FastNetMon
- <= 1.2.9
A configuration injection vulnerability has been identified in FastNetMon Community Edition versions through 1.2.9, specifically within the Juniper router integration plugin. The vulnerability arises because the $IP_ATTACK variable, sourced from command-line arguments, is directly inserted into Juniper NETCONF set-configuration commands without any validation or sanitization. This flaw allows an attacker to inject additional Junos CLI commands by embedding newline characters followed by arbitrary set or delete commands. Exploitation of this vulnerability could lead to unauthorized modifications of the router's configuration, including the routing table, firewall filters, and user accounts, potentially resulting in a full compromise of the affected router.
Successful exploitation allows for full compromise of the affected Juniper router, with the injected commands executed in the same NETCONF session and privileges as the account used by the FastNetMon plugin, typically a privileged operator or super-user.
The vulnerability can be reproduced by controlling the IP address input to the FastNetMon Juniper plugin. This can be done by invoking the plugin with a crafted IP address that includes newline characters and additional Junos commands. Once the plugin processes this input, the injected commands will be executed on the router, exploiting the lack of input validation.
Users can validate the IP address format in a wrapper script before calling the FastNetMon Juniper plugin. Additionally, restricting the NETCONF account's privileges can mitigate the impact of any potential exploitation.
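One way to write the wrapper described above, as an added example that is not part of the advisory or of FastNetMon's own code. It assumes the attack IP arrives as the first command-line argument and that the remaining arguments are passed through unchanged; PLUGIN is a placeholder path and clean_ip, has_control_chars and main are names chosen for this sketch.

```python
#!/usr/bin/env python3
"""Wrapper that validates the attack IP before handing it to the plugin."""
import ipaddress
import os
import re
import sys

# Placeholder path (assumption): set to the Juniper plugin in your install.
PLUGIN = "/path/to/juniper-plugin"

# Only characters a bare IPv4/IPv6 literal can contain. fullmatch() is used
# because "^...$" with re.match() still accepts a trailing newline.
_IP_CHARS = re.compile(r"[0-9A-Fa-f:.]{2,45}")


def clean_ip(raw):
    """Return the canonical address text, or None if raw is not a bare IP."""
    if not isinstance(raw, str) or not _IP_CHARS.fullmatch(raw):
        # Also rejects IPv6 zone IDs ("%..."): Python 3.9+ ipaddress accepts
        # arbitrary text after "%", so they are refused before parsing.
        return None
    try:
        return str(ipaddress.ip_address(raw))
    except ValueError:
        return None


def has_control_chars(arg):
    """True if arg contains a newline or any other ASCII control character."""
    return any(ord(c) < 32 or ord(c) == 127 for c in arg)


def main(argv):
    # Assumption: argv[1] is the attack IP; the rest is passed through.
    if len(argv) < 2:
        return 2
    ip = clean_ip(argv[1])
    if ip is None or any(has_control_chars(a) for a in argv[2:]):
        sys.stderr.write("rejected plugin arguments: %r\n" % (argv[1:],))
        return 2
    # execv passes an argument vector, so no shell re-parses the values.
    os.execv(PLUGIN, [PLUGIN, ip] + argv[2:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The wrapper forwards the canonical string produced by the parser rather than the original argument, so the plugin only ever receives text that round-tripped through address parsing.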