In mid-2023, a critical security vulnerability—CVE-2023-28973—was discovered in Juniper Networks’ Junos OS Evolved operating system line. This flaw makes it possible for a local, authenticated user (anyone with shell access) to execute highly privileged system commands, including restarting daemons, forcing routing engine switchover, or shutting down nodes completely. In this guide, I’ll walk you through the nature of the vulnerability, how it can be exploited, and what steps sysadmins should take to secure their systems. All technical details and code snippets presented are for educational purposes only.
What is CVE-2023-28973?
CVE-2023-28973 is classified as an *Improper Authorization* vulnerability. In simple terms, it means that some system-level commands on the device are not being protected as well as they should be. In this specific case, the sysmanctl command—used for administrative tasks deep within Junos OS Evolved—is available with insufficient access checks from the shell prompt.
21.4 versions before 21.4R1-S2-EVO, 21.4R2-EVO
Official Juniper advisory:
https://supportportal.juniper.net/JSA71668
How Does the Vulnerability Work?
When users log into a Junos device, they can access different types of shells, depending on their privileges:
Junos CLI: The typical command line interface familiar to most users.
- Junos Shell (start shell or cli > start shell): The lower-level Unix-like shell available mainly to advanced users.
The problem stems from the following
- The sysmanctl command, meant only for trusted system processes, is accessible to any local authenticated user *if* they manage to run shell commands.
- There’s no barrier stopping those users from attempting and, in many cases, successfully running powerful admin commands using sysmanctl.
Proof of Concept (PoC): Example Exploitation
Let’s look at how a local authenticated attacker could take advantage of this.
Most Juniper users will be in the Junos CLI (> prompt). To get a shell, a user runs
cli
start shell
1. Restart a critical daemon
sysmanctl restart jdae
*(This restarts the JDAE daemon, disrupting device operation.)*
2. Force Routing Engine Switchover
sysmanctl switch-re
*(Triggers a routing engine switchover, potentially impacting traffic and device stability.)*
3. Shut Down the Device
sysmanctl shutdown -y
*(Hard shutdown with minimal warning.)*
No extra password prompts will appear! If the user is already authenticated to the shell, these commands proceed.
Why Is This Bad?
- System Integrity Risk: Unprivileged or low-privilege users could perform critical operations typically reserved for administrators.
- Availability Risk: Device outages and network downtime are possible, either by mistake or by intention (malicious insiders).
- Insider Threat: The vulnerability is not exploitable remotely, but anyone with local shell access—either by weak password hygiene or social engineering—can be a threat.
How To Fix (Or Mitigate)
Juniper has patched this vulnerability. The best mitigation is update your systems to the following versions:
Check your version
cli
show version
If vulnerable, update your firmware immediately.
Official instructions:
https://supportportal.juniper.net/JSA71668
References
- Juniper Security Advisory JSA71668: CVE-2023-28973
- NIST NVD Entry for CVE-2023-28973
Conclusion
CVE-2023-28973 stands out as a textbook case of why least privilege and careful access controls are so important on systems running critical infrastructure. Even if a tool is “not directly accessible” from common management interfaces, anything accessible from a shell should be protected with robust privilege checks.
If you run Junos OS Evolved in your network, make sure you have updated beyond the affected versions as soon as possible. If you can't upgrade, lock down shell access for all but essential users, and keep a close eye on your audit trails for odd uses of sysmanctl.
Stay safe and vigilant!
*This post is exclusive and based on original research of public vulnerability advisories. Always refer to the vendor’s own guidance for official remediation steps.*
Timeline
Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC