cve-2018-0035
Vulnerability from cvelistv5
Published
2018-07-11 18:00
Modified
2024-09-16 18:04
Summary
Junos OS: QFX5200 and QFX10002: Unintended ONIE partition was shipped with certain Junos OS .bin and .iso images
References
Impacted products
Juniper NetworksJunos OS
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:14:16.595Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://kb.juniper.net/JSA10869"
          },
          {
            "name": "1041336",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041336"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "platforms": [
            "QFX5200 and QFX10002"
          ],
          "product": "Junos OS",
          "vendor": "Juniper Networks",
          "versions": [
            {
              "lessThan": "15.1X53-D60",
              "status": "affected",
              "version": "15.1X53",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "Customer can identify whether their device is affected by running the following commands from the Junos OS shell:\n\nAffected System :\n  root@:RE:0% rsh -l root -JU __juniper_private4__ 192.168.1.1                                                                                                                      \n  root@:RE:0~# grub-fstest /dev/sda2 ls /var/tmp /onie/ | grep onie                                                                                                                \n  vmlinuz-3.2.35-onie initrd.img-3.2.35-onie tools/ grub/ grub.d/                                                                                                                         \n  root@:RE:0:~#                                                                                                                                                                     \nNote: the two files, vmlinuz-3.2.35-onie and initrd.img-3.2.35-onie (version may vary) will be present.\n\nNon-affected System:\n  root@:RE:0% rsh -l root -JU __juniper_private4__ 192.168.1.1                                                                                                                                                                                                                                                                                                               \n  root@local-node:~# grub-fstest /dev/sda2 ls /onie/ | grep onie                                                                                                                          \n  root@local-node:~#                                                                                                                                                                      \nNote: no grep output related to ONIE partition."
        }
      ],
      "datePublic": "2018-07-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-27T09:57:01",
        "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
        "shortName": "juniper"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://kb.juniper.net/JSA10869"
        },
        {
          "name": "1041336",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041336"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "In order to resolve this issue (remove the ONIE partition from the device), customer needs to reimage the device using the USB or PXE image from the Juniper download page.\nThe affected Junos image files have been removed from the Juniper download page."
        }
      ],
      "source": {
        "advisory": "JSA10869",
        "defect": [
          "1335427",
          "1335713"
        ],
        "discovery": "INTERNAL"
      },
      "title": "Junos OS: QFX5200 and QFX10002: Unintended ONIE partition was shipped with certain Junos OS .bin and .iso images",
      "workarounds": [
        {
          "lang": "en",
          "value": "There are no known workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to device only from trusted, administrative networks or hosts. Limit CLI access to the device from only trusted hosts and administrators."
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@juniper.net",
          "DATE_PUBLIC": "2018-07-11T16:00:00.000Z",
          "ID": "CVE-2018-0035",
          "STATE": "PUBLIC",
          "TITLE": "Junos OS: QFX5200 and QFX10002: Unintended ONIE partition was shipped with certain Junos OS .bin and .iso images"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Junos OS",
                      "version": {
                        "version_data": [
                          {
                            "affected": "\u003c",
                            "platform": "QFX5200 and QFX10002",
                            "version_affected": "\u003c",
                            "version_name": "15.1X53",
                            "version_value": "15.1X53-D60"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Juniper Networks"
              }
            ]
          }
        },
        "configuration": [
          {
            "lang": "en",
            "value": "Customer can identify whether their device is affected by running the following commands from the Junos OS shell:\n\nAffected System :\n  root@:RE:0% rsh -l root -JU __juniper_private4__ 192.168.1.1                                                                                                                      \n  root@:RE:0~# grub-fstest /dev/sda2 ls /var/tmp /onie/ | grep onie                                                                                                                \n  vmlinuz-3.2.35-onie initrd.img-3.2.35-onie tools/ grub/ grub.d/                                                                                                                         \n  root@:RE:0:~#                                                                                                                                                                     \nNote: the two files, vmlinuz-3.2.35-onie and initrd.img-3.2.35-onie (version may vary) will be present.\n\nNon-affected System:\n  root@:RE:0% rsh -l root -JU __juniper_private4__ 192.168.1.1                                                                                                                                                                                                                                                                                                               \n  root@local-node:~# grub-fstest /dev/sda2 ls /onie/ | grep onie                                                                                                                          \n  root@local-node:~#                                                                                                                                                                      \nNote: no grep output related to ONIE partition."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
          }
        ],
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://kb.juniper.net/JSA10869",
              "refsource": "CONFIRM",
              "url": "https://kb.juniper.net/JSA10869"
            },
            {
              "name": "1041336",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041336"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "In order to resolve this issue (remove the ONIE partition from the device), customer needs to reimage the device using the USB or PXE image from the Juniper download page.\nThe affected Junos image files have been removed from the Juniper download page."
          }
        ],
        "source": {
          "advisory": "JSA10869",
          "defect": [
            "1335427",
            "1335713"
          ],
          "discovery": "INTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "There are no known workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to device only from trusted, administrative networks or hosts. Limit CLI access to the device from only trusted hosts and administrators."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968",
    "assignerShortName": "juniper",
    "cveId": "CVE-2018-0035",
    "datePublished": "2018-07-11T18:00:00Z",
    "dateReserved": "2017-11-16T00:00:00",
    "dateUpdated": "2024-09-16T18:04:11.452Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-0035\",\"sourceIdentifier\":\"sirt@juniper.net\",\"published\":\"2018-07-11T18:29:00.683\",\"lastModified\":\"2019-10-09T23:31:03.363\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"QFX5200 and QFX10002 devices that have been shipped with Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 and 15.1X53-D60 or have been upgraded to these releases using the .bin or .iso images may contain an unintended additional Open Network Install Environment (ONIE) partition. This additional partition allows the superuser to reboot to the ONIE partition which will wipe out the content of the Junos partition and its configuration. Once rebooted, the ONIE partition will not have root password configured, thus any user can access the console or SSH, using an IP address acquired from DHCP, as root without password. Once the device has been shipped or upgraded with the ONIE partition installed, the issue will persist. Simply upgrading to higher release via the CLI will not resolve the issue. No other Juniper Networks products or platforms are affected by this issue.\"},{\"lang\":\"es\",\"value\":\"Los dispositivos QFX5200 y QFX10002 que se han distribuido con Junos OS 15.1X53-D21, 15.1X53-D30, 15.1X53-D31, 15.1X53-D32, 15.1X53-D33 y 15.1X53-D60 o que han sido actualizados a estas versiones mediante las im\u00e1genes .bin o .iso podr\u00edan contener una partici\u00f3n ONIE (Open Network Install Environment) adicional no planeada. Esta partici\u00f3n adicional permite que el superusuario reinicie en la partici\u00f3n ONIE, lo que eliminar\u00e1 el contenido de la partici\u00f3n Junos y su configuraci\u00f3n. Una vez reiniciada, la partici\u00f3n ONIE no tendr\u00e1 contrase\u00f1a root configurada, por lo que cualquier usuario podr\u00eda acceder como root a la consola a la consola o SSH mediante una direcci\u00f3n IP adquirida desde DHCP. Una vez el dispositivo ha sido distribuido o actualizado con la partici\u00f3n ONIE instalada, el problema persistir\u00e1. La simple actualizaci\u00f3n a una versi\u00f3n superior mediante la interfaz de l\u00ednea de comandos no resolver\u00e1 este problema. No hay ning\u00fan otro producto o plataforma de Juniper Networks que se vea afectado por este problema.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9},{\"source\":\"sirt@juniper.net\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":4.4,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":0.8,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":10.0},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d21:*:*:*:*:*:*\",\"matchCriteriaId\":\"83FEEE8F-9279-46F2-BAF9-A60537020C61\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d30:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F294E43-73FA-4EF3-90F2-EE29C56D6573\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d31:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F3ED4F6-483F-41DC-BBCF-3605641ACAD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d32:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDDE1048-BFEA-4A3E-8270-27C538A68837\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d33:*:*:*:*:*:*\",\"matchCriteriaId\":\"CC517CD0-FF35-498F-AD33-683B43CA3829\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:juniper:junos:15.1x53:d60:*:*:*:*:*:*\",\"matchCriteriaId\":\"962CCED8-E321-4878-9BE6-0DC33778559A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:juniper:qfx10002:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1401145-D8EC-4DB9-9CDE-9DE6C0D000C5\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:juniper:qfx5200:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EDC5478F-A047-4F6D-BB11-0077A74C0174\"}]}]}],\"references\":[{\"url\":\"http://www.securitytracker.com/id/1041336\",\"source\":\"sirt@juniper.net\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://kb.juniper.net/JSA10869\",\"source\":\"sirt@juniper.net\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.