high
7.2
CWE
923
Advisory Published
Updated

CVE-2023-28971: Paragon Active Assurance: Enabling the timescaledb enables IP forwarding

First published: Mon Apr 17 2023(Updated: )

An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the timescaledb feature of Juniper Networks Paragon Active Assurance (PAA) (Formerly Netrounds) allows an attacker to bypass existing firewall rules and limitations used to restrict internal communcations. The Test Agents (TA) Appliance connects to the Control Center (CC) using OpenVPN. TA's are assigned an internal IP address in the 100.70.0.0/16 range. Firewall rules exists to limit communication from TA's to the CC to specific services only. OpenVPN is configured to not allow direct communication between Test Agents in the OpenVPN application itself, and routing is normally not enabled on the server running the CC application. The timescaledb feature is installed as an optional package on the Control Center. When the timescaledb container is started, this causes side-effects by bypassing the existing firewall rules and limitations for Test Agent communications. Note: This issue only affects customers hosting their own on-prem Control Center. The Paragon Active Assurance Software as a Service (SaaS) is not affected by this vulnerability since the timescaledb service is not enabled. This issue affects all on-prem versions of Juniper Networks Paragon Active Assurance prior to 4.1.2.

Credit: sirt@juniper.net

Affected SoftwareAffected VersionHow to fix
Juniper Networks Paragon Active Assurance<4.1.2

Remedy

The following software releases have been updated to resolve this specific issue: 4.1.2, 4.2.0, and all subsequent releases.

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-28971?

    CVE-2023-28971 is classified as a high severity vulnerability.

  • How do I fix CVE-2023-28971?

    To mitigate CVE-2023-28971, update Juniper's Paragon Active Assurance to version 4.1.2 or higher.

  • What impact does CVE-2023-28971 have on my network?

    CVE-2023-28971 allows an attacker to bypass firewall rules, potentially compromising network security.

  • Which versions of Juniper Paragon Active Assurance are affected by CVE-2023-28971?

    CVE-2023-28971 affects all versions of Juniper Paragon Active Assurance below 4.1.2.

  • Is CVE-2023-28971 actively exploited in the wild?

    As of now, there is no public information indicating that CVE-2023-28971 is actively exploited in the wild.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203