniper Networks Junos Version 12.3x48 d35
- Juniper Networks Junos Version 14.1x53 d25
- Juniper Networks Junos Version 12.3x48 d50
- Juniper Networks Junos Version 15.1 f5-s7
- Juniper Networks Junos Version 15.1 f6-s7
- Juniper Networks Junos Version 15.1 f6
- Juniper Networks Junos Version 15.1x49 d100
- Juniper Networks Junos Version 12.3 r12
- Juniper Networks Junos Version 15.1 f2
- Juniper Networks Junos Version 14.1x53 d27
- Juniper Networks Junos Version 12.3x48 d30
- Juniper Networks Junos Version 15.1x49 d35
- Juniper Networks Junos Version 15.1 a1
- Juniper Networks Junos Version 17.2 r1
- Juniper Networks Junos Version 16.1 r4-s4
- Juniper Networks Junos Version 15.1 f3
- Juniper Networks Junos Version 15.1 r2
- Juniper Networks Junos Version 14.1x53 d16
- Juniper Networks Junos Version 16.1 r4
- Juniper Networks Junos Version 15.1 r4-s7
- Juniper Networks Junos Version 15.1x49 d45
- Juniper Networks Junos Version 12.3 r10
- Juniper Networks Junos Version 15.1 r4-s8
- Juniper Networks Junos Version 16.1 r4-s3
- Juniper Networks Junos Version 15.1x49 d75
- Juniper Networks Junos Version 15.1x49 d65
- Juniper Networks Junos Version 15.1 r5-s5
- Juniper Networks Junos Version 15.1x49 d90
- Juniper Networks Junos Version 14.1x53 d43
- Juniper Networks Junos Version 15.1 r6-s1
- Juniper Networks Junos Version 12.3x48 d25
- Juniper Networks Junos Version 14.1x53 d44
- Juniper Networks Junos Version 12.3x48 d45
- Juniper Networks Junos Version 15.1 r5
- Juniper Networks Junos Version 12.3x48 d55
- Juniper Networks Junos Version 15.1 r1
- Juniper Networks Junos Version 15.1x49 d40
- Juniper Networks Junos Version 15.1 f2-s1
- Juniper Networks Junos Version 15.1 r5-s1
- Juniper Networks Junos Version 17.2 r2
- Juniper Networks Junos Version 15.1 f5
- Juniper Networks Junos Version 12.3x48 d20
- Juniper Networks Junos Version 16.1 r3
- Juniper Networks Junos Version 15.1x49 d20
- Juniper Networks Junos Version 16.1 r5
- Juniper Networks Junos Version 15.1x49 d10
- Juniper Networks Junos Version 14.1x53 d26
- Juniper Networks Junos Version 15.1x49 d55
- Juniper Networks Junos Version 15.1x49 d15
- Juniper Networks Junos Version 12.3x48 d40
- Juniper Networks Junos Version 16.1 r2
- Juniper Networks Junos Version 14.1x53 d50
- Juniper Networks Junos Version 15.1 r5-s6
- Juniper Networks Junos Version 15.1 r6-s2
- Juniper Networks Junos Version 17.2 r1-s2
- Juniper Networks Junos Version 15.1x49 d25
- Juniper Networks Junos Version 12.3x48 d60
- Juniper Networks Junos Version 12.3x48 d65
- Juniper Networks Junos Version 14.1x53 d46
- Juniper Networks Junos Version 15.1x49 d120
- Juniper Networks Junos Version 15.1x49 d130
- Juniper Networks Junos Version 15.1 r4-s9
- Juniper Networks Junos Version 15.1 r6-s6
- Juniper Networks Junos Version 16.1 r5-s4
- Juniper Networks Junos Version 16.1 r6-s1
- Juniper Networks Junos Version 16.1 r7
- Juniper Networks Junos Version 17.3 r2
- Juniper Networks Junos Version 17.4 r1
- Juniper Networks Junos Version 17.4 r2
- Juniper Networks Junos Version 15.1 f
- Juniper Networks Junos Version 12.3x48 d70
- Juniper Networks Junos Version 15.1x49 d140
- Juniper Networks Junos Version 17.3 r2-s2
- Juniper Networks Junos Version 15.1 f6-s3
- Juniper Networks Junos Version 14.1x53 d47
- Juniper Networks Junos Version 14.1x53 d48
- Juniper Networks Junos Version 18.1 r3
- Juniper Networks Junos Version 15.1 r7-s1
- Juniper Networks Junos Version 17.2 r2-s6
- Juniper Networks Junos Version 12.3x48 d75
- Juniper Networks Junos Version 15.1x49 d160
- Juniper Networks Junos Version 16.1 r6-s6
- Juniper Networks Junos Version 18.1 r2
- Juniper Networks Junos Version 16.1 r3-s10
- Juniper Networks Junos Version 17.2 r1-s7
- Juniper Networks Junos Version 15.1 r7-s2
- Juniper Networks Junos Version 15.1 r7-s3
- Juniper Networks Junos Version 12.3x48 d51
- Juniper Networks Junos Version 17.4 r2-s2
- Juniper Networks Junos Version 17.2 r1-s1
- Juniper Networks Junos Version 17.2 r1-s3
- Juniper Networks Junos Version 17.2 r1-s5
- Juniper Networks Junos Version 17.4 r1-s1
- Juniper Networks Junos Version 12.3x48 d80
- Juniper Networks Junos Version 15.1x49 d150
- Juniper Networks Junos Version 18.2 -
- Juniper Networks Junos Version 18.2 r2-s1
- Juniper Networks Junos Version 18.2 r2-s2
- Juniper Networks Junos Version 18.2 r1-s3
- Juniper Networks Junos Version 18.3 r1-s1
- Juniper Networks Junos Version 17.2 r1-s4
- Juniper Networks Junos Version 17.3 r3-s1
- Juniper Networks Junos Version 17.3 r3-s2
- Juniper Networks Junos Version 17.4 r1-s2
- Juniper Networks Junos Version 17.3 r2-s1
- Juniper Networks Junos Version 18.3 r2
- Juniper Networks Junos Version 18.3 r1
- Juniper Networks Junos Version 17.4 r3
- Juniper Networks Junos Version 17.4 r2-s1
- Juniper Networks Junos Version 18.1 r2-s2
- Juniper Networks Junos Version 15.1 f6-s2
- Juniper Networks Junos Version 15.1 f6-s1
- Juniper Networks Junos Version 18.4 r1
- Juniper Networks Junos Version 17.4 -
- Juniper Networks Junos Version 18.1 r3-s4
- Juniper Networks Junos Version 18.1 r3-s3
- Juniper Networks Junos Version 18.1 r3-s2
- Juniper Networks Junos Version 18.1 -
- Juniper Networks Junos Version 18.1 r2-s1
- Juniper Networks Junos Version 18.1 r2-s4
- Juniper Networks Junos Version 15.1 -
- Juniper Networks Junos Version 16.1 -
- Juniper Networks Junos Version 17.2 -
- Juniper Networks Junos Version 17.3 -
- Juniper Networks Junos Version 12.3 r12-s8
- Juniper Networks Junos Version 12.3x48 -
- Juniper Networks Junos Version 14.1x53 -
- Juniper Networks Junos Version 15.1x49 -
- Juniper Networks Junos Version 18.3 r1-s2
- Juniper Networks Junos Version 18.3 -
- Juniper Networks Junos Version 18.4 -
- Juniper Networks Junos Version 17.4 r1-s5
- Juniper Networks Junos Version 18.1 r3-s1
- Juniper Networks Junos Version 17.3 r3 -
- Juniper Networks Junos Version 17.3 r3-s3
- Juniper Networks Junos Version 17.4 r1-s7
- Juniper Networks Junos Version 12.3 -
- Juniper Networks Junos Version 16.1 r3-s11
- Juniper Networks Junos Version 17.4 r1-s4
- Juniper Networks Junos Version 18.4 r1-s1
- Juniper Networks Junos Version 15.1x49 d180
- Juniper Networks Junos Version 15.1x49 d170
- Juniper Networks Junos Version 17.3 r3-s4
- Juniper Networks Junos Version 17.4 r2-s3
- Juniper Networks Junos Version 17.4 r2-s4
- Juniper Networks Junos Version 17.4 r1-s6
- Juniper Networks Junos Version 18.3 r1-s3
- Juniper Networks Junos Version 17.2 r2-s7
- Juniper Networks Junos Version 18.2 r2-s3
- Juniper Networks Junos Version 18.2 r2-s4
- Juniper Networks Junos Version 14.1x53 d49
- Juniper Networks Junos Version 17.2 r3-s1
- Juniper Networks Junos Version 18.2 r1-s5
- Juniper Networks Junos Version 17.2 r1-s8
- Juniper Networks Junos Version 12.3x48 d85
- Juniper Networks Junos Version 18.4 r1-s3
- Juniper Networks Junos Version 18.4 r1-s4
- Juniper Networks Junos Version 18.4 r1-s2
- Juniper Networks Junos Version 19.1 r1
- Juniper Networks Junos Version 19.1 -
- Juniper Networks Junos Version 17.3 r2-s3
- Juniper Networks Junos Version 16.1 r7-s3
- Juniper Networks Junos Version 16.1 r7-s4
- Juniper Networks Junos Version 17.2 r3-s2
- Juniper Networks Junos Version 17.4 r2-s5
- Juniper Networks Junos Version 17.4 r2-s6
- Juniper Networks Junos Version 17.4 r2-s7
- Juniper Networks Junos Version 19.2 r1
- Juniper Networks Junos Version 18.4 r2
- Juniper Networks Junos Version 18.2 r3
- Juniper Networks Junos Version 18.1 r3-s6
- Juniper Networks Junos Version 18.1 r3-s7
- Juniper Networks Junos Version 19.1 r1-s1
- Juniper Networks Junos Version 19.1 r1-s3
- Juniper Networks Junos Version 19.1 r1-s2
- Juniper Networks Junos Version 12.3 r12-s13
- Juniper Networks Junos Version 12.3 r12-s14
- Juniper Networks Junos Version 15.1 r7-s4
- Juniper Networks Junos Version 17.3 r1-s1
- Juniper Networks Junos Version 15.1 r7-s5
- Juniper Networks Junos Version 16.1 r7-s2
- Juniper Networks Junos Version 18.2 r2-s5
- Juniper Networks Junos Version 18.2 r2-s6
- Juniper Networks Junos Version 18.4 r1-s5
- Juniper Networks Junos Version 15.1 f6-s12
- Juniper Networks Junos Version 19.2 r1-s1
- Juniper Networks Junos Version 19.2 r1-s2
- Juniper Networks Junos Version 18.3 r1-s5
- Juniper Networks Junos Version 18.2 r3-s1
- Juniper Networks Junos Version 15.1x49 d190
- Juniper Networks Junos Version 16.1 r7-s5
- Juniper Networks Junos Version 12.3 r12-s1
- Juniper Networks Junos Version 12.3 r12-s3
- Juniper Networks Junos Version 12.3 r12-s4
- Juniper Networks Junos Version 12.3 r12-s6
- Juniper Networks Junos Version 12.3 r12-s11
- Juniper Networks Junos Version 12.3 r12-s12
- Juniper Networks Junos Version 16.1 r4-s12
- Juniper Networks Junos Version 16.1 r4-s6
- Juniper Networks Junos Version 16.1 r4-s2
- Juniper Networks Junos Version 17.3 r2-s4
- Juniper Networks Junos Version 14.1x53 d51
- Juniper Networks Junos Version 18.3 r2-s1
- Juniper Networks Junos Version 18.3 r2-s2
- Juniper Networks Junos Version 17.4 r2-s8
- Juniper Networks Junos Version 12.3 r10-s1
- Juniper Networks Junos Version 12.3 r10-s2
- Juniper Networks Junos Version 18.4 r2-s1
- Juniper Networks Junos Version 17.2 r2-s11
- Juniper Networks Junos Version 19.3 -
- Juniper Networks Junos Version 19.3 r1
- Juniper Networks Junos Version 19.2 -
- Juniper Networks Junos Version 18.4 r2-s2
- Juniper Networks Junos Version 18.3 r1-s6
- Juniper Networks Junos Version 18.2 r3-s2
- Juniper Networks Junos Version 18.1 r3-s8
- Juniper Networks Junos Version 14.1x53 d52
- Juniper Networks Junos Version 19.2 r1-s3
- Juniper Networks Junos Version 18.3 r3
- Juniper Networks Junos Version 16.1 r7-s6
- Juniper Networks Junos Version 19.4 r1
- Juniper Networks Junos Version 19.3 r2
- Juniper Networks Junos Version 18.4 r3
- Juniper Networks Junos Version 18.4 r2-s3
- Juniper Networks Junos Version 18.3 r3-s1
- Juniper Networks Junos Version 18.1 r3-s9
- Juniper Networks Junos Version 17.3 r3-s7
- Juniper Networks Junos Version 15.1x49 d200
- Juniper Networks Junos Version 19.3 r2-s1
- Juniper Networks Junos Version 19.3 r1-s1
- Juniper Networks Junos Version 20.1 r1
- Juniper Networks Junos Version 19.4 r1-s1
- Juniper Networks Junos Version 19.3 r2-s2
- Juniper Networks Junos Version 19.1 r1-s4
- Juniper Networks Junos Version 18.4 r1-s6
- Juniper Networks Junos Version 18.3 r2-s3
- Juniper Networks Junos Version 18.2 r3-s3
- Juniper Networks Junos Version 17.4 r3-s1
- Juniper Networks Junos Version 17.4 r2-s9
- Juniper Networks Junos Version 17.4 r2-s10
- Juniper Networks Junos Version 17.2 r3-s3
- Juniper Networks Junos Version 16.1 r7-s7
- Juniper Networks Junos Version 15.1x49 d210
- Juniper Networks Junos Version 14.1x53 d53
- Juniper Networks Junos Version 12.3x48 d95
- Juniper Networks Junos Version 12.3x48 d90
- Juniper Networks Junos Version 12.3x48 d100
- Juniper Networks Junos Version 12.3 r12-s15