Attacker Value: Very High (2 users assessed)
Exploitability: Very High (2 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Network

Junos Space: Malicious HTTP packets sent to Junos Space allow an attacker to view all files on the device.

Disclosure Date: January 15, 2020

Description

A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.


6
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

This is a low-risk, high-gain vulnerability, exploiting a path inclusion (which basically has the same impact as the Citrix ADC (NetScaler) path traversal bug), though it’s probably less likely to find these sitting on the public internet.

PoC from Jin Wook Kim
@wugeej

https://twitter.com/wugeej/status/1222762164626186242

[PoC] Juniper Junos Space Local File Inclusion (CVE-2020-1611)

- GET Param:
 (1) Set "Format" to "txt"
 (2) Set "FileUrl" to a local path

- /etc/passwd
GET /mainui/download?X-CSRF=Y581SFvK....53107455361&FileUrl=/etc/passwd&Format=txt&nod... HTTP/1.1
3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

The vulnerability allows a malicious actor access to any files within the system via a local file inclusion. This isn’t a vulnerability that requires a heap of knowledge, just enough to craft the HTTP request. It’s also vulnerable in a series of versions prior to the release of 19.4R1, though these systems aren’t commonly found.
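
For defenders checking whether an unpatched Junos Space instance has been probed, the following added example (not part of either assessment or of any Juniper tooling) scans web access logs for requests to the `/mainui/download` endpoint whose `FileUrl` parameter resolves to a system path. It assumes Apache combined log format; the `SENSITIVE_PREFIXES` list and the sample log lines are constructed for illustration and should be tuned to the appliance.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: access logs use Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: illustrative list of locations no download should reference.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/proc/", "/home/", "/var/log/")

def classify_file_url(value):
    """Return a reason if a FileUrl value points at a system path, else None."""
    decoded = unquote(value)  # tolerate a second layer of percent-encoding
    if ".." in decoded.split("/"):
        return "traversal sequence"
    if (posixpath.normpath(decoded) + "/").startswith(SENSITIVE_PREFIXES):
        return "sensitive absolute path"
    return None

def scan(lines):
    """Return one finding per log line that matches the CVE-2020-1611 request shape."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path.rstrip("/") != "/mainui/download":
            continue
        params = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
        file_url = unquote(params.get("fileurl", ""))
        reason = classify_file_url(file_url)
        if reason:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                             "file_url": file_url, "format": params.get("format"),
                             "reason": reason})
    return findings

# Constructed sample log lines (documentation IP ranges, placeholder token).
SAMPLE = [
    '198.51.100.7 - admin [30/Jan/2020:10:01:02 +0000] "GET /mainui/download?X-CSRF=TOKEN&FileUrl=/etc/passwd&Format=txt HTTP/1.1" 200 1843 "-" "-"',
    '198.51.100.7 - admin [30/Jan/2020:10:01:09 +0000] "GET /mainui/download?FileUrl=%2Fetc%2Fpasswd&Format=txt HTTP/1.1" 200 1843 "-" "-"',
    '192.0.2.10 - ops [30/Jan/2020:10:02:00 +0000] "GET /mainui/download?FileUrl=reports/inventory.csv&Format=csv HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.10 - ops [30/Jan/2020:10:03:00 +0000] "GET /mainui/index.jsp HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A finding with status 200 indicates the file was likely returned, so the authenticated account on that log line should be reviewed and the instance upgraded to 19.4R1 or later.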

CVSS V3 Severity and Metrics
Base Score: 6.5 Medium
Impact Score: 3.6
Exploitability Score: 2.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • juniper

Products

  • junos space 17.1
  • junos space 17.2
  • junos space 18.1
  • junos space 18.2
  • junos space 18.3
  • junos space 18.4
  • junos space 19.1
  • junos space 19.2
  • junos space 19.3
