CVE-2023-28971
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Summary
An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the timescaledb feature of Juniper Networks Paragon Active Assurance (PAA) (Formerly Netrounds) allows an attacker to bypass existing firewall rules and limitations used to restrict internal communcations. The Test Agents (TA) Appliance connects to the Control Center (CC) using OpenVPN. TA's are assigned an internal IP address in the 100.70.0.0/16 range. Firewall rules exists to limit communication from TA's to the CC to specific services only. OpenVPN is configured to not allow direct communication between Test Agents in the OpenVPN application itself, and routing is normally not enabled on the server running the CC application. The timescaledb feature is installed as an optional package on the Control Center. When the timescaledb container is started, this causes side-effects by bypassing the existing firewall rules and limitations for Test Agent communications. Note: This issue only affects customers hosting their own on-prem Control Center. The Paragon Active Assurance Software as a Service (SaaS) is not affected by this vulnerability since the timescaledb service is not enabled. This issue affects all on-prem versions of Juniper Networks Paragon Active Assurance prior to 4.1.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Paragon Active Assurance | unspecified < 4.1.2 | affected |
Weaknesses
- CWE-923: CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
Workarounds
If the timescaledb feature is not used - disable the service and disable IP forwarding.
root@ncc:# systemctl stop netrounds-timescaledb
root@ncc:# systemctl disable netrounds-timescaledb
root@ncc:~# echo 0 > /proc/sys/net/ipv4/ip_forward
In case timescaledb feature is used - drop forwarded packets by changing default forward policy to drop packets:
Stop running services, to clear dynamic rules ncc services stop openvpn metrics timescaledb
Set default DROP policy for forwarding iptables -P FORWARD DROP ip6tables -P FORWARD DROP
Install iptables-persistent and save rules apt-get install iptables-persistent iptables-save > /etc/iptables/rules.v4 ip6tables-save > /etc/iptables/rules.v6
Restart services ncc services start openvpn metrics timescaledb
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.