Juniper Junos RPD MPLS RCE (JSA10877)

2018-10-19T00:00:00
ID JUNIPER_JSA10877.NASL
Type nessus
Reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2018-10-19T00:00:00

Description

According to its self-reported version number, the remote Junos device is affected by a potential remote code execution vulnerability due to how the routing protocol daemon handles MPLS packets. An attacker could potentially crash the RDP service or execute code.

                                        
                                            #TRUSTED 3969bee6e374da8f8d46fdb9b85da2de134b0ad4f1a1da5ff991141ae1c14429310da41c55e8f600da5323f91b16d0fa89aaadb65e81e9fbea9df15101ec0c5973ad135f1badc914cbddfe348304223272091118af26e30c8ff04cbc81310dd48bbd4649a9bf4de8458b7d4454312b07a7a56409b41a8f64c4e294bf55896f5c0a488d2888e8deb1e4f5a32ea375e320f69726c942986ebed53f9b983dc609c6546f2095e2f1d6253016716868abb5d591ef7384be69c7285bdf2c5f433e3f147558033c3fdc6c86207be0db45d33ffabba54ab65793893e74dc29d6467bed04ea94aa8ed2b28f479ccf352cf23cfed8ce697ea14597eaa17e14f2ba67526068cda1c678175df96281ee98b3e20ce1b79f5f1268b293e006ed8371a0613758e80866f85b838d3abe6505e6ea9669bdd6af1cb15914952a63a81d7176db25abb9dfcacb6fd93fb8eb2f41bfec9d05ded2e7510c21cb4f3e8513f6afba28c354c751ff1e3ea4949114f26d6e738566ac556dcc569dd5d4f1bed636aaf460c1bebf514fb733d18c4c4c71eadbf7e1ab1010d85d25b267beefbd974883cf291133c9546da7179b19cf7a3226914c2dc34ee909bcd4573563614ae12b90eae9994938e9777a041b9e2f53da92d12d95b9f93b51a739ce692a0342a9000edb36f2f1d68865f63f111a59787b9bbac27e938a5c8bf736eab52742dd896cee74b0b6358a
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(118231);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id("CVE-2018-0043");
  script_xref(name:"JSA", value:"JSA10877");

  script_name(english:"Juniper Junos RPD MPLS RCE (JSA10877)");
  script_summary(english:"Checks the Junos version and build date.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Junos device
is affected by a potential remote code execution vulnerability due to
how the routing protocol daemon handles MPLS packets. An attacker could
potentially crash the RDP service or execute code.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10877");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in
Juniper advisory JSA10877.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-0043");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/19");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include("audit.inc");
include("junos_kb_cmd_func.inc");

ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');

fixes = make_array();
# 12.1X46 versions prior to 12.1X46-D77 on SRX Series
# 12.3X48 versions prior to 12.3X48-D75 on SRX Series
# 15.1X49 versions prior to 15.1X49-D140 on SRX Series
if (model =~ '^SRX')
{
  fixes['12.1X46'] = '12.1X46-D77';
  fixes['12.3X48'] = '12.3X48-D75';
  fixes['15.1X49'] = '15.1X49-D140';
}

# 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series
if (model =~ '^(QFX|EX)')
{
  fixes['14.1X53'] = '14.1X53-D47';

  # 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series
  if (model =~ '^EX(23|34)00')
    fixes['15.1X53'] = '15.1X53-D59';

  # 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series
  if (model =~ '^QFX10K')
    fixes['15.1X53'] = '15.1X53-D67';

  # 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series
  if (model =~ '^QFX(5200|5110)')
    fixes['15.1X53'] = '15.1X53-D233';
}

# 15.1X53 versions prior to 15.1X53-D471 15.1X53-D490 on NFX Series
if (model =~ '^NFX')
  fixes['15.1X53'] = '15.1X53-D471';

# 14.1X53 versions prior to 14.1X53-D130 on QFabric Series
if (model =~ '^QFabric')
  fixes['14.1X53'] = '14.1X53-D130';

# 12.3 versions prior to 12.3R12-S10
fixes['12.3R'] = '12.3R12-S10';

# 15.1F6 versions prior to 15.1F6-S10
fixes['15.1F6'] = '15.1F6-S10';

# 15.1 versions prior to 15.1R4-S9 15.1R7
if (ver =~ "^15\.1R4($|[^0-9])") fixes['15.1R'] = '15.1R4-S9';
else                             fixes['15.1R'] = '15.1R7';

# 16.1 versions prior to 16.1R3-S8 16.1R4-S8 16.1R5-S4 16.1R6-S4 16.1R7
if (ver =~ "^16\.1R3($|[^0-9])")      fixes['16.1R'] = '16.1R3-S8';
else if (ver =~ "^16\.1R4($|[^0-9])") fixes['16.1R'] = '16.1R4-S8';
else if (ver =~ "^16\.1R5($|[^0-9])") fixes['16.1R'] = '16.1R5-S4';
else if (ver =~ "^16\.1R6($|[^0-9])") fixes['16.1R'] = '16.1R6-S4';
else                                  fixes['16.1R'] = '16.1R7';

# 16.1X65 versions prior to 16.1X65-D48
fixes['16.1X65'] = '16.1X65-D48';

# 16.2 versions prior to 16.2R1-S6 16.2R3
if (ver =~ "^16\.2R1($|[^0-9])") fixes['16.2R'] = '16.2R1-S6';
else                             fixes['16.2R'] = '16.2R3';

# 17.1 versions prior to 17.1R1-S7 17.1R2-S6 17.1R3
if (ver =~ "^17\.1R1($|[^0-9])")      fixes['17.1R'] = '17.1R1-S7';
else if (ver =~ "^17\.1R2($|[^0-9])") fixes['17.1R'] = '17.1R2-S6';
else                                  fixes['17.1R'] = '17.1R3';

# 7.2 versions prior to 17.2R1-S6 17.2R2-S3 17.2R3
if (ver =~ "^17\.2R1($|[^0-9])")      fixes['17.2R'] = '17.2R1-S6';
else if (ver =~ "^17\.2R2($|[^0-9])") fixes['17.2R'] = '17.2R2-S3';
else                                  fixes['17.2R'] = '17.2R3';

# 17.2X75 versions prior to 17.2X75-D100 17.2X75-D42 17.2X75-D91
fixes['17.2X75'] = '17.2X75-D42';

# 17.3 versions prior to 17.3R1-S4 17.3R2-S2 17.3R3
if (ver =~ "^17\.3R1($|[^0-9])")      fixes['17.3R'] = '17.3R1-S4';
else if (ver =~ "^17\.3R2($|[^0-9])") fixes['17.3R'] = '17.3R2-S2';
else                                  fixes['17.3R'] = '17.3R3';

# 17.4 versions prior to 17.4R1-S3 17.4R2
if (ver =~ "^17\.4R1($|[^0-9])") fixes['17.4R'] = '17.4R1-S3';
else                             fixes['17.4R'] = '17.4R2';

fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);

# MPLS must be configured to be vulnerable
override = TRUE;
buf = junos_command_kb_item(cmd:"show mpls interface");
if (buf)
{
  override = FALSE;
  if ("MPLS not configured" >< buf)
    audit(AUDIT_HOST_NOT, 'vulnerable as it does not appear to have MPLS enabled');
}

junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);