CVE-2020-1614

A Use of Hard-coded Credentials vulnerability exists in the NFX250 Series for the vSRX Virtual Network Function (VNF) instance, which allows an attacker to take control of the vSRX VNF instance if they have the ability to access an administrative service (e.g. SSH) on the VNF, either locally, or through the network. This issue only affects the NFX250 Series vSRX VNF. No other products or platforms are affected. This issue is only applicable to environments where the vSRX VNF root password has not been configured. This issue affects the Juniper Networks NFX250 Network Services Platform vSRX VNF instance on versions prior to 19.2R1.

CVSS v3 10.0 CRITICAL
CVSS v2.0 9.3 HIGH

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

9.3^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://kb.juniper.net/JSA10997	Vendor Advisory
https://www.juniper.net/documentation/en_US/release-independent/junos/topics/task/configuration/nfx250-configure-vsrx-internal-ip.html	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:juniper:junos::::::::
	cpe:2.3:o:juniper:junos:19.2:r1-s1::::::
	cpe:2.3:o:juniper:junos:19.2:r1-s2::::::
	cpe:2.3:o:juniper:junos:19.2:r1-s3::::::
	cpe:2.3:o:juniper:junos:19.2:r1-s4::::::

cpe:2.3:h:juniper:nfx250:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-04-08 20:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-1614

Mitre link : CVE-2020-1614

CVE.ORG link : CVE-2020-1614

JSON object : View

Products Affected

juniper

junos
nfx250

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2020-1614", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}]}, "published": "2020-04-08T20:15:13.120", "references": [{"url": "https://kb.juniper.net/JSA10997", "tags": ["Vendor Advisory"], "source": "sirt@juniper.net"}, {"url": "https://www.juniper.net/documentation/en_US/release-independent/junos/topics/task/configuration/nfx250-configure-vsrx-internal-ip.html", "tags": ["Vendor Advisory"], "source": "sirt@juniper.net"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-798"}]}, {"type": "Secondary", "source": "sirt@juniper.net", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "A Use of Hard-coded Credentials vulnerability exists in the NFX250 Series for the vSRX Virtual Network Function (VNF) instance, which allows an attacker to take control of the vSRX VNF instance if they have the ability to access an administrative service (e.g. SSH) on the VNF, either locally, or through the network. This issue only affects the NFX250 Series vSRX VNF. No other products or platforms are affected. This issue is only applicable to environments where the vSRX VNF root password has not been configured. This issue affects the Juniper Networks NFX250 Network Services Platform vSRX VNF instance on versions prior to 19.2R1."}, {"lang": "es", "value": "Se presenta una vulnerabilidad de Uso de Credenciales Embebidas en la NFX250 Series para la instancia vSRX Virtual Network Function (VNF), que permite a un atacante tomar el control de la instancia vSRX VNF si posee la capacidad de acceder a un servicio administrativo (por ejemplo, SSH) en la VNF, localmente o por medio de la red. Este problema solo afecta a la vSRX VNF de NFX250 Series. Ning\u00fan otro producto o plataforma est\u00e1 afectado. Este problema es solo aplicable a entornos donde la contrase\u00f1a root vSRX VNF no ha sido configurada. Este problema afecta a la instancia vSRX VNF de Juniper Networks NFX250 Network Services Platform en versiones anteriores a 19.2R1."}], "lastModified": "2020-07-29T19:40:48.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "666B9482-B9DD-4373-8CC3-06A55B06FE5B", "versionEndExcluding": "19.2"}, {"criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A5B337A-727C-4767-AD7B-E0F7F99EB46F"}, {"criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16FDE60B-7A99-4683-BC14-530B5B005F8B"}, {"criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725D8C27-E4F8-4394-B4EC-B49B6D3C2709"}, {"criteria": "cpe:2.3:o:juniper:junos:19.2:r1-s4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8233C3AB-470E-4D13-9BFD-C9E90918FD0B"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:juniper:nfx250:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7EB08A27-7777-4538-ADC4-9D2F89963C13"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "sirt@juniper.net"}