CVE-2021-31360

Summary

An improper privilege management vulnerability in the Juniper Networks Junos OS and Junos OS Evolved command-line interpreter (CLI) allows a low-privileged user to overwrite local files as root, possibly leading to a system integrity issue or Denial of Service (DoS). Depending on the files overwritten, exploitation of this vulnerability could lead to a sustained Denial of Service (DoS) condition, requiring manual user intervention to recover. Systems are only vulnerable if jdhcpd is running, which can be confirmed via the 'show system processes' command. For example: root@host# run show system processes extensive | match dhcp 26537 root -16 0 97568K 13692K RUN 0 0:01 3.71% jdhcpd This issue affects: Juniper Networks Junos OS: All versions, including the following supported releases: 15.1 versions prior to 15.1R7-S10; 17.4 versions prior to 17.4R3-S5; 18.3 versions prior to 18.3R3-S5; 18.4 versions prior to 18.4R3-S9; 19.1 versions prior to 19.1R3-S6; 19.2 versions prior to 19.2R1-S7, 19.2R3-S3; 19.3 versions prior to 19.3R2-S6, 19.3R3-S3; 19.4 versions prior to 19.4R3-S6; 20.1 versions prior to 20.1R2-S2, 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3; 20.4 versions prior to 20.4R2-S1, 20.4R3; 21.1 versions prior to 21.1R1-S1, 21.1R2. Juniper Networks Junos OS Evolved: All versions prior to 20.4R2-S3-EVO; All versions of 21.1-EVO.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS15.1 < 15.1R7-S10affected
Juniper NetworksJunos OS17.4 < 17.4R3-S5affected
Juniper NetworksJunos OS18.3 < 18.3R3-S5affected
Juniper NetworksJunos OS18.4 < 18.4R3-S9affected
Juniper NetworksJunos OS19.1 < 19.1R3-S6affected
Juniper NetworksJunos OS19.2 < 19.2R1-S7, 19.2R3-S3affected
Juniper NetworksJunos OS19.3 < 19.3R2-S6, 19.3R3-S3affected
Juniper NetworksJunos OS19.4 < 19.4R3-S6affected
Juniper NetworksJunos OS20.1 < 20.1R2-S2, 20.1R3-S1affected
Juniper NetworksJunos OS20.2 < 20.2R3-S2affected
Juniper NetworksJunos OS20.3 < 20.3R3affected
Juniper NetworksJunos OS20.4 < 20.4R2-S1, 20.4R3affected
Juniper NetworksJunos OS21.1 < 21.1R1-S1, 21.1R2affected
Juniper NetworksJunos OS Evolvedunspecified < 20.4R2-S3-EVOaffected
Juniper NetworksJunos OS Evolved21.1R1-EVO < 21.1*affected

Weaknesses

  • CWE-269: CWE-269 Improper Privilege Management
  • CWE-20: CWE-20 Improper Input Validation
  • Denial of Service (DoS)

Workarounds

Use access lists or firewall filters to limit access to the device via CLI only from trusted hosts and from trusted administrators.

ADP Enrichment

CVE Program Container

Additional References

References