CVE-2017-10620

Summary

Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates. This may allow a man-in-the-middle attacker to inject bogus signatures to cause service disruptions or make the device not detect certain types of attacks. Affected Junos OS releases are: 12.1X46 prior to 12.1X46-D71; 12.3X48 prior to 12.3X48-D55; 15.1X49 prior to 15.1X49-D110;

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS12.1X46 prior to 12.3X46-D71affected
Juniper NetworksJunos OS12.3X48 prior to 12.3X48-D55affected
Juniper NetworksJunos OS15.1X49 prior to 15.1X49-D110affected

Weaknesses

  • insufficient verification

Workarounds

There are no viable workarounds for this issue.

It is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts.

ADP Enrichment

CVE Program Container

Additional References

References