CVE-2020-1669
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
The Juniper Device Manager (JDM) container, used by the disaggregated Junos OS architecture on Juniper Networks NFX350 Series devices, stores password hashes in the world-readable file /etc/passwd. This is not a security best current practice as it can allow an attacker with access to the local filesystem the ability to brute-force decrypt password hashes stored on the system. This issue affects Juniper Networks Junos OS on NFX350: 19.4 versions prior to 19.4R3; 20.1 versions prior to 20.1R1-S4, 20.1R2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 19.4 < 19.4R3 | affected |
| Juniper Networks | Junos OS | 20.1 < 20.1R1-S4, 20.1R2 | affected |
Weaknesses
- CWE-256: CWE-256 Unprotected Storage of Credentials
Workarounds
Use access lists or firewall filters to limit access to the device only from trusted hosts. Limit shell access to only trusted system administrators.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.