CVE-2022-22251 In Juniper Networks Junos OS, software permission issues and passwords in Junos OS are vulnerable to local low-privilege attacks.

In addition, if the device is configured to store credentials for remote access (e.g., a virtual server or ssh login) in the device’s storage, an attacker with local access to the device can use the stored credentials to log into any remote device that is configured with the same password. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. In these software versions, the password is stored in the device’s filesystem rather than in an encrypted format. To mitigate these issues, we recommend that administrators change the device password when upgrading these versions. Juniper Networks is aware of a storage permission issue in cSRX Series 10 and 20 Series software. This issue is due to the fact that the cSRX Series software does not enforce strong permissions for the /var/lock/dev directory. An attacker with local access to the device can elevate their permissions to take control of any instance of a cSRX software deployment.

Storage permission issues

The cSRX Series software does not enforce strong permissions for the /var/lock/dev directory. An attacker with local access to the device can elevate their permissions to take control of any instance of a cSRX software deployment. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. In these software versions, the password is stored in the device’s filesystem rather than in an encrypted format. To mitigate these issues, we recommend that administrators change the device password when upgrading these versions.

CVE-2023-22252

In addition, if the device is configured to store credentials for remote access (e.g., a virtual server or ssh login) in the device’s storage, an attacker with local access to the device can use the stored credentials to log into any remote device that is configured with the same password. This issue affects Juniper Networks Junos OS 20.2 version 20.2R1 and later versions prior to 21.2R1 on cSRX Series. In these software versions, the password is stored in the device’s filesystem rather than in an encrypted format. To mitigate these issues, we recommend that administrators change the device password when upgrading these versions.

Solution

Juniper Networks recommends that administrators change the device password when upgrading to software versions prior to 21.2R1.

How to detect if Juniper Networks devices are vulnerable?

Juniper Networks has identified a vulnerability in cSRX Series software. This vulnerability is due to the fact that the cSRX series software does not enforce strong permissions for the /var/lock/dev directory. An attacker with local access can elevate their permissions to take control of any instance of a cSRX software deployment.
We recommend following these steps to detect if your devices are affected:
1) browse to the following URL from a device running cSRX Series software: https://

Storage Permission Escalation

You can mitigate this issue by limiting the permissions to only user, group, and network.

Timeline

Published on: 10/18/2022 03:15:00 UTC
Last modified on: 10/18/2022 12:01:00 UTC

References

• https://kb.juniper.net/JSA69908
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22251