Search...

Juniper Junos SRX Series 'set system ports console insecure' Local Privilege Escalation (JSA10683)

2015-08-04T00:00:00

ID JUNIPER_JSA10683.NASL
Type nessus
Reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
Modified 2015-08-04T00:00:00

Description

According to its self-reported version number, the remote Juniper Junos SRX Series device is affected by a privilege escalation vulnerability related to the 'set system ports console insecure' feature. A local attacker can exploit this vulnerability by using access to a console port to gain full administrative privileges.

                                        
                                            #TRUSTED 577a0137b0619966928c4e53afdcf4b38d56af611b9008f7dd84b7dbe29343b0e3a9e6e6978744b91d46519ac03050777335c88203b262a127e26ab8f01f945378c3c627503e2a2d3b42c618625bdde700a41b4fef316bf64f3315d710127a8e19866ba82821b6ee062377173d30b57179515a5b2f4cf3d82643fbcf5ae908f601291898ab047683b7b1f4dd75e554870b9b9557b1249a35b710e9f174c3dac720c21767f6e4406621652bf2ba0c3f9338c6e4f820969f22ad50b230a47fe6759fd5c939fd91c57020a73d38a873e0fb3828295abe4547a170f3d6a4a1080c2694c08e8be04d21b8088942dea8054627c3fde5e29ff5198ec74e102060af36e9cc0750d24faa53192cc7d1c43251b81f823fe14fa4955fdf9e49ec6e9d3fa8965604d5287a9aa12d5de53bb1402066a5201c3f4114f3260cebbab6e2b8e65b6e860f7f7c2f0924d3aa5fc3566cbec6118d1a6e2f50ebac12e57855ac692c307d5b162e95fd5ab7c2919fdcb1e8d6ea70bc1bcbcc68d4abd434079c3c66c0a0df144224ab826b412c1d83eb350b66472050772bbe16b0fafc073161a0df12c876b10fe725368ecc76bdb466f2c21a989ae93549eaa38659101a7926714781e686fe263ea6eadb99de93640eb04630ecce178f12fa285050796be33d4551cdc69b3b326b4e1072813d75e8fc75e45137fb452526783b7a27f17650a7d1c6fb126a
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(85225);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/12");

  script_cve_id("CVE-2015-3007");
  script_bugtraq_id(75718);
  script_xref(name:"JSA", value:"JSA10683");

  script_name(english:"Juniper Junos SRX Series 'set system ports console insecure' Local Privilege Escalation (JSA10683)");
  script_summary(english:"Checks the Junos version, model, and configuration.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Juniper
Junos SRX Series device is affected by a privilege escalation
vulnerability related to the 'set system ports console insecure'
feature. A local attacker can exploit this vulnerability by using
access to a console port to gain full administrative privileges.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10683");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release or workaround referenced in
Juniper advisory JSA10683.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/04");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/model", "Host/Juniper/JUNOS/Version");

  exit(0);
}

include("audit.inc");
include("junos_kb_cmd_func.inc");
include("misc_func.inc");

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');

check_model(model:model, flags:SRX_SERIES, exit_on_fail:TRUE);

if (ver =~ "^12.1X46-D([0-9]|1[0-4])$") audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);

fixes = make_array();
fixes['12.1X46'] = '12.1X46-D35';
fixes['12.1X47'] = '12.1X47-D25';
fixes['12.1X48'] = '12.1X48-D15';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

override = TRUE;
buf = junos_command_kb_item(cmd:"show configuration | display set");
if (buf)
{
  pattern = "^set system ports console insecure";
  if (!preg(string:buf, pattern:pattern, multiline:TRUE))
    audit(AUDIT_HOST_NOT,
      "affected because the 'set system ports console insecure' feature is not enabled");
  override = FALSE;
}

junos_report(ver:ver, fix:fix, model:model, override:override, severity:SECURITY_HOLE);

JSON Vulners Source

Initial Source

{"id": "JUNIPER_JSA10683.NASL", "bulletinFamily": "scanner", "title": "Juniper Junos SRX Series 'set system ports console insecure' Local Privilege Escalation (JSA10683)", "description": "According to its self-reported version number, the remote Juniper\nJunos SRX Series device is affected by a privilege escalation\nvulnerability related to the 'set system ports console insecure'\nfeature. A local attacker can exploit this vulnerability by using\naccess to a console port to gain full administrative privileges.", "published": "2015-08-04T00:00:00", "modified": "2015-08-04T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/85225", "reporter": "This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.", "references": ["https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10683"], "cvelist": ["CVE-2015-3007"], "type": "nessus", "lastseen": "2020-09-14T15:43:02", "edition": 9, "viewCount": 18, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-3007"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310106018"]}], "modified": "2020-09-14T15:43:02", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2020-09-14T15:43:02", "rev": 2}, "vulnersScore": 6.5}, "sourceData": "#TRUSTED 577a0137b0619966928c4e53afdcf4b38d56af611b9008f7dd84b7dbe29343b0e3a9e6e6978744b91d46519ac03050777335c88203b262a127e26ab8f01f945378c3c627503e2a2d3b42c618625bdde700a41b4fef316bf64f3315d710127a8e19866ba82821b6ee062377173d30b57179515a5b2f4cf3d82643fbcf5ae908f601291898ab047683b7b1f4dd75e554870b9b9557b1249a35b710e9f174c3dac720c21767f6e4406621652bf2ba0c3f9338c6e4f820969f22ad50b230a47fe6759fd5c939fd91c57020a73d38a873e0fb3828295abe4547a170f3d6a4a1080c2694c08e8be04d21b8088942dea8054627c3fde5e29ff5198ec74e102060af36e9cc0750d24faa53192cc7d1c43251b81f823fe14fa4955fdf9e49ec6e9d3fa8965604d5287a9aa12d5de53bb1402066a5201c3f4114f3260cebbab6e2b8e65b6e860f7f7c2f0924d3aa5fc3566cbec6118d1a6e2f50ebac12e57855ac692c307d5b162e95fd5ab7c2919fdcb1e8d6ea70bc1bcbcc68d4abd434079c3c66c0a0df144224ab826b412c1d83eb350b66472050772bbe16b0fafc073161a0df12c876b10fe725368ecc76bdb466f2c21a989ae93549eaa38659101a7926714781e686fe263ea6eadb99de93640eb04630ecce178f12fa285050796be33d4551cdc69b3b326b4e1072813d75e8fc75e45137fb452526783b7a27f17650a7d1c6fb126a\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(85225);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/07/12\");\n\n script_cve_id(\"CVE-2015-3007\");\n script_bugtraq_id(75718);\n script_xref(name:\"JSA\", value:\"JSA10683\");\n\n script_name(english:\"Juniper Junos SRX Series 'set system ports console insecure' Local Privilege Escalation (JSA10683)\");\n script_summary(english:\"Checks the Junos version, model, and configuration.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Juniper\nJunos SRX Series device is affected by a privilege escalation\nvulnerability related to the 'set system ports console insecure'\nfeature. A local attacker can exploit this vulnerability by using\naccess to a console port to gain full administrative privileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10683\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the relevant Junos software release or workaround referenced in\nJuniper advisory JSA10683.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/08/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:juniper:junos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"junos_version.nasl\");\n script_require_keys(\"Host/Juniper/model\", \"Host/Juniper/JUNOS/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"junos_kb_cmd_func.inc\");\ninclude(\"misc_func.inc\");\n\nver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');\nmodel = get_kb_item_or_exit('Host/Juniper/model');\n\ncheck_model(model:model, flags:SRX_SERIES, exit_on_fail:TRUE);\n\nif (ver =~ \"^12.1X46-D([0-9]|1[0-4])$\") audit(AUDIT_INST_VER_NOT_VULN, 'Junos', ver);\n\nfixes = make_array();\nfixes['12.1X46'] = '12.1X46-D35';\nfixes['12.1X47'] = '12.1X47-D25';\nfixes['12.1X48'] = '12.1X48-D15';\n\nfix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);\n\noverride = TRUE;\nbuf = junos_command_kb_item(cmd:\"show configuration | display set\");\nif (buf)\n{\n pattern = \"^set system ports console insecure\";\n if (!preg(string:buf, pattern:pattern, multiline:TRUE))\n audit(AUDIT_HOST_NOT,\n \"affected because the 'set system ports console insecure' feature is not enabled\");\n override = FALSE;\n}\n\njunos_report(ver:ver, fix:fix, model:model, override:override, severity:SECURITY_HOLE);\n", "naslFamily": "Junos Local Security Checks", "pluginID": "85225", "cpe": ["cpe:/o:juniper:junos"], "scheme": null, "immutableFields": []}

{"cve": [{"lastseen": "2021-02-02T06:21:24", "description": "The Juniper SRX Series services gateways with Junos OS 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, and 12.3X48 before 12.3X48-D15 do not properly implement the \"set system ports console insecure\" feature, which allows physically proximate attackers to gain administrative privileges by leveraging access to the console port.", "edition": 4, "cvss3": {}, "published": "2015-07-14T17:59:00", "title": "CVE-2015-3007", "type": "cve", "cwe": ["CWE-284"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3007"], "modified": "2015-07-15T18:31:00", "cpe": ["cpe:/o:juniper:junos:12.1x47", "cpe:/o:juniper:junos:12.1x46", "cpe:/o:juniper:junos:12.3x48"], "id": "CVE-2015-3007", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3007", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:juniper:junos:12.3x48:d10:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:d15:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x47:d20:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x47:*:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.3x48:*:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:d30:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:*:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:d20:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.3x48:d5:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x47:d10:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:d25:*:*:*:*:*:*", "cpe:2.3:o:juniper:junos:12.1x46:d10:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-07-25T12:19:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-3007"], "description": "Junos OS is prone to a local privilege escalation vulnerability.", "modified": "2019-07-24T00:00:00", "published": "2015-07-14T00:00:00", "id": "OPENVAS:1361412562310106018", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106018", "type": "openvas", "title": "Junos Local Privilege Escalation Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Junos Local Privilege Escalation Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106018\");\n script_version(\"2019-07-24T08:39:52+0000\");\n script_tag(name:\"last_modification\", value:\"2019-07-24 08:39:52 +0000 (Wed, 24 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2015-07-14 10:58:02 +0700 (Tue, 14 Jul 2015)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2015-3007\");\n\n script_name(\"Junos Local Privilege Escalation Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2015 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", \"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\", \"Junos/model\");\n\n script_tag(name:\"summary\", value:\"Junos OS is prone to a local privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"On SRX Series services gateways, the 'set system ports console insecure'\nfeature does not work as expected. This feature is intended to prevent non-root users from performing\npassword recovery using the console (see KB22619). This issue affects SRX Series services gateways only.\nNo other Junos devices are affected.\");\n\n script_tag(name:\"impact\", value:\"This vulnerability may allow a non-root user with physical access\nto the console port to gain full administrative privileges.\");\n\n script_tag(name:\"affected\", value:\"Junos OS 12.1X46, 12.1X47 and 12.1X48\");\n\n script_tag(name:\"solution\", value:\"New builds of Junos OS software are available from Juniper.\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10683\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\n\nmodel = get_kb_item(\"Junos/model\");\nif (!model || (toupper(model) !~ '^SRX[0-9]+'))\n exit(99);\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version =~ \"^12\\.1X\") {\n if ((revcomp(a: version, b: \"12.1X46-D35\") < 0) &&\n (revcomp(a: version, b: \"12.1X46\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.1X47-D25\") < 0) &&\n (revcomp(a:version, b:\"12.1X47\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n else if ((revcomp(a:version, b:\"12.1X48-D15\") < 0) &&\n (revcomp(a:version, b:\"12.1X48\") >= 0)) {\n security_message(port:0, data:version);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}