CVE-2023-28972

Summary

An Improper Link Resolution Before File Access vulnerability in console port access of Juniper Networks Junos OS on NFX Series allows an attacker to bypass console access controls. When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on NFX Series systems, leading to a possible administrative bypass with physical access to the console. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. This is similar to the vulnerability described in CVE-2019-0035 but affects different platforms and in turn requires a different fix. This issue affects Juniper Networks Junos OS on NFX Series: 19.2 versions prior to 19.2R3-S7; 19.3 versions prior to 19.3R3-S8; 19.4 versions prior to 19.4R3-S12; 20.2 versions prior to 20.2R3-S8; 20.4 versions prior to 20.4R3-S7; 21.1 versions prior to 21.1R3-S5; 21.2 versions prior to 21.2R3-S4; 21.3 versions prior to 21.3R3-S3; 21.4 versions prior to 21.4R3-S2; 22.1 versions prior to 22.1R3-S1; 22.2 versions prior to 22.2R2-S1, 22.2R3; 22.3 versions prior to 22.3R1-S2, 22.3R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS19.2 < 19.2R3-S7affected
Juniper NetworksJunos OS19.3 < 19.3R3-S8affected
Juniper NetworksJunos OS19.4 < 19.4R3-S12affected
Juniper NetworksJunos OS20.2 < 20.2R3-S8affected
Juniper NetworksJunos OS20.4 < 20.4R3-S7affected
Juniper NetworksJunos OS21.1 < 21.1R3-S5affected
Juniper NetworksJunos OS21.2 < 21.2R3-S4affected
Juniper NetworksJunos OS21.3 < 21.3R3-S3affected
Juniper NetworksJunos OS21.4 < 21.4R3-S2affected
Juniper NetworksJunos OS22.1 < 22.1R3-S1affected
Juniper NetworksJunos OS22.2 < 22.2R2-S1, 22.2R3affected
Juniper NetworksJunos OS22.3 < 22.3R1-S2, 22.3R2affected

Weaknesses

  • CWE-59: CWE-59 Improper Link Resolution Before File Access ('Link Following')

Workarounds

Limit console access to the device to only trusted administrators.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References