External risk intelligence

Juniper Junos OS HTTP/HTTPS Service Vulnerability Allows File Access and Command Injection.

CVE advisoryKnown Exploit

CVE-2020-1631

A vulnerability in Juniper Junos OS allows unauthorized access to files and commands, potentially granting an attacker administrative access via J-Web. This poses a significant business risk due to potential data exposure and system compromise. Organizations should identify affected devices, disable unnecessary HTTP/HT

5Halo Surface Signal

Path Traversal

Juniper Junos

12.312.3x4814.1x53

External exposure likelihood

Halo Surface Signal score for CVE-2020-1631

This vulnerability affects web-based management interfaces (J-Web) and remote access services (Dynamic VPN) on network infrastructure devices. These services are specifically designed to provide connectivity and administrative access, often exposing endpoints that are intended to be reachable from the network or internet to facilitate remote management and connectivity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

The HTTP/HTTPS service in Juniper Junos OS contains a vulnerability that allows unauthorized access to system files and potentially sensitive configuration data. This weakness can enable attackers to read files with general read permissions, including configuration files in newer versions of the operating system. If the J-Web feature is enabled, an attacker could gain the same level of access as an active user, potentially including administrator privileges.

  • Vulnerable Juniper Junos OS HTTP/HTTPS services
  • Local file inclusion or path traversal flaw
  • Unauthorized access to sensitive data

Attack Path

How an attacker could exploit the issue

This vulnerability enables an unauthenticated attacker to gain unauthorized access to systems and data. If the HTTP/HTTPS service is enabled, an attacker can exploit this flaw to read sensitive files, including configuration files, or potentially hijack active J-Web sessions. In instances where an administrator is logged into J-Web, an attacker could gain the same level of access, posing a significant risk to organizational security. This attack can be initiated through network access to the affected devices.

  • Required exposure: HTTP/HTTPS services enabled.
  • Attacker starting point: Network access.
  • Trigger and result: Access to files or sessions.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability exists in Juniper Networks Junos OS devices that could allow an unauthenticated attacker to access sensitive information or execute commands. If the J-Web interface is enabled, an attacker could potentially gain administrative access. While the potential impact is significant, the exploitability varies based on the services enabled on the device. The Cybersecurity and Infrastructure Security Agency (CISA) has identified this vulnerability as actively exploited in the wild.

  • Attacker skill: Low
  • Required access: Network access
  • Business risk: High, treat as urgent

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability may allow an unauthenticated attacker to access sensitive files or execute commands on affected systems. An attacker could gain access to configuration files or, if J-Web is enabled, potentially achieve administrator-level access. This could lead to unauthorized data exposure or system compromise, posing a significant business risk.

  • Identify Juniper Junos OS devices with HTTP/HTTPS services enabled.
  • Disable HTTP/HTTPS services if not actively used.
  • Apply vendor updates and validate the fix.
  • Monitor logs for suspicious activity.

Frequently asked questions

What is the CVE-2020-1631 vulnerability and its weaknesses?

CVE-2020-1631 is a vulnerability in the HTTP/HTTPS service of Juniper Junos OS, affecting features like J-Web and Dynamic-VPN. It allows unauthenticated attackers to perform Local File Inclusion (LFI) and Path Traversal. The primary weaknesses are CWE-22 (Path Traversal) and CWE-73 (Inclusion of Sensitive Information from an Untrusted Source).

How can an attacker exploit CVE-2020-1631 on Juniper devices?

Attackers can exploit this vulnerability by sending specially crafted requests to the HTTP/HTTPS service. This allows them to read files with 'world' readable permissions, including configuration files on affected Junos OS versions. If J-Web is enabled, an attacker can potentially gain the same access as an active J-Web user, which could escalate to administrator-level access if an administrator is logged in.

What is the impact of the CVE-2020-1631 vulnerability?

The impact varies based on enabled services. If only HTTP/HTTPS services are enabled and J-Web is not in use, it can lead to reading world-readable files, with a CVSS score of 5.9. If J-Web is enabled, the impact increases significantly, allowing potential administrator access with a CVSS score of 8.8.

What are the indicators of compromise for CVE-2020-1631?

Indicators of compromise may appear in the /var/log/httpd.log file. Administrators can search for string patterns like "=*;*&" or "*%3b*&" in this log to identify potential command injections or file access attempts.

What are the recommended actions for mitigating CVE-2020-1631?

Juniper Networks recommends upgrading to a fixed release of Junos OS as soon as possible. Until an upgrade can be performed, disabling or limiting HTTP/HTTPS services is advised.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified