Juniper Networks Session Smart Products Authentication Bypass Vulnerability Allowing Administrative Control
Vulnerability
An authentication bypass vulnerability using an alternate path or channel has been identified in Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers. It may enable a network-based attacker to bypass authentication and gain administrative control over the affected device. The issue affects Session Smart Router versions from 5.6.7 prior to 5.6.17, 6.0 prior to 6.0.8, 6.1 prior to 6.1.12-lts, 6.2 prior to 6.2.8-lts, and 6.3 prior to 6.3.3-r2. The same version ranges apply to Session Smart Conductor and WAN Assurance Managed Routers.
Impact
Exploitation of this vulnerability allows for authentication bypass, enabling unauthorized users to gain administrative access and control over the affected device.
Remediation
Users are advised to upgrade to Juniper Networks Session Smart Router versions 6.1.12-lts, 6.2.8-lts, 6.3.3-r2, or 5.6.17. In a Conductor-managed deployment, only the Conductor nodes need to be upgraded, as the fix will automatically apply to all connected routers. For WAN Assurance Managed Routers, the vulnerability has been patched automatically on devices connected to the Mist Cloud, but they should still be upgraded to a version containing the fix.
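The affected ranges above can be checked against a device inventory. The following is an added example, not Juniper's code or tooling: it assumes version strings in the form printed in this advisory (MAJOR.MINOR.PATCH with optional -rN and -lts suffixes), assumes a version with no -rN suffix sorts before -r1, and uses constructed hostnames and versions.

```python
import re

# Affected ranges exactly as stated in the advisory text:
# (major, minor) -> (first affected, first fixed), each as (patch, revision).
AFFECTED = {
    (5, 6): ((7, 0), (17, 0)),   # from 5.6.7, prior to 5.6.17
    (6, 0): ((0, 0), (8, 0)),    # 6.0 prior to 6.0.8
    (6, 1): ((0, 0), (12, 0)),   # 6.1 prior to 6.1.12-lts
    (6, 2): ((0, 0), (8, 0)),    # 6.2 prior to 6.2.8-lts
    (6, 3): ((0, 0), (3, 2)),    # 6.3 prior to 6.3.3-r2
}

# Assumed string format: MAJOR.MINOR.PATCH[-rN][-lts]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?(?:-lts)?$")

def classify(version):
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        return "unparseable"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rev = int(m.group(4) or 0)   # assumption: no -rN sorts before -r1
    bounds = AFFECTED.get((major, minor))
    if bounds is None or (patch, rev) < bounds[0]:
        # Release train or version the advisory does not mention:
        # report it for manual review instead of calling it safe.
        return "not-listed"
    return "affected" if (patch, rev) < bounds[1] else "fixed"

def triage(inventory):
    """Map each host that is not on a fixed release to its status."""
    findings = {}
    for host, version in inventory.items():
        status = classify(version)
        if status != "fixed":
            findings[host] = status
    return findings

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "conductor-a": "6.1.11-lts",
    "router-b": "6.3.3-r2",
    "router-c": "6.3.3-r1",
    "router-d": "5.6.17",
    "router-e": "6.4.0",
    "router-f": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as not-listed or unparseable need a manual check against the vendor advisory; the script only encodes the ranges given on this page.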
