Junos OS and Junos OS Evolved update for cURL



Published: 2024-04-12
Risk High
Patch available YES
Number of vulnerabilities 9
CVE-ID CVE-2023-38545
CVE-2023-38546
CVE-2023-23914
CVE-2023-23915
CVE-2020-8284
CVE-2020-8285
CVE-2020-8286
CVE-2018-1000120
CVE-2018-1000122
CWE-ID CWE-122
CWE-73
CWE-319
CWE-200
CWE-674
CWE-299
CWE-126
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe 		Juniper Junos OS
Operating systems & Components / Operating system

Junos OS Evolved
Operating systems & Components / Operating system

Vendor Juniper Networks, Inc.

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU81865

Risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2023-38545

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the SOCKS5 proxy handshake. A remote attacker can trick the victim to visit a malicious website, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that SOCKS5 proxy is used and that SOCKS5 handshake is slow (e.g. under heavy load or DoS attack).

Mitigation

Install update from vendor's website.

Vulnerable software versions

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) External control of file name or path

EUVDB-ID: #VU81863

Risk: Low

CVSSv3.1: 2.3 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38546

CWE-ID: CWE-73 - External Control of File Name or Path

Exploit availability: No

Description

The vulnerability allows an attacker to inject arbitrary cookies into request.

The vulnerability exists due to the way cookies are handled by libcurl. If a transfer has cookies enabled when the handle is duplicated, the cookie-enable state is also cloned - but without cloning the actual cookies. If the source handle did not read any cookies from a specific file on disk, the cloned version of the handle would instead store the file name as none (using the four ASCII letters, no quotes).

Subsequent use of the cloned handle that does not explicitly set a source to load cookies from would then inadvertently load cookies from a file named none - if such a file exists and is readable in the current directory of the program using libcurl.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cleartext transmission of sensitive information

EUVDB-ID: #VU72335

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23914

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to state issues when handling multiple requests, which results in ignoring HSTS support. A remote attacker can perform MitM attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Cleartext transmission of sensitive information

EUVDB-ID: #VU72336

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23915

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to state issues when handling multiple transfers in parallel, which results in ignoring HSTS support. A remote attacker can perform MitM attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Information disclosure

EUVDB-ID: #VU48893

Risk: Medium

CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8284

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the way cURL handles PASV responses. A remote attacker with control over malicious FTP server can use the PASV response to trick curl into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Uncontrolled Recursion

EUVDB-ID: #VU48894

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8285

CWE-ID: CWE-674 - Uncontrolled Recursion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due tu uncontrolled recursion when processing FTP responses within the wildcard matching functionality, which allows a callback (set with <a href="https://curl.se/libcurl/c/CURLOPT_CHUNK_BGN_FUNCTION.html">CURLOPT_CHUNK_BGN_FUNCTION</a>) to return information back to libcurl on how to handle a specific entry in a directory when libcurl iterates over a list of all available entries. A remote attacker who controls the malicious FTP server can trick the victim to connect to it and crash the application, which is using the affected libcurl version.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper Check for Certificate Revocation

EUVDB-ID: #VU48895

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8286

CWE-ID: CWE-299 - Improper Check for Certificate Revocation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to incorrectly implemented checks for OCSP stapling. A remote attacker can provide a fraudulent OCSP response that would appear fine, instead of the real one.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

Juniper Junos OS: before 24.1R1

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Heap-based buffer overflow

EUVDB-ID: #VU11111

Risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000120

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to heap-based buffer overflow. A remote attacker that can control the paths that curl uses for FTP can create specially crafted path names containing the control characters '%00', trigger memory corruption and execute arbitrary code.


Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Buffer over-read

EUVDB-ID: #VU11108

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1000122

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition.

The weakness exists due to buffer over-read. A remote attacker can cause the target application to trigger a buffer copy error in processing RTSP URLs and cause the application to crash or access potentially sensitive information on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Junos OS Evolved: 21.4R1-EVO - 22.4R2-EVO

External links

http://supportportal.juniper.net/s/article/2024-04-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-Multiple-cURL-vulnerabilities-resolved


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###