Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)

2014-12-22T00:00:00
ID JUNIPER_SPACE_JSA10626.NASL
Type nessus
Reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2014-12-22T00:00:00

Description

According to its self-reported version number, the remote Junos Space version is prior to 13.3R1.8. It is, therefore, affected by a remote command execution vulnerability that exists when the firewall is disabled. This could allow a remote attacker to execute arbitrary commands with root privileges.

Note that the firewall is enabled by default on Junos Space.

                                        
                                            #TRUSTED ae5ba34b865cd611f9232ec473a0b530f543647d583097262195060d26f2e07c4db938d8213d296d47087b4c98a64e13e725a4524f10fd41df39b76ffbe5728a57b317a05f7c666e52569e5543f44bbd7b969a9ef46f471ae5f3f7ef64b42fc39f69226791667764d1a44c35eeb234843c043aefe19598d42d3aa2b943be2cde085d7caa99bad04248536a0f83a43659b95262f2a586587b572eb90ea81ae2d29b4daf705b5e988b0a2d134a530036a1c252b2b3a51c69208613748d38920f028b93aa611f402f218272c19ecf3f10d56625c35e3ed2b86b16e94858b38b8e7674491d3247f4efa91f01c9e0e048e471344babcce9ffb5d55f24524e087a73ab58cd54f179baca7cddc5bf8cde3f70c775a9421b90496365963188476153e275456fd79a67993c3570466e9f6dc46a0db2d67bd1962c45553652e7b863842e665e4f9e0391e4a4df0165751e8632df1b20d37570fa781c137517583e59324d2f743f952edb793449d960a156efa145d1231507186c88bf0516e6ad1596cf9917a8d665ee7098109bff1cb75b6e2fc3f5429df89c1e9d2eb7a305bd715c64c02d4e700cbe690540feae20762d1266c973acd46c190ab66c7e7140cccbe6f22bf9127c26245e45748410efda0578e78d77a557ca3ddaf558a4e761a622cd8c6eaa9483385ee616097a2c8c6d22a428f8d16976b7b3dbce335ae5cea0e75284e392
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(80194);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/10");

  script_cve_id("CVE-2014-3412");
  script_bugtraq_id(67454);

  script_name(english:"Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)");
  script_summary(english:"Checks the version.");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a remote command execution
vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Junos Space
version is prior to 13.3R1.8. It is, therefore, affected by a remote
command execution vulnerability that exists when the firewall is
disabled. This could allow a remote attacker to execute arbitrary
commands with root privileges.

Note that the firewall is enabled by default on Junos Space.");
  script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10626");
  script_set_attribute(attribute:"solution", value:"Upgrade to Junos Space 13.3R1.8 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_space");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Junos_Space/version", "Host/Junos_Space/release");

  exit(0);
}

include("audit.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("junos.inc");
include("misc_func.inc");


if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
  enable_ssh_wrappers();
else disable_ssh_wrappers();

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Junos_Space/release");
if (isnull(release) || "Junos Space" >!< release) audit(AUDIT_OS_NOT, "Juniper Junos Space");

ver = get_kb_item_or_exit('Host/Junos_Space/version');
if(_junos_space_ver_compare(ver:ver, fix:'13.3R1.8') >= 0)
  exit(0, 'Junos Space ' + ver + ' is not affected.');

if(report_paranoia < 2)
{
  if ( islocalhost() )
  {
    if ( ! defined_func("pread") ) exit(1, "'pread()' is not defined.");
    info_t = INFO_LOCAL;
  }
  else
  {
    sock_g = ssh_open_connection();
    if (! sock_g) exit(1, "ssh_open_connection() failed.");
    info_t = INFO_SSH;
  }

  cmd = 'service iptables status';
  buf = info_send_cmd(cmd:cmd);

  ssh_close_connection();

  if ("Firewall is not running" >< buf)
    security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);
  else if ("Table: filter" >< buf)
    exit(0, "The firewall is enabled on the remote host.");
  else
    exit(1, "Failed to determine whether the firewall is enabled on the remote host.");
}
else
{
  security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);
}