CVSS3: 8.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
AI Score: 8.8 High (Confidence: High)
EPSS: 0.0004 Low (Percentile: 12.7%)
The version of Junos OS installed on the remote host is affected by a privilege escalation vulnerability as referenced in the JSA69895 advisory. An Execution with Unnecessary Privileges vulnerability in Management Daemon (mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate their privileges on the device and potentially remote systems.
A workaround for this issue is to modify the applicable login class(es) so that the ssh command can no longer be accessed. This can be done by removing the ‘network’ permission or by modifying the respective allow-commands/deny-commands configuration.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(166324);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/18");

  script_cve_id("CVE-2022-22239");
  script_xref(name:"JSA", value:"JSA69895");
  script_xref(name:"IAVA", value:"2022-A-0421-S");

  script_name(english:"Juniper Junos OS Privilege Escalation (JSA69895)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by a privilege escalation vulnerability as
referenced in the JSA69895 advisory. An Execution with Unnecessary Privileges vulnerability in Management Daemon
(mgd) of Juniper Networks Junos OS Evolved allows a locally authenticated attacker with low privileges to escalate
their privileges on the device and potentially remote systems.
A workaround for this issue is to modify the applicable login class(es) so that the ssh command can not be accessed
anymore. This can be done by removing the 'network' permission or modifying the resp. allow-/deny-commands
configuration.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/Overview-of-the-Juniper-Networks-SIRT-Quarterly-Security-Bulletin-Publication-Process
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?99086ea4");
  # https://supportportal.juniper.net/s/article/In-which-releases-are-vulnerabilities-fixed
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b616ed59");
  # https://supportportal.juniper.net/s/article/Common-Vulnerability-Scoring-System-CVSS-and-Juniper-s-Security-Advisories
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d4fd08b");
  # https://supportportal.juniper.net/s/article/2022-10-Security-Bulletin-Junos-OS-Evolved-The-ssh-CLI-command-always-runs-as-root-which-can-lead-to-privilege-escalation-CVE-2022-22239
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f66b8bb");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA69895");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-22239");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/10/20");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version");

  exit(0);
}

include('junos.inc');

# Self-reported version collected earlier by junos_version.nasl.
var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

# Affected Junos OS Evolved release ranges, each with the fixed release for that range.
var vuln_ranges = [
  {'min_ver':'0',    'fixed_ver':'20.4R3-S5-EVO'},
  {'min_ver':'21.1', 'fixed_ver':'21.1R3-EVO'},
  {'min_ver':'21.2', 'fixed_ver':'21.2R2-S1-EVO', 'fixed_display':'21.2R2-S1-EVO, 21.2R3-EVO'},
  {'min_ver':'21.3', 'fixed_ver':'21.3R2-EVO'}
];

# No matching range: audit out as not vulnerable.
var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);

var report = get_report(ver:ver, fix:fix);
security_report_v4(severity:SECURITY_WARNING, port:0, extra:report);
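
How a version-only check over the plugin's range table can be evaluated, as an added Python example; it is not Tenable's `junos_compare_range`, whose internals the page does not show. Assumptions: only R-type release strings such as `21.2R2-S1.3-EVO` are handled, `min_ver` is inclusive and `fixed_ver` exclusive, versions without the `-EVO` suffix are skipped, and `parse` and `fixed_release_for` are hypothetical names.

```python
import re

# Ranges copied from the plugin's vuln_ranges table.
# Assumed semantics: min_ver inclusive, fixed_ver exclusive.
VULN_RANGES = [
    {"min_ver": "0",    "fixed_ver": "20.4R3-S5-EVO"},
    {"min_ver": "21.1", "fixed_ver": "21.1R3-EVO"},
    {"min_ver": "21.2", "fixed_ver": "21.2R2-S1-EVO",
     "fixed_display": "21.2R2-S1-EVO, 21.2R3-EVO"},
    {"min_ver": "21.3", "fixed_ver": "21.3R2-EVO"},
]

# major[.minor][R<release>][-S<service>][.<build>][-EVO]
_VER = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:R(\d+))?(?:-S(\d+))?(?:\.\d+)?(-EVO)?$", re.I)


def parse(ver):
    """Return ((major, minor, release, service), is_evolved).

    Missing components count as 0 and the build number is ignored.
    Raises ValueError for strings outside the assumed R-type format.
    """
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {ver!r}")
    key = tuple(int(g or 0) for g in m.groups()[:4])
    return key, m.group(5) is not None


def fixed_release_for(ver):
    """Return the fixed release(s) to report if ver is affected, else None."""
    key, evolved = parse(ver)
    if not evolved:
        # The advisory text on this page concerns Junos OS Evolved only.
        return None
    for r in VULN_RANGES:
        low, _ = parse(r["min_ver"])
        high, _ = parse(r["fixed_ver"])
        if low <= key < high:
            return r.get("fixed_display", r["fixed_ver"])
    return None


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real device.
    for v in ("20.4R3-S4-EVO", "21.2R2-EVO", "21.2R2-S1-EVO", "21.4R1-EVO"):
        print(v, "->", fixed_release_for(v) or "not affected")
```

Because the result depends only on the reported version string, a host where the login-class workaround is already applied is still flagged.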