6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
5.1%
Junos OS is prone to a unauthenticated root access vulnerability.
# SPDX-FileCopyrightText: 2015 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/o:juniper:junos";
if (description)
{
script_oid("1.3.6.1.4.1.25623.1.0.106040");
script_version("2023-07-25T05:05:58+0000");
script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
script_tag(name:"creation_date", value:"2015-11-23 10:20:35 +0700 (Mon, 23 Nov 2015)");
script_tag(name:"cvss_base", value:"6.9");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_tag(name:"qod_type", value:"package");
script_tag(name:"solution_type", value:"VendorFix");
script_cve_id("CVE-2015-7751");
script_name("Juniper Networks Junos OS Fail-Open Unauthenticated Root Access Vulnerability");
script_category(ACT_GATHER_INFO);
script_family("JunOS Local Security Checks");
script_copyright("Copyright (C) 2015 Greenbone AG");
script_dependencies("gb_juniper_junos_consolidation.nasl");
script_mandatory_keys("juniper/junos/detected");
script_tag(name:"summary", value:"Junos OS is prone to a unauthenticated root access vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable OS build is present on the target host.");
script_tag(name:"insight", value:"When the pam.conf file is corrupted in certain ways, it may allow
connection to the device as the root user with no password. This 'fail-open' behavior allows an
attacker who can specifically modify the file to gain full access to the device. Note that inadvertent
manipulation of the pam.conf by an authorized administrator can also lead to unauthenticated root
access to the device.");
script_tag(name:"impact", value:"When the pam.conf file is corrupted in certain ways attackers may
connect as root user with no password.");
script_tag(name:"affected", value:"Junos OS 12.1, 12.3, 13.2, 13.3, and 14.1");
script_tag(name:"solution", value:"New builds of Junos OS software are available from Juniper.");
script_xref(name:"URL", value:"http://kb.juniper.net/JSA10707");
exit(0);
}
include("host_details.inc");
include("revisions-lib.inc");
if (!version = get_app_version(cpe: CPE, nofork: TRUE))
exit(0);
if (version =~ "^12") {
if ((revcomp(a: version, b: "12.1X44-D50") < 0) &&
(revcomp(a: version, b: "12.1X44") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "12.1X46-D35") < 0) &&
(revcomp(a: version, b: "12.1X46") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "12.1X47-D25") < 0) &&
(revcomp(a: version, b: "12.1X47") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "12.3R9") < 0) &&
(revcomp(a: version, b: "12.3") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "12.3X48-D15") < 0) &&
(revcomp(a: version, b: "12.3X") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
}
if (version =~ "^13") {
if (revcomp(a: version, b: "13.2R7") < 0) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "13.2X51-D35") < 0) &&
(revcomp(a: version, b: "13.2X") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "13.3R6") < 0) &&
(revcomp(a: version, b: "13.3") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
}
if (version =~ "^14") {
if (revcomp(a: version, b: "14.1R5") < 0) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "14.1X50-D105") < 0) &&
(revcomp(a: version, b: "14.1X50") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "14.1X51-D70") < 0) &&
(revcomp(a: version, b: "14.1X51") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "14.1X53-D25") < 0) &&
(revcomp(a: version, b: "14.1X53") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
else if ((revcomp(a: version, b: "14.1X55-D20") < 0) &&
(revcomp(a: version, b: "14.1X55") >= 0)) {
security_message(port: 0, data: version);
exit(0);
}
}
exit(99);