Insufficient Session Expiration in Juniper Junos OS Evolved



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-1666
CWE-ID CWE-613
Exploitation vector Local
Public exploit N/A
Vulnerable software
Junos OS Evolved
Operating systems & Components / Operating system

Vendor Juniper Networks, Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Insufficient Session Expiration

EUVDB-ID: #VU47668

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-1666

CWE-ID: CWE-613 - Insufficient Session Expiration

Exploit availability: No

Description

The vulnerability allows a local attacker to gain access to sensitive information.

The vulnerability exists due to the system console configuration option "log-out-on-disconnect" fails to log out an active CLI session when the console cable is disconnected. An attacker with physical access can resume a previous interactive session and possibly gain administrative privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Junos OS Evolved: 18.4R1-EVO

CPE2.3 External links

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA11063&cat=SIRT_1&actp=LIST


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###