
CVE-2018-0057: Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address)

First published: Wed Oct 10 2018

On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile. In the problem scenario, with a hardware-address and IP address configured under the address-assignment pool, a subscriber logging in with DHCP Option 50 will not be assigned an available address from the matched pool, but will still get the requested IP address. A malicious DHCP subscriber may be able to use this vulnerability to create duplicate IP address assignments, leading to a denial of service for valid subscribers or unauthorized information disclosure via IP address assignment spoofing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S2, 15.1R8; 16.1 versions prior to 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S9, 17.1R3; 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3.
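The check that a correctly behaving address-assignment path performs, written up as an added defender-side example (not code from the advisory or from Juniper): parse a DHCP message, read the client hardware address and Option 50, and flag a request whose Option 50 address differs from the client's static binding. The binding table, MAC addresses and packet bytes are constructed sample data.

```python
import struct

# Constructed sample bindings, standing in for the hardware-address to IP
# entries of an address-assignment pool (not values from the advisory).
STATIC_BINDINGS = {
    "00:11:22:33:44:55": "10.0.0.10",
    "00:11:22:33:44:66": "10.0.0.11",
}

def parse_dhcp(packet: bytes) -> dict:
    """Extract the client hardware address and the TLV options of a DHCP message."""
    if len(packet) < 240 or packet[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("not a DHCP message (missing magic cookie)")
    hlen = packet[2]
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])
    options, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"mac": mac, "options": options}

def check_option50(packet: bytes, bindings: dict) -> dict:
    """Flag a request whose Option 50 address differs from the client's static binding.
    The advisory describes vulnerable releases honouring the request instead of the binding."""
    msg = parse_dhcp(packet)
    opt50 = msg["options"].get(50)
    requested = ".".join(str(b) for b in opt50) if opt50 and len(opt50) == 4 else None
    expected = bindings.get(msg["mac"])
    conflict = requested is not None and expected is not None and requested != expected
    return {"mac": msg["mac"], "requested": requested, "expected": expected, "conflict": conflict}

def build_request(mac: str, requested_ip: str) -> bytes:
    """Constructed DHCPREQUEST carrying Option 50, used only as test input."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x1234, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    sname_file = b"\0" * 192
    options = (b"\x63\x82\x53\x63"                                           # magic cookie
               + b"\x35\x01\x03"                                             # option 53: DHCPREQUEST
               + b"\x32\x04" + bytes(int(o) for o in requested_ip.split("."))  # option 50
               + b"\xff")
    return fixed + chaddr + sname_file + options
```

A result with `conflict` set is the case where a vulnerable authd would hand out the requested address rather than the bound one.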

Credit: sirt@juniper.net

Affected Software | Affected Version | How to fix
Juniper Junos | 15.1 |
Juniper Junos | 15.1-f2 |
Juniper Junos | 15.1-f3 |
Juniper Junos | 15.1-f4 |
Juniper Junos | 15.1-f5 |
Juniper Junos | 15.1-f6 |
Juniper Junos | 15.1-r1 |
Juniper Junos | 15.1-r2 |
Juniper Junos | 15.1-r3 |
Juniper Junos | 15.1-r4 |
Juniper Junos | 15.1-r5 |
Juniper Junos | 15.1-r6 |
Juniper Junos | 16.1 |
Juniper Junos | 16.1-r1 |
Juniper Junos | 16.1-r2 |
Juniper Junos | 16.1-r3 |
Juniper Junos | 16.2 |
Juniper Junos | 16.2-r1 |
Juniper Junos | 17.1 |
Juniper Junos | 17.1-r1 |
Juniper Junos | 17.2 |
Juniper Junos | 17.3 |
Juniper Junos | 17.3-r1 |
Juniper Junos | 17.4 |
Juniper Junos | 17.4-r1 |
Juniper Junos | 18.1 |
Juniper Junos | 18.1-r1 |

Remedy

The following software releases have been updated to resolve this specific issue: 15.1R7-S2, 15.1R8, 16.1R4-S12, 16.1R7-S2, 16.1R8, 16.2R2-S7, 16.2R3, 17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.3R2-S4, 17.3R3, 17.4R2, 18.1R2-S3, 18.1R3, 18.2R1, 18.3R1, and all subsequent releases.


Frequently Asked Questions

  • What is the severity of CVE-2018-0057?

    CVE-2018-0057 has a severity rating of medium due to its potential for unauthorized access to IP address assignments.

  • How do I fix CVE-2018-0057?

    To fix CVE-2018-0057, it's recommended to upgrade to a version of Junos that does not exhibit this behavior, specifically versions later than those affected.

  • What causes CVE-2018-0057?

    CVE-2018-0057 is caused by a misconfiguration in the DHCP process that allows IP address requests to override MAC address bindings.

  • What platforms are affected by CVE-2018-0057?

    CVE-2018-0057 affects MX Series and M120/M320 platforms running specific versions of Junos.

  • Can CVE-2018-0057 be exploited remotely?

    Yes, CVE-2018-0057 can be exploited remotely through unauthorized DHCP requests from subscribers.
