6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
83.1%
According to its self-reported version, the Junos OS on the remote device is affected by a double free vulnerability.
On Juniper Networks SRX Series with ICAP (Internet Content Adaptation Protocol) redirect service enabled, this double free vulnerability can lead to a Denial of Service (DoS) or Remote Code Execution (RCE) due to processing of a specific HTTP message. Continued processing of this specific HTTP message may result in an extended Denial of Service (DoS). The offending HTTP message that causes this issue may originate both from the HTTP server or the client.
Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#TRUSTED 89937ff467ce947cd03a7fa66c786b899426b68258acaee8a52e479c3b74f03da430933b8b5250c18a6124c446f8a83e6aaed0ba5e62a83b5f6fc74549087a19f6d1641f5a6f7ff1fd0c52aa9e7c3899503b998b0810c2f5907c91ff8d880893618644438ab98ab7b04811abc46d0bd3210c6e6b5d294ba539d651e823afcb45c56cacd474e7ba691bed96de9e3007a21833a04b351acadf1d12ac3a61d2519a5dfcf59d451fe8478f7673471d68fe2a8f20f02000caa41c06f2caa6e2ef625c8f0521ab8d82b4ee718db63604f7931861e79869742b3daa98b1023caf753e09f0f2bd354add42aa5eab7da0c8dafe0d9371a04e7d6bb476411f959b2199fd6ff113ac150da0012c70b142114cdb9ac7c74c4f5bf51bccdd66ee72feab6bf97ee7a91dcdb4e1ee6970a540b237af91c9b3b941265bb666e143e571e4f359452496a4169c1036df70680255b7d9876163132332236e80b1533028cfc5312063defb9da68ca7baedc37e95aaf7c2ea04ce2fa44d90c8cc6cac5ec0003fe5bd6765b59bd7a6ad0b8314ab06339178dc5724e3d3cdb83ee52f973d64d4cbdbfa998182ce035be6bcadb19d01b560ca5d810c1cb0144bd05f226bd6c43393d5c0e7c423826e61bed8649a9009c0b2dc23770a6cb3495ac0a2832be5506416f03f26a46fcc52f4795b46809f4193e9575acdf69e8fb60dd68aef00f0be17d9b65913b0
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(138839);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/13");
script_cve_id("CVE-2020-1647");
script_xref(name:"JSA", value:"JSA11034");
script_name(english:"Juniper Junos SRX Double Free ICAP Redirect DoS RCE (JSA11034)");
script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the Junos OS on the remote device is affected by a double free vulnerability.
On Juniper Networks SRX Series with ICAP (Internet Content Adaptation Protocol) redirect service enabled, this double
free vulnerability can lead to a Denial of Service (DoS) or Remote Code Execution (RCE) due to processing of a specific
HTTP message. Continued processing of this specific HTTP message may result in an extended Denial of Service (DoS). The
offending HTTP message that causes this issue may originate both from the HTTP server or the client.
Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/JSA11034");
script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA11034");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1647");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/08");
script_set_attribute(attribute:"patch_publication_date", value:"2020/07/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/22");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Junos Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("junos_version.nasl");
script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");
exit(0);
}
include('junos.inc');
include('junos_kb_cmd_func.inc');
ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');
model = get_kb_item_or_exit('Host/Juniper/model');
if ('SRX' >!< model)
audit(AUDIT_HOST_NOT, 'an affected model');
fixes = make_array();
fixes['18.1'] = '18.1R3-S9';
fixes['18.2'] = '18.2R3-S3';
fixes['18.3'] = '18.3R2-S4';
fixes['18.4'] = '18.4R2-S5';
fixes['19.1'] = '19.1R2';
fixes['19.2'] = '19.2R1-S2';
fixes['19.3'] = '19.3R2';
fix = check_junos(ver:ver, fixes:fixes, exit_on_fail:TRUE);
override = TRUE;
buf = junos_command_kb_item(cmd:'show configuration | display set');
if (buf)
{
override = FALSE;
pattern = "^set services icap-redirect profile";
if (!junos_check_config(buf:buf, pattern:pattern))
audit(AUDIT_HOST_NOT, 'using a vulnerable configuration1');
pattern = "^set services icap-redirect profile ([^\s]*)";
match = pregmatch(string:buf, pattern:pattern);
if (empty_or_null(match) || empty_or_null(match[1]))
audit(AUDIT_HOST_NOT, 'using a vulnerable configuration2');
prof_name = match[1];
pattern = "^set security policies from-zone.*then permit application-services " + prof_name;
if (!junos_check_config(buf:buf, pattern:pattern))
audit(AUDIT_HOST_NOT, 'using a vulnerable configuration3');
}
junos_report(ver:ver, fix:fix, override:override, severity:SECURITY_WARNING);
6.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.009 Low
EPSS
Percentile
83.1%