CVE-2019-0035: Junos OS: 'set system ports console insecure' allows root password recovery on OAM volumes
First published: Wed Apr 10 2019(Updated: )
When "set system ports console insecure" is enabled, root login is disallowed for Junos OS as expected. However, the root password can be changed using "set system root-authentication plain-text-password" on systems booted from an OAM (Operations, Administration, and Maintenance) volume, leading to a possible administrative bypass with physical access to the console. OAM volumes (e.g. flash drives) are typically instantiated as /dev/gpt/oam, or /oam for short. Password recovery, changing the root password from a console, should not have been allowed from an insecure console. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D496, 15.1X53-D68; 16.1 versions prior to 16.1R3-S10, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S8; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S3; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R2; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S2. This issue does not affect Junos OS releases prior to 15.1.
Credit: sirt@juniper.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Juniper JUNOS | =15.1-f2 | |
| Juniper JUNOS | =15.1-f3 | |
| Juniper JUNOS | =15.1-f4 | |
| Juniper JUNOS | =15.1-f5 | |
| Juniper JUNOS | =15.1-f6 | |
| Juniper JUNOS | =15.1-f7 | |
| Juniper JUNOS | =15.1-r1 | |
| Juniper JUNOS | =15.1-r2 | |
| Juniper JUNOS | =15.1-r3 | |
| Juniper JUNOS | =15.1-r4 | |
| Juniper JUNOS | =15.1-r5 | |
| Juniper JUNOS | =15.1-r6 | |
| Juniper JUNOS | =15.1x49-d10 | |
| Juniper JUNOS | =15.1x49-d100 | |
| Juniper JUNOS | =15.1x49-d110 | |
| Juniper JUNOS | =15.1x49-d120 | |
| Juniper JUNOS | =15.1x49-d130 | |
| Juniper JUNOS | =15.1x49-d150 | |
| Juniper JUNOS | =15.1x49-d20 | |
| Juniper JUNOS | =15.1x49-d30 | |
| Juniper JUNOS | =15.1x49-d35 | |
| Juniper JUNOS | =15.1x49-d40 | |
| Juniper JUNOS | =15.1x49-d45 | |
| Juniper JUNOS | =15.1x49-d50 | |
| Juniper JUNOS | =15.1x49-d60 | |
| Juniper JUNOS | =15.1x49-d65 | |
| Juniper JUNOS | =15.1x49-d70 | |
| Juniper JUNOS | =15.1x49-d75 | |
| Juniper JUNOS | =15.1x49-d80 | |
| Juniper JUNOS | =15.1x49-d90 | |
| Juniper JUNOS | =15.1x53-d10 | |
| Juniper JUNOS | =15.1x53-d20 | |
| Juniper JUNOS | =15.1x53-d21 | |
| Juniper JUNOS | =15.1x53-d210 | |
| Juniper JUNOS | =15.1x53-d230 | |
| Juniper JUNOS | =15.1x53-d231 | |
| Juniper JUNOS | =15.1x53-d232 | |
| Juniper JUNOS | =15.1x53-d233 | |
| Juniper JUNOS | =15.1x53-d25 | |
| Juniper JUNOS | =15.1x53-d30 | |
| Juniper JUNOS | =15.1x53-d32 | |
| Juniper JUNOS | =15.1x53-d33 | |
| Juniper JUNOS | =15.1x53-d34 | |
| Juniper JUNOS | =15.1x53-d40 | |
| Juniper JUNOS | =15.1x53-d45 | |
| Juniper JUNOS | =15.1x53-d495 | |
| Juniper JUNOS | =15.1x53-d56 | |
| Juniper JUNOS | =15.1x53-d60 | |
| Juniper JUNOS | =15.1x53-d61 | |
| Juniper JUNOS | =15.1x53-d62 | |
| Juniper JUNOS | =15.1x53-d63 | |
| Juniper JUNOS | =16.1-r1 | |
| Juniper JUNOS | =16.1-r2 | |
| Juniper JUNOS | =16.1-r3 | |
| Juniper JUNOS | =16.1-r4 | |
| Juniper JUNOS | =16.1-r5 | |
| Juniper JUNOS | =16.1-r6 | |
| Juniper JUNOS | =16.1-r7 | |
| Juniper JUNOS | =17.3-r1 | |
| Juniper JUNOS | =17.3-r2 | |
| Juniper JUNOS | =17.3-r3 | |
| Juniper JUNOS | =17.2-r1 | |
| Juniper JUNOS | =17.2-r1-s7 | |
| Juniper JUNOS | =17.2-r2 | |
| Juniper JUNOS | =17.2-r3 | |
| Juniper JUNOS | =17.4-r1 | |
| Juniper JUNOS | =17.4-r1-s7 | |
| Juniper JUNOS | =17.4-r2 | |
| Juniper JUNOS | =18.1-r1 | |
| Juniper JUNOS | =18.1-r2 | |
| Juniper JUNOS | =18.1-r3-s2 | |
| Juniper JUNOS | =18.2-r1 | |
| Juniper JUNOS | =18.2-r1-s3 | |
| Juniper JUNOS | =18.3-r1 | |
| Juniper JUNOS | =18.3-r1-s1 | |
| Juniper JUNOS | =18.2x75 | |
| Juniper JUNOS | =16.1x65-d30 | |
| Juniper JUNOS | =16.1x65-d35 | |
| Juniper JUNOS | =16.1x65-d40 | |
| Juniper JUNOS | =17.1-r1 | |
| Juniper JUNOS | =17.1-r2 | |
| Juniper JUNOS | =16.2-r1 | |
| Juniper JUNOS | =16.2-r2 | |
| Juniper JUNOS | =16.2-r2-s7 |
Remedy
The following software releases have been updated to resolve this specific issue: Junos OS 15.1F6-S12, 15.1R7-S3, 15.1X49-D160, 15.1X53-D236, 15.1X53-D496, 15.1X53-D68, 16.1R3-S10, 16.1R6-S6, 16.1R7-S3, 16.1X65-D49, 16.2R2-S8, 17.1R2-S10, 17.1R3, 17.2R1-S8, 17.2R3-S1, 17.3R3-S3, 17.4R1-S6, 17.4R2-S2, 18.1R2-S4, 18.1R3-S3, 18.2R2, 18.2X75-D40, 18.3R1-S2, 18.4R1, and all subsequent releases.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/severity
- agent/last-modified-date
- agent/title
- agent/author
- agent/references
- agent/first-publish-date
- agent/event
- agent/tags
- agent/description
- vendor/juniper
- canonical/juniper junos
- version/juniper junos/15.1-f2
- version/juniper junos/15.1-f3
- version/juniper junos/15.1-f4
- version/juniper junos/15.1-f5
- version/juniper junos/15.1-f6
- version/juniper junos/15.1-f7
- version/juniper junos/15.1-r1
- version/juniper junos/15.1-r2
- version/juniper junos/15.1-r3
- version/juniper junos/15.1-r4
- version/juniper junos/15.1-r5
- version/juniper junos/15.1-r6
- version/juniper junos/15.1x49-d10
- version/juniper junos/15.1x49-d100
- version/juniper junos/15.1x49-d110
- version/juniper junos/15.1x49-d120
- version/juniper junos/15.1x49-d130
- version/juniper junos/15.1x49-d150
- version/juniper junos/15.1x49-d20
- version/juniper junos/15.1x49-d30
- version/juniper junos/15.1x49-d35
- version/juniper junos/15.1x49-d40
- version/juniper junos/15.1x49-d45
- version/juniper junos/15.1x49-d50
- version/juniper junos/15.1x49-d60
- version/juniper junos/15.1x49-d65
- version/juniper junos/15.1x49-d70
- version/juniper junos/15.1x49-d75
- version/juniper junos/15.1x49-d80
- version/juniper junos/15.1x49-d90
- version/juniper junos/15.1x53-d10
- version/juniper junos/15.1x53-d20
- version/juniper junos/15.1x53-d21
- version/juniper junos/15.1x53-d210
- version/juniper junos/15.1x53-d230
- version/juniper junos/15.1x53-d231
- version/juniper junos/15.1x53-d232
- version/juniper junos/15.1x53-d233
- version/juniper junos/15.1x53-d25
- version/juniper junos/15.1x53-d30
- version/juniper junos/15.1x53-d32
- version/juniper junos/15.1x53-d33
- version/juniper junos/15.1x53-d34
- version/juniper junos/15.1x53-d40
- version/juniper junos/15.1x53-d45
- version/juniper junos/15.1x53-d495
- version/juniper junos/15.1x53-d56
- version/juniper junos/15.1x53-d60
- version/juniper junos/15.1x53-d61
- version/juniper junos/15.1x53-d62
- version/juniper junos/15.1x53-d63
- version/juniper junos/16.1-r1
- version/juniper junos/16.1-r2
- version/juniper junos/16.1-r3
- version/juniper junos/16.1-r4
- version/juniper junos/16.1-r5
- version/juniper junos/16.1-r6
- version/juniper junos/16.1-r7
- version/juniper junos/17.3-r1
- version/juniper junos/17.3-r2
- version/juniper junos/17.3-r3
- version/juniper junos/17.2-r1
- version/juniper junos/17.2-r1-s7
- version/juniper junos/17.2-r2
- version/juniper junos/17.2-r3
- version/juniper junos/17.4-r1
- version/juniper junos/17.4-r1-s7
- version/juniper junos/17.4-r2
- version/juniper junos/18.1-r1
- version/juniper junos/18.1-r2
- version/juniper junos/18.1-r3-s2
- version/juniper junos/18.2-r1
- version/juniper junos/18.2-r1-s3
- version/juniper junos/18.3-r1
- version/juniper junos/18.3-r1-s1
- version/juniper junos/18.2x75
- version/juniper junos/16.1x65-d30
- version/juniper junos/16.1x65-d35
- version/juniper junos/16.1x65-d40
- version/juniper junos/17.1-r1
- version/juniper junos/17.1-r2
- version/juniper junos/16.2-r1
- version/juniper junos/16.2-r2
- version/juniper junos/16.2-r2-s7