CVE-2018-0052: Junos OS: Unauthenticated remote root access possible when RSH service is enabled
First published: Wed Oct 10 2018(Updated: )
If RSH service is enabled on Junos OS and if the PAM authentication is disabled, a remote unauthenticated attacker can obtain root access to the device. RSH service is disabled by default on Junos. There is no documented CLI command to enable this service. However, an undocumented CLI command allows a privileged Junos user to enable RSH service and disable PAM, and hence expose the system to unauthenticated root access. When RSH is enabled, the device is listing to RSH connections on port 514. This issue is not exploitable on platforms where Junos release is based on FreeBSD 10+. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D75 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on QFX/EX Series; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D131, 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400 Series; 15.1X53 versions prior to 15.1X53-D67 on QFX10K Series; 15.1X53 versions prior to 15.1X53-D233 on QFX5200/QFX5110 Series; 15.1X53 versions prior to 15.1X53-D471, 15.1X53-D490 on NFX Series; 16.1 versions prior to 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7; 16.2 versions prior to 16.2R2-S5; 17.1 versions prior to 17.1R1-S7, 17.1R2-S7, 17.1R3; 17.2 versions prior to 17.2R1-S6, 17.2R2-S4, 17.2R3; 17.2X75 versions prior to 17.2X75-D110, 17.2X75-D91; 17.3 versions prior to 17.3R1-S4, 17.3R2-S2, 17.3R3; 17.4 versions prior to 17.4R1-S3, 17.4R2; 18.2X75 versions prior to 18.2X75-D5.
Credit: sirt@juniper.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Junos OS Evolved | =12.1x46 | |
| Junos OS Evolved | =12.1x46-d10 | |
| Junos OS Evolved | =12.1x46-d15 | |
| Junos OS Evolved | =12.1x46-d20 | |
| Junos OS Evolved | =12.1x46-d25 | |
| Junos OS Evolved | =12.1x46-d30 | |
| Junos OS Evolved | =12.1x46-d35 | |
| Junos OS Evolved | =12.1x46-d40 | |
| Junos OS Evolved | =12.1x46-d45 | |
| Junos OS Evolved | =12.1x46-d50 | |
| Junos OS Evolved | =12.1x46-d55 | |
| Junos OS Evolved | =12.1x46-d60 | |
| Junos OS Evolved | =12.1x46-d65 | |
| Junos OS Evolved | =12.3 | |
| Junos OS Evolved | =12.3-r1 | |
| Junos OS Evolved | =12.3-r11 | |
| Junos OS Evolved | =12.3-r2 | |
| Junos OS Evolved | =12.3-r3 | |
| Junos OS Evolved | =12.3-r4 | |
| Junos OS Evolved | =12.3-r5 | |
| Junos OS Evolved | =12.3-r6 | |
| Junos OS Evolved | =12.3-r7 | |
| Junos OS Evolved | =12.3-r8 | |
| Junos OS Evolved | =12.3-r9 | |
| Junos OS Evolved | =12.3x48 | |
| Junos OS Evolved | =12.3x48-d10 | |
| Junos OS Evolved | =12.3x48-d15 | |
| Junos OS Evolved | =12.3x48-d20 | |
| Junos OS Evolved | =12.3x48-d25 | |
| Junos OS Evolved | =12.3x48-d30 | |
| Junos OS Evolved | =12.3x48-d35 | |
| Junos OS Evolved | =12.3x48-d40 | |
| Junos OS Evolved | =12.3x48-d45 | |
| Junos OS Evolved | =12.3x48-d50 | |
| Junos OS Evolved | =12.3x48-d55 | |
| Junos OS Evolved | =12.3x48-d60 | |
| Junos OS Evolved | =12.3x48-d65 | |
| Junos OS Evolved | =12.3x48-d70 | |
| Junos OS Evolved | =14.1x53 | |
| Junos OS Evolved | =14.1x53-d10 | |
| Junos OS Evolved | =14.1x53-d121 | |
| Junos OS Evolved | =14.1x53-d15 | |
| Junos OS Evolved | =14.1x53-d16 | |
| Junos OS Evolved | =14.1x53-d25 | |
| Junos OS Evolved | =14.1x53-d26 | |
| Junos OS Evolved | =14.1x53-d27 | |
| Junos OS Evolved | =14.1x53-d30 | |
| Junos OS Evolved | =14.1x53-d35 | |
| Junos OS Evolved | =14.1x53-d40 | |
| Junos OS Evolved | =14.1x53-d42 | |
| Junos OS Evolved | =14.1x53-d43 | |
| Junos OS Evolved | =14.1x53-d44 | |
| Junos OS Evolved | =14.1x53-d45 | |
| Junos OS Evolved | =14.1x53-d46 | |
| Junos OS Evolved | =15.1 | |
| Junos OS Evolved | =15.1-r1 | |
| Junos OS Evolved | =15.1-r2 | |
| Junos OS Evolved | =15.1-r3 | |
| Junos OS Evolved | =15.1-r6-s6 | |
| Junos OS Evolved | =15.1-r7 | |
| Junos OS Evolved | =15.1x49 | |
| Junos OS Evolved | =15.1x49-d10 | |
| Junos OS Evolved | =15.1x49-d100 | |
| Junos OS Evolved | =15.1x49-d110 | |
| Junos OS Evolved | =15.1x49-d120 | |
| Junos OS Evolved | =15.1x49-d140 | |
| Junos OS Evolved | =15.1x49-d20 | |
| Junos OS Evolved | =15.1x49-d30 | |
| Junos OS Evolved | =15.1x49-d35 | |
| Junos OS Evolved | =15.1x49-d40 | |
| Junos OS Evolved | =15.1x49-d45 | |
| Junos OS Evolved | =15.1x49-d50 | |
| Junos OS Evolved | =15.1x49-d55 | |
| Junos OS Evolved | =15.1x49-d60 | |
| Junos OS Evolved | =15.1x49-d65 | |
| Junos OS Evolved | =15.1x49-d70 | |
| Junos OS Evolved | =15.1x49-d75 | |
| Junos OS Evolved | =15.1x49-d80 | |
| Junos OS Evolved | =15.1x49-d90 | |
| Junos OS Evolved | =15.1x53 | |
| Junos OS Evolved | =15.1x53-d50 | |
| Junos OS Evolved | =15.1x53-d51 | |
| Junos OS Evolved | =15.1x53-d52 | |
| Junos OS Evolved | =15.1x53-d55 | |
| Junos OS Evolved | =15.1x53-d57 | |
| Junos OS Evolved | =15.1x53-d58 | |
| Juniper EX2300-24T | ||
| Juniper EX3400 | ||
| Junos OS Evolved | =15.1x53-d10 | |
| Junos OS Evolved | =15.1x53-d20 | |
| Junos OS Evolved | =15.1x53-d21 | |
| Junos OS Evolved | =15.1x53-d30 | |
| Junos OS Evolved | =15.1x53-d32 | |
| Junos OS Evolved | =15.1x53-d33 | |
| Junos OS Evolved | =15.1x53-d34 | |
| Junos OS Evolved | =15.1x53-d60 | |
| Junos OS Evolved | =15.1x53-d61 | |
| Junos OS Evolved | =15.1x53-d62 | |
| Junos OS Evolved | =15.1x53-d63 | |
| Junos OS Evolved | =15.1x53-d64 | |
| Junos OS Evolved | =15.1x53-d65 | |
| Junos OS Evolved | =15.1x53-d66 | |
| Juniper Networks QFX-Series | ||
| Junos OS Evolved | =15.1x53-d210 | |
| Junos OS Evolved | =15.1x53-d230 | |
| Junos OS Evolved | =15.1x53-d231 | |
| Junos OS Evolved | =15.1x53-d232 | |
| Juniper QFX5110 | ||
| Juniper QFX5200-32C | ||
| Junos OS Evolved | =15.1x53-d40 | |
| Junos OS Evolved | =15.1x53-d45 | |
| Junos OS Evolved | =15.1x53-d490 | |
| Juniper NFX | ||
| Juniper NFX | ||
| Junos OS Evolved | =16.1 | |
| Junos OS Evolved | =16.1-r1 | |
| Junos OS Evolved | =16.1-r2 | |
| Junos OS Evolved | =16.1-r3 | |
| Junos OS Evolved | =16.1-r4-s9 | |
| Junos OS Evolved | =16.1-r5-s4 | |
| Junos OS Evolved | =16.1-r6-s4 | |
| Junos OS Evolved | =16.1-r7 | |
| Junos OS Evolved | =16.2 | |
| Junos OS Evolved | =16.2-r1 | |
| Junos OS Evolved | =17.1 | |
| Junos OS Evolved | =17.1-r2-s7 | |
| Junos OS Evolved | =17.1-r3 | |
| Junos OS Evolved | =17.2 | |
| Junos OS Evolved | =17.2-r1 | |
| Junos OS Evolved | =17.2-r2 | |
| Junos OS Evolved | =17.2x75 | |
| Junos OS Evolved | =17.2x75-d91 | |
| Junos OS Evolved | =17.3 | |
| Junos OS Evolved | =17.3-r2-s2 | |
| Junos OS Evolved | =17.3-r3 | |
| Junos OS Evolved | =17.4 | |
| Junos OS Evolved | =17.4-r2 | |
| Junos OS Evolved | =18.2x75 |
Remedy
This CLI option has been removed from the fixed Junos releases. The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D75, 14.1X53-D47, 15.1R4-S9, 15.1R6-S6, 15.1R7, 15.1X49-D131, 15.1X49-D140, 15.1X53-D233, 15.1X53-D471, 15.1X53-D490, 15.1X53-D59, 15.1X53-D67, 16.1R3-S9, 16.1R4-S9, 16.1R5-S4, 16.1R6-S4, 16.1R7, 16.2R2-S5, 17.1R1-S7, 17.1R2-S7, 17.1R3, 17.2R1-S6, 17.2R2-S4, 17.2R3, 17.2X75-D110, 17.2X75-D91, 17.3R1-S4, 17.3R2-S2, 17.3R3, 17.4R1-S3, 17.4R2, 18.1R1, 18.2R1, 18.2X75-D5, and all subsequent releases.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2018-0052?
CVE-2018-0052 has a high severity rating due to the potential for root access by unauthenticated remote attackers.
How do I fix CVE-2018-0052?
To mitigate CVE-2018-0052, disable the RSH service if it is enabled and ensure PAM authentication is configured properly.
Which versions of Junos OS are affected by CVE-2018-0052?
CVE-2018-0052 affects several versions of Junos OS, including 12.1x46 and multiple releases of 12.3, 14.1x53, and later versions up to 17.4.
Is the RSH service enabled by default on Junos OS, according to CVE-2018-0052?
No, the RSH service is disabled by default on Junos OS, but it can be enabled through undocumented methods.
Who can exploit CVE-2018-0052?
CVE-2018-0052 can be exploited by remote unauthenticated attackers who can access the device remotely.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/title
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/juniper
- canonical/junos os evolved
- version/junos os evolved/12.1x46
- version/junos os evolved/12.1x46-d10
- version/junos os evolved/12.1x46-d15
- version/junos os evolved/12.1x46-d20
- version/junos os evolved/12.1x46-d25
- version/junos os evolved/12.1x46-d30
- version/junos os evolved/12.1x46-d35
- version/junos os evolved/12.1x46-d40
- version/junos os evolved/12.1x46-d45
- version/junos os evolved/12.1x46-d50
- version/junos os evolved/12.1x46-d55
- version/junos os evolved/12.1x46-d60
- version/junos os evolved/12.1x46-d65
- version/junos os evolved/12.3
- version/junos os evolved/12.3-r1
- version/junos os evolved/12.3-r11
- version/junos os evolved/12.3-r2
- version/junos os evolved/12.3-r3
- version/junos os evolved/12.3-r4
- version/junos os evolved/12.3-r5
- version/junos os evolved/12.3-r6
- version/junos os evolved/12.3-r7
- version/junos os evolved/12.3-r8
- version/junos os evolved/12.3-r9
- version/junos os evolved/12.3x48
- version/junos os evolved/12.3x48-d10
- version/junos os evolved/12.3x48-d15
- version/junos os evolved/12.3x48-d20
- version/junos os evolved/12.3x48-d25
- version/junos os evolved/12.3x48-d30
- version/junos os evolved/12.3x48-d35
- version/junos os evolved/12.3x48-d40
- version/junos os evolved/12.3x48-d45
- version/junos os evolved/12.3x48-d50
- version/junos os evolved/12.3x48-d55
- version/junos os evolved/12.3x48-d60
- version/junos os evolved/12.3x48-d65
- version/junos os evolved/12.3x48-d70
- version/junos os evolved/14.1x53
- version/junos os evolved/14.1x53-d10
- version/junos os evolved/14.1x53-d121
- version/junos os evolved/14.1x53-d15
- version/junos os evolved/14.1x53-d16
- version/junos os evolved/14.1x53-d25
- version/junos os evolved/14.1x53-d26
- version/junos os evolved/14.1x53-d27
- version/junos os evolved/14.1x53-d30
- version/junos os evolved/14.1x53-d35
- version/junos os evolved/14.1x53-d40
- version/junos os evolved/14.1x53-d42
- version/junos os evolved/14.1x53-d43
- version/junos os evolved/14.1x53-d44
- version/junos os evolved/14.1x53-d45
- version/junos os evolved/14.1x53-d46
- version/junos os evolved/15.1
- version/junos os evolved/15.1-r1
- version/junos os evolved/15.1-r2
- version/junos os evolved/15.1-r3
- version/junos os evolved/15.1-r6-s6
- version/junos os evolved/15.1-r7
- version/junos os evolved/15.1x49
- version/junos os evolved/15.1x49-d10
- version/junos os evolved/15.1x49-d100
- version/junos os evolved/15.1x49-d110
- version/junos os evolved/15.1x49-d120
- version/junos os evolved/15.1x49-d140
- version/junos os evolved/15.1x49-d20
- version/junos os evolved/15.1x49-d30
- version/junos os evolved/15.1x49-d35
- version/junos os evolved/15.1x49-d40
- version/junos os evolved/15.1x49-d45
- version/junos os evolved/15.1x49-d50
- version/junos os evolved/15.1x49-d55
- version/junos os evolved/15.1x49-d60
- version/junos os evolved/15.1x49-d65
- version/junos os evolved/15.1x49-d70
- version/junos os evolved/15.1x49-d75
- version/junos os evolved/15.1x49-d80
- version/junos os evolved/15.1x49-d90
- version/junos os evolved/15.1x53
- version/junos os evolved/15.1x53-d50
- version/junos os evolved/15.1x53-d51
- version/junos os evolved/15.1x53-d52
- version/junos os evolved/15.1x53-d55
- version/junos os evolved/15.1x53-d57
- version/junos os evolved/15.1x53-d58
- canonical/juniper ex2300-24t
- canonical/juniper ex3400
- version/junos os evolved/15.1x53-d10
- version/junos os evolved/15.1x53-d20
- version/junos os evolved/15.1x53-d21
- version/junos os evolved/15.1x53-d30
- version/junos os evolved/15.1x53-d32
- version/junos os evolved/15.1x53-d33
- version/junos os evolved/15.1x53-d34
- version/junos os evolved/15.1x53-d60
- version/junos os evolved/15.1x53-d61
- version/junos os evolved/15.1x53-d62
- version/junos os evolved/15.1x53-d63
- version/junos os evolved/15.1x53-d64
- version/junos os evolved/15.1x53-d65
- version/junos os evolved/15.1x53-d66
- canonical/juniper networks qfx-series
- version/junos os evolved/15.1x53-d210
- version/junos os evolved/15.1x53-d230
- version/junos os evolved/15.1x53-d231
- version/junos os evolved/15.1x53-d232
- canonical/juniper qfx5110
- canonical/juniper qfx5200-32c
- version/junos os evolved/15.1x53-d40
- version/junos os evolved/15.1x53-d45
- version/junos os evolved/15.1x53-d490
- canonical/juniper nfx
- version/junos os evolved/16.1
- version/junos os evolved/16.1-r1
- version/junos os evolved/16.1-r2
- version/junos os evolved/16.1-r3
- version/junos os evolved/16.1-r4-s9
- version/junos os evolved/16.1-r5-s4
- version/junos os evolved/16.1-r6-s4
- version/junos os evolved/16.1-r7
- version/junos os evolved/16.2
- version/junos os evolved/16.2-r1
- version/junos os evolved/17.1
- version/junos os evolved/17.1-r2-s7
- version/junos os evolved/17.1-r3
- version/junos os evolved/17.2
- version/junos os evolved/17.2-r1
- version/junos os evolved/17.2-r2
- version/junos os evolved/17.2x75
- version/junos os evolved/17.2x75-d91
- version/junos os evolved/17.3
- version/junos os evolved/17.3-r2-s2
- version/junos os evolved/17.3-r3
- version/junos os evolved/17.4
- version/junos os evolved/17.4-r2
- version/junos os evolved/18.2x75