CVE-2022-22154 - External Control of Critical State Data

Severity

68%

Complexity

9%

Confidentiality

98%

In a Junos Fusion scenario an External Control of Critical State Data vulnerability in the Satellite Device (SD) control state machine of Juniper Networks Junos OS allows an attacker who is able to make physical changes to the cabling of the device to cause a denial of service (DoS). An SD can get rebooted and subsequently controlled by an Aggregation Device (AD) which does not belong to the original Fusion setup and is just connected to an extended port of the SD. To carry out this attack the attacker needs to have physical access to the cabling between the SD and the original AD. This issue affects: Juniper Networks Junos OS 16.1R1 and later versions prior to 18.4R3-S10; 19.1 versions prior to 19.1R3-S7; 19.2 versions prior to 19.2R3-S4. This issue does not affect Juniper Networks Junos OS versions prior to 16.1R1.

CVSS 3.1 Base Score 6.8. CVSS Attack Vector: physical. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVSS 2.0 Base Score 4.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

External Control of Critical State Data

CWE-642

In the following example, an authentication flag is read from a browser cookie, thus allowing for external control of user state data.


               
}
}
authenticated = true;

External Control of Critical State Data

CWE-642

The following code uses input from an HTTP request to create a file name. The programmer has not considered the possibility that an attacker could provide a file name such as "../../tomcat/conf/server.xml", which causes the application to delete one of its own configuration files (CWE-22).


               
rFile.delete();

External Control of Critical State Data

CWE-642

The following code uses input from a configuration file to determine which file to open and echo back to the user. If the program runs with privileges and malicious users can change the configuration file, they can use the program to read any file on the system that ends with the extension .txt.


               
out.println(arr);

External Control of Critical State Data

CWE-642

External Control of Critical State Data

CWE-642

This code prints all of the running processes belonging to the current user.


               
system($command);//assume getCurrentUser() returns a username that is guaranteed to be alphanumeric (CWE-78)

This program is also vulnerable to a PATH based attack (CWE-426), as an attacker may be able to create malicious versions of the ps or grep commands. While the program does not explicitly raise privileges to run the system commands, the PHP interpreter may by default be running with higher privileges than users.

External Control of Critical State Data

CWE-642

The following code segment implements a basic server that uses the "ls" program to perform a directory listing of the directory that is listed in the "HOMEDIR" environment variable. The code intends to allow the user to specify an alternate "LANG" environment variable. This causes "ls" to customize its output based on a given language, which is an important capability when supporting internationalization.


               
}
}
$ENV{$1} = $2;
close($fh);
SendOutput($stream, "FILEINFO: $_");

The programmer takes care to call a specific "ls" program and sets the HOMEDIR to a fixed value. However, an attacker can use a command such as "ENV HOMEDIR /secret/directory" to specify an alternate directory, enabling a path traversal attack (CWE-22). At the same time, other attacks are enabled as well, such as OS command injection (CWE-78) by setting HOMEDIR to a value such as "/tmp; rm -rf /". In this case, the programmer never intends for HOMEDIR to be modified, so input validation for HOMEDIR is not the solution. A partial solution would be a whitelist that only allows the LANG variable to be specified in the ENV command. Alternately, assuming this is an authenticated user, the language could be stored in a local file so that no ENV command at all would be needed.

While this example may not appear realistic, this type of problem shows up in code fairly frequently. See CVE-1999-0073 in the observed examples for a real-world example with similar behaviors.

Overview

Type

Juniper

First reported 3 years ago

2022-01-19 01:15:00

Last updated 3 years ago

2022-01-28 19:53:00

Affected Software

Juniper JunOS 16.1 R1

16.1

Juniper JunOS 16.1 R2

16.1

Juniper JunOS 16.1 R3

16.1

Juniper Junos 16.1 R3-S10

16.1

Juniper Junos OS 16.1 R3-S11

16.1

Juniper JunOS 16.1 R4

16.1

Juniper JUNOS 16.1 R4-S12

16.1

Juniper JUNOS 16.1 R4-S2

16.1

Juniper Junos 16.1 R4-S3

16.1

Juniper Junos 16.1 R4-S4

16.1

Juniper JUNOS 16.1 R4-S6

16.1

Juniper Junos 16.1 R5

16.1

Juniper Junos 16.1 R5-S4

16.1

Juniper Junos 16.1 R6-S1

16.1

Juniper Junos 16.1 R6-s6

16.1

Juniper Junos 16.1 R7

16.1

Juniper JUNOS 16.1 R7-S2

16.1

Juniper JUNOS 16.1 R7-S3

16.1

Juniper JUNOS 16.1R7-S4

16.1

Juniper JUNOS 16.1R7-S5

16.1

Juniper JUNOS 16.1 R7-S6

16.1

Juniper JUNOS 16.1 R7-S7

16.1

Juniper JUNOS 16.1X65

16.1x65

Juniper Junos OS 16.1X65

16.1x65

Juniper JUNOS 16.1X65-D48

16.1x65

Juniper JUNOS 16.1x70

16.1x70

Juniper JUNOS 16.2

16.2

Juniper JunOS 16.2 R1

16.2

Juniper JunOS 16.2 R2

16.2

Juniper Junos 16.2 R2-S1

16.2

Juniper JUNOS 16.2 R2-S10

16.2

Juniper JUNOS 16.2 R2-S2

16.2

Juniper Junos 16.2 R2-S5

16.2

Juniper JUNOS 16.2 R2-S6

16.2

Juniper JUNOS 16.2 R2-S7

16.2

Juniper JUNOS 16.2R2-S8

16.2

Juniper JUNOS 16.2 R2-S9

16.2

Juniper JUNOS 16.2R3

16.2

Juniper JUNOS 17.1

17.1

Juniper JunOS 17.1 R1

17.1

Juniper Junos 17.1 R2

17.1

Juniper Junos 17.1 R2-S1

17.1

Juniper JUNOS 17.1 R2-S10

17.1

Juniper JUNOS 17.1 R2-S11

17.1

Juniper JUNOS 17.1 R2-S2

17.1

Juniper JUNOS 17.1 R2-S3

17.1

Juniper JUNOS 17.1 R2-S4

17.1

Juniper JUNOS 17.1 R2-S5

17.1

Juniper JUNOS 17.1 R2-S6

17.1

Juniper Junos 17.1 R2-S7

17.1

Juniper Junos OS 17.1 R2-S8

17.1

Juniper JunOS 17.1 R2-s9

17.1

Juniper JUNOS 17.1 R3-S1

17.1

Juniper JUNOS 17.2

17.2

Juniper Junos 17.2 R1

17.2

Juniper JUNOS 17.2 R1-s1

17.2

Juniper JUNOS 17.2 R1-S2

17.2

Juniper JUNOS 17.2 R1-s3

17.2

Juniper JUNOS 17.2 R1-S4

17.2

Juniper JUNOS 17.2 R1-s5

17.2

Juniper Junos 17.2 R1-S7

17.2

Juniper JUNOS 17.2 R1-S8

17.2

Juniper Junos 17.2 R2

17.2

Juniper JUNOS 17.2 R2-S11

17.2

Juniper JUNOS 17.2 R2-S6

17.2

Juniper JUNOS 17.2 R2-S7

17.2

Juniper JUNOS 17.2R3-S1

17.2

Juniper JUNOS 17.2 R3-S2

17.2

Juniper JUNOS 17.2 R3-S3

17.2

Juniper JUNOS 17.2X75

17.2x75

Juniper Junos OS 17.2X75

17.2x75

Juniper JUNOS 17.2X75-D102

17.2x75

Juniper Junos 17.2x75 D110

17.2x75

Juniper Junos 17.2x75 D50

17.2x75

Juniper Junos 17.2x75 D70

17.2x75

Juniper JUNOS 17.2X75-D92

17.2x75

Juniper JUNOS 17.3

17.3

Juniper JUNOS 17.3 R1-S1

17.3

Juniper Junos 17.3 R2

17.3

Juniper JUNOS 17.3 R2-S1

17.3

Juniper JUNOS 17.3R2-S2

17.3

Juniper Junos OS 17.3 R2-S3

17.3

Juniper JUNOS 17.3 R2-S4

17.3

Juniper JunOS 17.3 R3

17.3

Juniper JUNOS 17.3 R3-S1

17.3

Juniper JUNOS 17.3 R3-S2

17.3

Juniper JUNOS 17.3 R3-S3

17.3

Juniper JUNOS 17.3R3-S4

17.3

Juniper JUNOS 17.3 R3-S7

17.3

Juniper JUNOS 17.4

17.4

Juniper Junos 17.4 R1

17.4

Juniper JUNOS 17.4 R1-S1

17.4

Juniper JUNOS 17.4 R1-S2

17.4

Juniper JUNOS 17.4R1-S4

17.4

Juniper JunOS 17.4 R1-s5

17.4

Juniper JUNOS 17.4 R1-S6

17.4

Juniper JUNOS 17.4R1-S7

17.4

Juniper Junos 17.4 R2

17.4

Juniper JUNOS 17.4 R2-S1

17.4

Juniper JUNOS 17.4 R2-S10

17.4

Juniper Junos 17.4 R2-S2

17.4

Juniper JUNOS 17.4 R2-S3

17.4

Juniper JUNOS 17.4R2-S4

17.4

Juniper JUNOS 17.4 R2-S5

17.4

Juniper JUNOS 17.4 R2-S6

17.4

Juniper JUNOS 17.4 R2-S7

17.4

Juniper JUNOS 17.4 R2-S8

17.4

Juniper JUNOS 17.4 R2-S9

17.4

Juniper JUNOS 17.4 R3

17.4

Juniper JUNOS 17.4 R3-S1

17.4

Juniper JUNOS 18.1

18.1

Juniper JUNOS 18.1R2

18.1

Juniper JUNOS R2-S1

18.1

Juniper JUNOS R2-S2

18.1

Juniper JUNOS 18.1 R2-S4

18.1

Juniper JUNOS 18.1 R3

18.1

Juniper JunOS 18.1 R3-s1

18.1

Juniper JUNOS 18.1 R3-S2

18.1

Juniper JUNOS 18.1 R3-S3

18.1

Juniper JUNOS 18.1R3-S4

18.1

Juniper JUNOS 18.1 R3-S6

18.1

Juniper JUNOS 18.1 R3-S7

18.1

Juniper JUNOS 18.1 R3-S8

18.1

Juniper JUNOS 18.1 R3-S9

18.1

Juniper JUNOS 18.1x75 -

18.1x75

Juniper JUNOS 18.1x75 D10

18.1x75

Juniper JUNOS 18.2

18.2

Juniper JunOS 18.2 R1

18.2

Juniper JunOS 18.2 R1-S3

18.2

Juniper JUNOS 18.2 R1-S5

18.2

Juniper JUNOS 18.2 R2-S1

18.2

Juniper JUNOS 18.2R2-S2

18.2

Juniper JUNOS 18.2R2-S3

18.2

Juniper JUNOS18.2 R2-S4

18.2

Juniper JUNOS 18.2 R2-S5

18.2

Juniper JUNOS 18.2 R2-S6

18.2

Juniper JUNOS 18.2R3

18.2

Juniper JUNOS 18.2 R3-S1

18.2

Juniper JUNOS 18.2 R3-S2

18.2

Juniper JUNOS 18.2 R3-S3

18.2

Juniper JUNOS 18.2X75

18.2x75

Juniper Junos 18.2x75 -

18.2x75

Juniper JUNOS 18.2x75 D20

18.2x75

Juniper JUNOS 18.2x75 D30

18.2x75

Juniper JUNOS 18.2X75-D40

18.2x75

Juniper JunOS 18.2x75-d10

18.2x75-d10

Juniper JUNOS 18.3

18.3

Juniper JUNOS 18.3 R1

18.3

Juniper JUNOS 18.3 R1-S1

18.3

Juniper JUNOS 18.3 R1-S2

18.3

Juniper JUNOS 18.3R1-S3

18.3

Juniper JUNOS 18.3 R1-S5

18.3

Juniper JUNOS 18.3 R1-S6

18.3

Juniper JUNOS 18.3 R2

18.3

Juniper JUNOS 18.3 R2-S1

18.3

Juniper JUNOS 18.3 R2-S2

18.3

Juniper JUNOS 18.3 R2-S3

18.3

Juniper JUNOS 18.3 R3

18.3

Juniper JUNOS 18.3 R3-S1

18.3

Juniper JUNOS 18.4

18.4

Juniper JunOS 18.4 R1

18.4

Juniper Junos OS 18.4 R1-S1

18.4

Juniper JUNOS 18.4R1-S2

18.4

Juniper JUNOS 18.4 R1-S5

18.4

Juniper JUNOS 18.4 R1-S6

18.4

Juniper JUNOS 18.4R2

18.4

Juniper JUNOS 18.4 R2-S1

18.4

Juniper JUNOS 18.4 R2-S2

18.4

Juniper JUNOS 18.4 R2-S3

18.4

Juniper Junos OS 19.1

19.1

Juniper Junos OS 19.1 R1

19.1

Juniper Junos OS 19.1 R1-s1

19.1

Juniper JUNOS 19.1 R1-S2

19.1

Juniper JUNOS 19.1 R1-S3

19.1

Juniper JUNOS 19.1 R1-S4

19.1

Juniper Junos OS 19.1 R2

19.1

Juniper Junos OS 19.2

19.2

Juniper Junos OS 19.2 R1

19.2

Juniper JUNOS 19.2 R1-S1

19.2

Juniper JUNOS 19.2 R1-S2

19.2

Juniper JUNOS 19.2 R1-S3

19.2

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.