CVE-2019-0039
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 14.1X53 < 14.1X53-D49 | affected |
| Juniper Networks | Junos OS | 15.1 < 15.1F6-S12, 15.1R7-S3 | affected |
| Juniper Networks | Junos OS | 15.1X49 < 15.1X49-D160 | affected |
| Juniper Networks | Junos OS | 15.1X53 < 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69 | affected |
| Juniper Networks | Junos OS | 16.1 < 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3 | affected |
| Juniper Networks | Junos OS | 16.1X65 < 16.1X65-D49 | affected |
| Juniper Networks | Junos OS | 16.2 < 16.2R2-S7 | affected |
| Juniper Networks | Junos OS | 17.1 < 17.1R2-S10, 17.1R3 | affected |
| Juniper Networks | Junos OS | 17.2 < 17.2R1-S8, 17.2R3-S1 | affected |
| Juniper Networks | Junos OS | 17.3 < 17.3R3-S2 | affected |
| Juniper Networks | Junos OS | 17.4 < 17.4R1-S6, 17.4R2-S2 | affected |
| Juniper Networks | Junos OS | 18.1 < 18.1R2-S4, 18.1R3-S1 | affected |
| Juniper Networks | Junos OS | 18.2 < 18.2R1-S5 | affected |
| Juniper Networks | Junos OS | 18.2X75 < 18.2X75-D30 | affected |
| Juniper Networks | Junos OS | 18.3 < 18.3R1-S1 | affected |
Weaknesses
- CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts
Workarounds
Setting a connection limit on REST API may help mitigate this issue. set system services rest control connection-limit 100
Use access lists or firewall filters to limit API access to the device only from trusted hosts.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.