Junos OS Evolved: Missing Auth in SI CF Interface Priv Esc ( v23.2R2-EVO)
CVE-2024-39546 Published on July 11, 2024
Junos OS Evolved: Local low-privilege user can gain root permissions leading to privilege escalation
A Missing Authorization vulnerability in the Socket Intercept (SI) command file interface of Juniper Networks Junos OS Evolved allows an authenticated, low-privilege local attacker to modify certain files, allowing the attacker to cause any command to execute with root privileges leading to privilege escalation ultimately compromising the system.
This issue affects Junos OS Evolved:
* All versions prior to 21.2R3-S8-EVO,
* 21.4 versions prior to 21.4R3-S6-EVO,
* 22.1 versions prior to 22.1R3-S5-EVO,
* 22.2 versions prior to 22.2R3-S3-EVO,
* 22.3 versions prior to 22.3R3-S3-EVO,
* 22.4 versions prior to 22.4R3-EVO,
* 23.2 versions prior to 23.2R2-EVO.
Vulnerability Analysis
CVE-2024-39546 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Initial Publication
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-39546 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-39546
stack.watch emails you whenever new vulnerabilities are published in Juniper Networks Junos Os Evolved or Juniper Networks Junos Evolved. Just hit a watch button to start following.
Affected Versions
Juniper Networks Junos OS Evolved:- Before 21.2R3-S8-EVO is affected.
- Version 21.4 and below 21.4R3-S6-EVO is affected.
- Version 22.1 and below 22.1R3-S5-EVO is affected.
- Version 22.2 and below 22.2R3-S3-EVO is affected.
- Version 22.3 and below 22.3R3-S3-EVO is affected.
- Version 22.4 and below 22.4R3-EVO is affected.
- Version 23.2 and below 23.2R2-EVO is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.