
Juniper Firewall Update Opens Root Level Account


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A vulnerability has been discovered in the update process in Junos OS which allows an attacker to gain root access with no authentication. The vulnerability affects Juniper SRX firewalls that are running Junos OS prior to 12.1X46-D65.

Threat details

The problem lies in the mechanism designed to help users recover from a catastrophic failure: the device drops into safe mode, which offers full root access to the device with the login ‘root’ and no password. All existing credentials are wiped from the system, leaving the open root account as the only way to access it.

Juniper released a new version of the OS which initially appeared to resolve the flaw. However, if the device has already been updated to an affected version, the issue will not be resolved and a full restore of the device is the only method of recovery. Note that physical access to the target system is required to exploit this vulnerability.

Affected products:
Juniper SRX Firewalls running Junos OS releases prior to 12.1X46-D65

For further information please see:

CVE-2016-1278


Remediation steps

  • Ensure any Juniper SRX Firewalls receive the latest available patches.
  • Identify any firewalls that may have been upgraded to an affected release and ensure these are rebooted and upgraded. Make sure all accounts are placed back into a password-protected state.
  • Take a multilayered security approach to protect the network, covering physical access controls, host-based and network-based intrusion, etc.
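
One way to carry out the identification step, as an added example (not code from NHS Digital or Juniper): triage an asset inventory against the 12.1X46-D65 boundary stated in this alert. The hostnames, the CSV layout and the ordering rule (compare major.minor, then X train, then D build) are assumptions; releases on the 12.1 branch that are not X trains are marked for manual review because their order relative to 12.1X46-D65 cannot be read from the string alone.

```python
import re

FIXED = "12.1X46-D65"  # boundary release named in the alert

# major.minor, then either an X train with a -D build (12.1X46-D65)
# or any other release style (12.1R7, 12.3R12-S1).
_VER = re.compile(r"^(\d+)\.(\d+)(?:X(\d+)-D(\d+)(?:\.\d+)?|([A-Z]).*)$")

# Constructed sample inventory: hostname,model,version
INVENTORY = """\
fw-edge-01,SRX240,12.1X46-D40
fw-edge-02,SRX240,12.1X46-D65
fw-core-01,SRX650,12.1X44-D35.5
fw-lab-01,SRX100,12.1R7
fw-dc-01,SRX1500,15.1X49-D30
sw-acc-01,EX4200,12.3R12
"""

def parse(version):
    """Return (major, minor, x_train, d_build) or None if unparseable."""
    m = _VER.match(version.strip())
    if not m:
        return None
    major, minor, train, build, _ = m.groups()
    return (int(major), int(minor),
            int(train) if train else None,
            int(build) if build else None)

def triage(version):
    """Classify one version string as 'prior', 'not-prior' or 'review'."""
    v, f = parse(version), parse(FIXED)
    if v is None:
        return "review"
    if v[:2] != f[:2]:
        return "prior" if v[:2] < f[:2] else "not-prior"
    if v[2] is None:
        return "review"  # same 12.1 branch, not an X train: order unclear
    return "prior" if v[2:] < f[2:] else "not-prior"

def follow_up(inventory):
    """Map each SRX host that needs patching or review to its status."""
    hosts = {}
    for line in inventory.splitlines():
        host, model, version = [x.strip() for x in line.split(",")]
        if model.upper().startswith("SRX") and triage(version) != "not-prior":
            hosts[host] = triage(version)
    return hosts

if __name__ == "__main__":
    for host, status in follow_up(INVENTORY).items():
        print(host, status)
```

Hosts reported as prior or review still need the account check from the step above, since the alert states that upgrading alone does not restore password protection.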



Last edited: 17 February 2020 11:33 am