CVE-2020-1637
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
A vulnerability in Juniper Networks SRX Series device configured as a Junos OS Enforcer device may allow a user to access network resources that are not permitted by a UAC policy. This issue might occur when the IP address range configured in the Infranet Controller (IC) is configured as an IP address range instead of an IP address/netmask. See the Workaround section for more detail. The Junos OS Enforcer CLI settings are disabled by default. This issue affects Juniper Networks Junos OS on SRX Series: 12.3X48 versions prior to 12.3X48-D100; 15.1X49 versions prior to 15.1X49-D210; 17.3 versions prior to 17.3R2-S5, 17.3R3-S8; 17.4 versions prior to 17.4R2-S9, 17.4R3-S1; 18.1 versions prior to 18.1R3-S10; 18.2 versions prior to 18.2R2-S7, 18.2R3-S3; 18.3 versions prior to 18.3R1-S7, 18.3R3-S2; 18.4 versions prior to 18.4R1-S6, 18.4R2-S4, 18.4R3-S1; 19.1 versions prior to 19.1R1-S4, 19.1R2-S1, 19.1R3; 19.2 versions prior to 19.2R1-S3, 19.2R2; 19.3 versions prior to 19.3R2-S1, 19.3R3; 19.4 versions prior to 19.4R1-S1, 19.4R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 12.3X48 < 12.3X48-D100 | affected |
| Juniper Networks | Junos OS | 15.1X49 < 15.1X49-D210 | affected |
| Juniper Networks | Junos OS | 17.3 < 17.3R2-S5, 17.3R3-S8 | affected |
| Juniper Networks | Junos OS | 17.4 < 17.4R2-S9, 17.4R3-S1 | affected |
| Juniper Networks | Junos OS | 18.1 < 18.1R3-S10 | affected |
| Juniper Networks | Junos OS | 18.2 < 18.2R2-S7, 18.2R3-S3 | affected |
| Juniper Networks | Junos OS | 18.3 < 18.3R1-S7, 18.3R3-S2 | affected |
| Juniper Networks | Junos OS | 18.4 < 18.4R1-S6, 18.4R2-S4, 18.4R3-S1 | affected |
| Juniper Networks | Junos OS | 19.1 < 19.1R1-S4, 19.1R2-S1, 19.1R3 | affected |
| Juniper Networks | Junos OS | 19.2 < 19.2R1-S3, 19.2R2 | affected |
| Juniper Networks | Junos OS | 19.3 < 19.3R2-S1, 19.3R3 | affected |
| Juniper Networks | Junos OS | 19.4 < 19.4R1-S1, 19.4R2 | affected |
Weaknesses
- CWE-288: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Workarounds
To avoid this issue, the IP address configuration in the IC Server should be configured as IP address/netmask, rather than an IP address range.
For example: configure 10.0.0.0/25 instead of 10.0.0.1-127.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.