CVE-2019-0039

Summary

If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS14.1X53 < 14.1X53-D49affected
Juniper NetworksJunos OS15.1 < 15.1F6-S12, 15.1R7-S3affected
Juniper NetworksJunos OS15.1X49 < 15.1X49-D160affected
Juniper NetworksJunos OS15.1X53 < 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69affected
Juniper NetworksJunos OS16.1 < 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3affected
Juniper NetworksJunos OS16.1X65 < 16.1X65-D49affected
Juniper NetworksJunos OS16.2 < 16.2R2-S7affected
Juniper NetworksJunos OS17.1 < 17.1R2-S10, 17.1R3affected
Juniper NetworksJunos OS17.2 < 17.2R1-S8, 17.2R3-S1affected
Juniper NetworksJunos OS17.3 < 17.3R3-S2affected
Juniper NetworksJunos OS17.4 < 17.4R1-S6, 17.4R2-S2affected
Juniper NetworksJunos OS18.1 < 18.1R2-S4, 18.1R3-S1affected
Juniper NetworksJunos OS18.2 < 18.2R1-S5affected
Juniper NetworksJunos OS18.2X75 < 18.2X75-D30affected
Juniper NetworksJunos OS18.3 < 18.3R1-S1affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts

Workarounds

Setting a connection limit on REST API may help mitigate this issue. set system services rest control connection-limit 100

Use access lists or firewall filters to limit API access to the device only from trusted hosts.

ADP Enrichment

CVE Program Container

Additional References

References