Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)
2014-12-22T00:00:00
ID JUNIPER_SPACE_JSA10626.NASL Type nessus Reporter This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2014-12-22T00:00:00
Description
According to its self-reported version number, the remote Junos Space
version is prior to 13.3R1.8. It is, therefore, affected by a remote
command execution vulnerability that exists when the firewall is
disabled. This could allow a remote attacker to execute arbitrary
commands with root privileges.
Note that the firewall is enabled by default on Junos Space.
#TRUSTED ae5ba34b865cd611f9232ec473a0b530f543647d583097262195060d26f2e07c4db938d8213d296d47087b4c98a64e13e725a4524f10fd41df39b76ffbe5728a57b317a05f7c666e52569e5543f44bbd7b969a9ef46f471ae5f3f7ef64b42fc39f69226791667764d1a44c35eeb234843c043aefe19598d42d3aa2b943be2cde085d7caa99bad04248536a0f83a43659b95262f2a586587b572eb90ea81ae2d29b4daf705b5e988b0a2d134a530036a1c252b2b3a51c69208613748d38920f028b93aa611f402f218272c19ecf3f10d56625c35e3ed2b86b16e94858b38b8e7674491d3247f4efa91f01c9e0e048e471344babcce9ffb5d55f24524e087a73ab58cd54f179baca7cddc5bf8cde3f70c775a9421b90496365963188476153e275456fd79a67993c3570466e9f6dc46a0db2d67bd1962c45553652e7b863842e665e4f9e0391e4a4df0165751e8632df1b20d37570fa781c137517583e59324d2f743f952edb793449d960a156efa145d1231507186c88bf0516e6ad1596cf9917a8d665ee7098109bff1cb75b6e2fc3f5429df89c1e9d2eb7a305bd715c64c02d4e700cbe690540feae20762d1266c973acd46c190ab66c7e7140cccbe6f22bf9127c26245e45748410efda0578e78d77a557ca3ddaf558a4e761a622cd8c6eaa9483385ee616097a2c8c6d22a428f8d16976b7b3dbce335ae5cea0e75284e392
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(80194);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2018/08/10");
script_cve_id("CVE-2014-3412");
script_bugtraq_id(67454);
script_name(english:"Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)");
script_summary(english:"Checks the version.");
script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by a remote command execution
vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Junos Space
version is prior to 13.3R1.8. It is, therefore, affected by a remote
command execution vulnerability that exists when the firewall is
disabled. This could allow a remote attacker to execute arbitrary
commands with root privileges.
Note that the firewall is enabled by default on Junos Space.");
script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10626");
script_set_attribute(attribute:"solution", value:"Upgrade to Junos Space 13.3R1.8 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/14");
script_set_attribute(attribute:"patch_publication_date", value:"2014/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_space");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Junos Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Junos_Space/version", "Host/Junos_Space/release");
exit(0);
}
include("audit.inc");
include("ssh_func.inc");
include("telnet_func.inc");
include("hostlevel_funcs.inc");
include("junos.inc");
include("misc_func.inc");
if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
enable_ssh_wrappers();
else disable_ssh_wrappers();
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Junos_Space/release");
if (isnull(release) || "Junos Space" >!< release) audit(AUDIT_OS_NOT, "Juniper Junos Space");
ver = get_kb_item_or_exit('Host/Junos_Space/version');
if(_junos_space_ver_compare(ver:ver, fix:'13.3R1.8') >= 0)
exit(0, 'Junos Space ' + ver + ' is not affected.');
if(report_paranoia < 2)
{
if ( islocalhost() )
{
if ( ! defined_func("pread") ) exit(1, "'pread()' is not defined.");
info_t = INFO_LOCAL;
}
else
{
sock_g = ssh_open_connection();
if (! sock_g) exit(1, "ssh_open_connection() failed.");
info_t = INFO_SSH;
}
cmd = 'service iptables status';
buf = info_send_cmd(cmd:cmd);
ssh_close_connection();
if ("Firewall is not running" >< buf)
security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);
else if ("Table: filter" >< buf)
exit(0, "The firewall is enabled on the remote host.");
else
exit(1, "Failed to determine whether the firewall is enabled on the remote host.");
}
else
{
security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);
}
{"id": "JUNIPER_SPACE_JSA10626.NASL", "bulletinFamily": "scanner", "title": "Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)", "description": "According to its self-reported version number, the remote Junos Space\nversion is prior to 13.3R1.8. It is, therefore, affected by a remote\ncommand execution vulnerability that exists when the firewall is\ndisabled. This could allow a remote attacker to execute arbitrary\ncommands with root privileges.\n\nNote that the firewall is enabled by default on Junos Space.", "published": "2014-12-22T00:00:00", "modified": "2014-12-22T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/80194", "reporter": "This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10626"], "cvelist": ["CVE-2014-3412"], "type": "nessus", "lastseen": "2020-03-18T00:54:29", "edition": 13, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2014-3412"]}], "modified": "2020-03-18T00:54:29", "rev": 2}, "score": {"value": 7.6, "vector": "NONE", "modified": "2020-03-18T00:54:29", "rev": 2}, "vulnersScore": 7.6}, "sourceData": "#TRUSTED ae5ba34b865cd611f9232ec473a0b530f543647d583097262195060d26f2e07c4db938d8213d296d47087b4c98a64e13e725a4524f10fd41df39b76ffbe5728a57b317a05f7c666e52569e5543f44bbd7b969a9ef46f471ae5f3f7ef64b42fc39f69226791667764d1a44c35eeb234843c043aefe19598d42d3aa2b943be2cde085d7caa99bad04248536a0f83a43659b95262f2a586587b572eb90ea81ae2d29b4daf705b5e988b0a2d134a530036a1c252b2b3a51c69208613748d38920f028b93aa611f402f218272c19ecf3f10d56625c35e3ed2b86b16e94858b38b8e7674491d3247f4efa91f01c9e0e048e471344babcce9ffb5d55f24524e087a73ab58cd54f179baca7cddc5bf8cde3f70c775a9421b90496365963188476153e275456fd79a67993c3570466e9f6dc46a0db2d67bd1962c45553652e7b863842e665e4f9e0391e4a4df0165751e8632df1b20d37570fa781c137517583e59324d2f743f952edb793449d960a156efa145d1231507186c88bf0516e6ad1596cf9917a8d665ee7098109bff1cb75b6e2fc3f5429df89c1e9d2eb7a305bd715c64c02d4e700cbe690540feae20762d1266c973acd46c190ab66c7e7140cccbe6f22bf9127c26245e45748410efda0578e78d77a557ca3ddaf558a4e761a622cd8c6eaa9483385ee616097a2c8c6d22a428f8d16976b7b3dbce335ae5cea0e75284e392\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(80194);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2018/08/10\");\n\n script_cve_id(\"CVE-2014-3412\");\n script_bugtraq_id(67454);\n\n script_name(english:\"Juniper Junos Space < 13.3R1.8 Arbitrary Command Execution (JSA10626)\");\n script_summary(english:\"Checks the version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by a remote command execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote Junos Space\nversion is prior to 13.3R1.8. It is, therefore, affected by a remote\ncommand execution vulnerability that exists when the firewall is\ndisabled. This could allow a remote attacker to execute arbitrary\ncommands with root privileges.\n\nNote that the firewall is enabled by default on Junos Space.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10626\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Junos Space 13.3R1.8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/12/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:juniper:junos_space\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Junos Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Junos_Space/version\", \"Host/Junos_Space/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"telnet_func.inc\");\ninclude(\"hostlevel_funcs.inc\");\ninclude(\"junos.inc\");\ninclude(\"misc_func.inc\");\n\n\nif(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)\n enable_ssh_wrappers();\nelse disable_ssh_wrappers();\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Junos_Space/release\");\nif (isnull(release) || \"Junos Space\" >!< release) audit(AUDIT_OS_NOT, \"Juniper Junos Space\");\n\nver = get_kb_item_or_exit('Host/Junos_Space/version');\nif(_junos_space_ver_compare(ver:ver, fix:'13.3R1.8') >= 0)\n exit(0, 'Junos Space ' + ver + ' is not affected.');\n\nif(report_paranoia < 2)\n{\n if ( islocalhost() )\n {\n if ( ! defined_func(\"pread\") ) exit(1, \"'pread()' is not defined.\");\n info_t = INFO_LOCAL;\n }\n else\n {\n sock_g = ssh_open_connection();\n if (! sock_g) exit(1, \"ssh_open_connection() failed.\");\n info_t = INFO_SSH;\n }\n\n cmd = 'service iptables status';\n buf = info_send_cmd(cmd:cmd);\n\n ssh_close_connection();\n\n if (\"Firewall is not running\" >< buf)\n security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);\n else if (\"Table: filter\" >< buf)\n exit(0, \"The firewall is enabled on the remote host.\");\n else\n exit(1, \"Failed to determine whether the firewall is enabled on the remote host.\");\n}\nelse\n{\n security_report_v4(port:0, extra:get_report(ver:ver, fix:'13.3R1.8'), severity:SECURITY_HOLE);\n}\n\n", "naslFamily": "Junos Local Security Checks", "pluginID": "80194", "cpe": ["cpe:/a:juniper:junos_space"], "scheme": null, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}
