CVE-2018-0035

QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue.

CVSS v3 9.8 CRITICAL
CVSS v2.0 10.0 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

10.0^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 10.0 / Impact : 10.0

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securitytracker.com/id/1041336	Third Party Advisory VDB Entry
https://kb.juniper.net/JSA10869	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:juniper:junos:15.1x53:d21::::::
	cpe:2.3:o:juniper:junos:15.1x53:d30::::::
	cpe:2.3:o:juniper:junos:15.1x53:d31::::::
	cpe:2.3:o:juniper:junos:15.1x53:d32::::::
	cpe:2.3:o:juniper:junos:15.1x53:d33::::::
	cpe:2.3:o:juniper:junos:15.1x53:d60::::::

OR	cpe:2.3:h:juniper:qfx10002:-:::::::*
	cpe:2.3:h:juniper:qfx5200:-:::::::*

History

No history.

Information

Published : 2018-07-11 18:29

Updated : 2023-12-10 12:44

NVD link : CVE-2018-0035

Mitre link : CVE-2018-0035

CVE.ORG link : CVE-2018-0035

JSON object : View

Products Affected

juniper

qfx5200
qfx10002
junos

CWE

NVD-CWE-noinfo

{"id": "CVE-2018-0035", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.8}]}, "published": "2018-07-11T18:29:00.683", "references": [{"url": "http://www.securitytracker.com/id/1041336", "tags": ["Third Party Advisory", "VDB Entry"], "source": "sirt@juniper.net"}, {"url": "https://kb.juniper.net/JSA10869", "tags": ["Vendor Advisory"], "source": "sirt@juniper.net"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue."}, {"lang": "es", "value": "Los dispositivos QFX5200 y QFX10002 que se han distribuido con Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 y 15.1X53-D60 o que han sido actualizados a estas versiones mediante las im\u00e1genes .bin o .iso podr\u00edan contener una partici\u00f3n ONIE (Open Network Install Environment) adicional no planeada. Esta partici\u00f3n adicional permite que el superusuario reinicie en la partici\u00f3n ONIE, lo que eliminar\u00e1 el contenido de la partici\u00f3n Junos y su configuraci\u00f3n. Una vez reiniciada, la partici\u00f3n ONIE no tendr\u00e1 contrase\u00f1a root configurada, por lo que cualquier usuario podr\u00eda acceder como root a la consola a la consola o SSH mediante una direcci\u00f3n IP adquirida desde DHCP. Una vez el dispositivo ha sido distribuido o actualizado con la partici\u00f3n ONIE instalada, el problema persistir\u00e1. La simple actualizaci\u00f3n a una versi\u00f3n superior mediante la interfaz de l\u00ednea de comandos no resolver\u00e1 este problema. No hay ning\u00fan otro producto o plataforma de Juniper Networks que se vea afectado por este problema."}], "lastModified": "2019-10-09T23:31:03.363", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83FEEE8F-9279-46F2-BAF9-A60537020C61"}, {"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1F294E43-73FA-4EF3-90F2-EE29C56D6573"}, {"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d31:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6F3ED4F6-483F-41DC-BBCF-3605641ACAD4"}, {"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EDDE1048-BFEA-4A3E-8270-27C538A68837"}, {"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC517CD0-FF35-498F-AD33-683B43CA3829"}, {"criteria": "cpe:2.3:o:juniper:junos:15.1x53:d60:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "962CCED8-E321-4878-9BE6-0DC33778559A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:juniper:qfx10002:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F1401145-D8EC-4DB9-9CDE-9DE6C0D000C5"}, {"criteria": "cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EDC5478F-A047-4F6D-BB11-0077A74C0174"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "sirt@juniper.net"}