Juniper Networks Junos OS Missing Authentication Vulnerability Allowing Privileged Local User to Escalate to Root on Linux-Based Line Cards

A vulnerability allowing missing authentication for critical functions has been identified in Juniper Networks Junos OS. This issue affects systems running Junos OS on Linux-based line cards, including various models such as MPC7, MPC8, MPC9, MPC10, MPC11, and several others. The vulnerability allows a privileged local attacker to gain root access on the affected line cards. This access is achieved by executing a script as root during the boot-up process of the line card, without the need for a root password. The vulnerability is present in all versions of Junos OS prior to 22.4R3-S8, as well as specific ranges in versions 23.x, 24.x, and 25.2.

Impact

Exploitation of this vulnerability allows a privileged local user to gain root access on the affected line card, with full control over the card and persistence across reboots. This root access on the line card translates to root access on the entire router, due to low accounting on the Linux-based line cards and the absence of certain security features.

Reproduction

The vulnerability can be reproduced by a local user with high privileges, such as 'shell' or 'maintenance' access. The user can launch a script that is executed as root when the line card boots up, thereby gaining root access. This has been confirmed on Junos OS version 23.4R2-S3.9 on an MX480 router with an MPC10 line card, but other versions and line cards may also be vulnerable.

Remediation

Users can upgrade to Junos OS versions 22.4R3-S8, 23.2R2-S6, 23.4R2-S6, 24.2R2-S3, 24.4R2, 25.2R2, 25.4R1, or any subsequent release to address this vulnerability.