Junos Space: Malicious HTTP packets sent to Junos Space allow an attacker to view all files on the device.
Description
A Local File Inclusion vulnerability in Juniper Networks Junos Space allows an attacker to view all files on the target when the device receives malicious HTTP packets. This issue affects: Juniper Networks Junos Space versions prior to 19.4R1.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
This is a low-risk, high-gain vulnerability, exploiting a path inclusion (which basically has the same impact as the Citrix ADC (Netscaler) path traversal bug). Though it’s probably less likely to find these sitting on the public internet.
PoC from Jin Wook Kim (@wugeej): https://twitter.com/wugeej/status/1222762164626186242
[PoC] Juniper Junos Space Local File Inclusion (CVE-2020-1611) - GET Param: (1) Set "Format" to "txt" (2) Set "FileUrl" to a local path - /etc/passwd
GET /mainui/download?X-CSRF=Y581SFvK....53107455361&FileUrl=/etc/passwd&Format=txt&nod... HTTP/1.1
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
The vulnerability allows a malicious actor access to any files within the system via a local file inclusion. This isn’t a vulnerability that requires a heap of knowledge, just enough to craft the HTTP request. It’s also vulnerable in a series of versions prior to the release of 19.4R1. Though these systems aren’t commonly found.
General Information
Vendors
- juniper
Products
- junos space 17.1
- junos space 17.2
- junos space 18.1
- junos space 18.2
- junos space 18.3
- junos space 18.4
- junos space 19.1
- junos space 19.2
- junos space 19.3
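A log-side check for the request shape in the PoC quoted above, as an added example that is not AttackerKB's or Juniper's code: it flags requests to /mainui/download whose FileUrl resolves to a sensitive local path or contains traversal segments. The prefix list, the combined access-log format and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and parameter names come from the PoC request quoted on this page.
ENDPOINT, PARAM = "/mainui/download", "FileUrl"
# Assumption: directories a download handler should never serve; tune locally.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/proc/", "/home/", "/var/log/")
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # combined-log request line


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encoding cannot hide the path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_file_url(line):
    """Return the normalised FileUrl if the line looks like LFI probing, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group("target"))
    if fully_decode(url.path).rstrip("/") != ENDPOINT:
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        decoded = fully_decode(raw).replace("\\", "/")
        normalised = posixpath.normpath("/" + decoded.lstrip("/"))
        traversal = ".." in decoded.split("/")
        if traversal or (normalised + "/").startswith(SENSITIVE_PREFIXES):
            return normalised
    return None


def scan(lines):
    """Return (source_ip, normalised_path) for every flagged log line."""
    return [(ln.split()[0], p) for ln in lines if (p := suspicious_file_url(ln))]


# Constructed sample log lines (documentation IPs, placeholder token and paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2020:10:00:01 +0000] "GET /mainui/download?X-CSRF=TOKEN&FileUrl=/etc/passwd&Format=txt HTTP/1.1" 200 1874',
    '192.0.2.10 - - [01/Feb/2020:10:00:05 +0000] "GET /mainui/download?FileUrl=%2Fetc%2Fhosts&Format=txt HTTP/1.1" 200 912',
    '198.51.100.7 - - [01/Feb/2020:10:02:11 +0000] "GET /mainui/download?FileUrl=/tmp/export/report-42.csv&Format=csv HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2020:10:03:40 +0000] "GET /mainui/index.jsp HTTP/1.1" 200 3301',
]
```

Calling `scan(SAMPLE_LOG)` returns the two requests from 192.0.2.10; the fix itself remains upgrading to 19.4R1 or later, as the description states.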