Insufficient Session Expiration in Juniper Junos OS Evolved



Published: 2020-10-15
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2020-1666
CWE ID CWE-613
Exploitation vector Local
Public exploit N/A
Vulnerable software
Subscribe
Junos OS Evolved
Operating systems & Components / Operating system

Vendor Juniper Networks, Inc.

Security Advisory

This security advisory describes one low risk vulnerability.

1) Insufficient Session Expiration

Risk: Low

CVSSv3: 5.8 [CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2020-1666

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists due to the system console configuration option "log-out-on-disconnect" fails to log out an active CLI session when the console cable is disconnected. An attacker with physical access can resume a previous interactive session and possibly gain administrative privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Junos OS Evolved: -, 18.4R1-EVO

CPE External links

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11063&cat=SIRT_1&actp=LIST

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.