Juniper Junos 11.4 before R12, 12.1 before R10, 12.1X44 before D35, 12.1X45 before D25, 12.1X46 before D20, 12.1X47 before D10, 12.2 before R8, 12.2X50 before D70, 12.3 before R6, 13.1 before R4-S3, 13.1X49 before D55, 13.1X50 before D30, 13.2 before R4, 13.2X50 before D20, 13.2X51 before D26 and D30, 13.2X52 before D15, 13.3 before R2, and 14.1 before R1, when a RADIUS accounting server is configured as [system accounting destination radius], creates an entry for that accounting server in /var/etc/pam_radius.conf (the same file that holds the entries for [system radius-server] authentication servers), which might allow remote attackers to bypass authentication via unspecified vectors.
{"openvas": [{"lastseen": "2019-05-29T18:37:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-6379"], "description": "JunOS is prone to a security bypass vulnerability", "modified": "2018-10-25T00:00:00", "published": "2014-11-20T00:00:00", "id": "OPENVAS:1361412562310105928", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105928", "type": "openvas", "title": "Junos RADIUS Unintended Authentication Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_junos_cve-2014-6379.nasl 12095 2018-10-25 12:00:24Z cfischer $\n#\n# Junos RADIUS Unintended Authentication Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2014 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105928\");\n script_cve_id(\"CVE-2014-6379\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_version(\"$Revision: 12095 $\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Junos RADIUS Uninteded Authentication Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10654\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/70365\");\n\n script_tag(name:\"summary\", value:\"JunOS is prone to a security bypass vulnerability\");\n\n script_tag(name:\"impact\", value:\"The vulnerability can cause authentication requests\nto be sent to the RADIUS authentication server which may allow for unintended successful\nauthentication.\");\n\n script_tag(name:\"insight\", value:\"When a RADIUS authentication server is configured under\n[system radius-server], an entry is created in /var/etc/pam_radius.conf. An issue was discovered\nwhere RADIUS accounting servers configured under [system accounting destination radius] are also\npropagated to pam_radius.conf.\nIf the same RADIUS server is used for both authentication and accounting - a common configuration -\nthe issue is less severe since RADIUS authentication is sent to the intended server despite the\nduplicate entries. 
However, if the RADIUS authentication server is later removed from the configuration,\nthe duplicate entry created by configuration of the RADIUS accounting server will remain in pam_radius.conf,\nalso leading to possible unintended authentication success.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n script_tag(name:\"solution\", value:\"New builds of Junos OS software are available from Juniper.\");\n script_tag(name:\"affected\", value:\"Junos OS 11.4, 12.1, 12.2, 12.3, 13.1, 13.2 and 13.3\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 14:00:24 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-11-20 11:16:44 +0700 (Thu, 20 Nov 2014)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2014 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", \"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (revcomp(a:version, b:\"11.4R12\") < 0) {\n security_message(port:0, data:version);\n exit(0);\n}\n\nif (version =~ \"^12\") {\n if (revcomp(a:version, b:\"12.1R10\") < 0) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.1X44-D35\") < 0) &&\n (revcomp(a:version, b:\"12.1X44\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.1X45-D25\") < 0) &&\n (revcomp(a:version, b:\"12.1X45\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.1X46-D20\") < 0) &&\n (revcomp(a:version, b:\"12.1X46\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, 
b:\"12.1X47-D10\") < 0) &&\n (revcomp(a:version, b:\"12.1X47\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.2R8\") < 0) &&\n (revcomp(a:version, b:\"12.2\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.2X50-D70\") < 0) &&\n (revcomp(a:version, b:\"12.2X50\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.3R6\") < 0) &&\n (revcomp(a:version, b:\"12.3\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n}\n\nif (version =~ \"^13\") {\n if (revcomp(a:version, b:\"13.1R4-S3\") < 0) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.1X49-D55\") < 0) &&\n (revcomp(a:version, b:\"13.1X49\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.1X50-D30\") < 0) &&\n (revcomp(a:version, b:\"13.1X50\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.2R4\") < 0) &&\n (revcomp(a:version, b:\"13.2\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.2X50-D20\") < 0) &&\n (revcomp(a:version, b:\"13.2X50\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.2X51-D26\") < 0) &&\n (revcomp(a:version, b:\"13.2X51\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.2X52-D15\") < 0) &&\n (revcomp(a:version, b:\"13.2X52\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"13.3R2\") < 0) &&\n (revcomp(a:version, b:\"13.3\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-01-18T14:38:57", "description": 
"According to its self-reported version number, the remote Juniper Junos device is affected by a security bypass vulnerability. This issue is caused by RADIUS accounting servers being used for authentication requests. An authenticated attacker can exploit this to bypass authentication.", "cvss3": {}, "published": "2014-10-14T00:00:00", "type": "nessus", "title": "Juniper Junos RADIUS Security Bypass (JSA10654)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-6379"], "modified": "2018-07-12T00:00:00", "cpe": ["cpe:/o:juniper:junos"], "id": "JUNIPER_JSA10654.NASL", "href": "https://www.tenable.com/plugins/nessus/78425", "sourceData": "#TRUSTED 
afc2cce6904c72c241fbfed3496dc11d31643d83c8835dcb3e891ae35f1457608d1f75ebd25a82315f0d45c9ce390d9ecfe49724db114405c07fe485f4241b06259046ec80d636956382ad8855d6315efab362f2dd00e6f5ec222e357745384f02d78d77d3d83fb8cb97719291f68aa08620c93f2cb39602f53697d5c1cc90558213c0d88fba41e76c2daf67a352846dbf2c4f0d2170d9d8a3a712f6815d469721e2728078c8a3c98141c3e046fb049bf0052942e1ea0fe0cc6d9ad98b5c9f534570e98dcc9a3958cfb580ea37cc16d4c16c9edbfde4c74fe7aaf7d65368c5ee314a49530819392b245b297251d16b4498a43424ed86a986b12b4180acff08f919823e4cc3726de2ddcd52107574cdb92c9edc055a31f60c5499094698b7683c2a23beb825ddcd90bbf2e49cef94bbc48295ee4e322231ed22449ffb658c1f8e00d5f8b7f762c3fcee4a589aefe44ea22ecbd883ee4207e6507f0647a7516b55540f72151114d157e95e5f145bc3d49557d16b8f5a606ae5306bb44ea6c7aa6761fff08ff0cd9f46b3c9307a94b37e9acf0487bc38ebf3e3c6b33007be56a108eaa22e5656037b386de3785cdf2c96cf1c0955556ee8cd41583b85daf355cba956f2c06fcfc54be8ecc3462b67a58b4a2a28a42584b5dd0758a5ca874e53449e35ef85fb9f36e09ef84e1a090829aa37cb627be0ee9cc5175edb5c85d265c7c5\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(78425);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/12\");\n\n script_cve_id(\"CVE-2014-6379\");\n script_bugtraq_id(70365);\n script_xref(name:\"JSA\", value:\"JSA10654\");\n\n script_name(english:\"Juniper Junos RADIUS Security Bypass (JSA10654)\");\n script_summary(english:\"Checks the Junos version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Juniper\nJunos device is affected by a security bypass vulnerability. This\nissue is caused by RADIUS accounting servers being used for\nauthentication requests. 
An authenticated attacker can exploit this to\nbypass authentication.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10654\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant Junos software release or workaround referenced in\nJuniper advisory JSA10654.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/03/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/JUNOS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos_kb_cmd_func.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\n\nfixes = make_array();\nfixes['11.4'] = '11.4R12';\nfixes['12.1'] = '12.1R10';\nfixes['12.1X44'] = '12.1X44-D35';\nfixes['12.1X45'] = '12.1X45-D25';\nfixes['12.1X46'] = '12.1X46-D20';\nfixes['12.1X47'] = '12.1X47-D10';\nfixes['12.2'] = '12.2R8';\nfixes['12.2X50'] = '12.2X50-D70';\nfixes['12.3'] = '12.3R6';\nfixes['13.1'] = '13.1R4-S3';\nfixes['13.1X49'] = '13.1X49-D55';\nfixes['13.1X50'] = '13.1X50-D30';\nfixes['13.2'] = 
'13.2R4';\nfixes['13.2X50'] = '13.2X50-D20';\nfixes['13.2X51'] = '13.2X51-D26';\nfixes['13.2X52'] = '13.2X52-D15';\nfixes['13.3'] = '13.3R2';\nfixes['14.1'] = '14.1R1';\n\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\nif (fix == '13.2X51-D26')\n fix = '13.2X51-D26 or 13.2X51-D30';\n\n# Check that a RADIUS server is configured\noverride = TRUE;\nbuf = junos_command_kb_item(cmd:\"show configuration | display set\");\nif (buf)\n{\n pattern = \"^set system radius-server \";\n if (!junos_check_config(buf:buf, pattern:pattern))\n audit(AUDIT_HOST_NOT, 'affected because RADIUS is not configured');\n override = FALSE;\n}\n\njunos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}