On Juniper Networks EX and QFX Series, an authentication bypass vulnerability may allow a user connected to the console port to login as root without any password. This issue might only occur in certain scenarios: • At the first reboot after performing device factory reset using the command “request system zeroize”; or • A temporary moment during the first reboot after the software upgrade when the device configured in Virtual Chassis mode. This issue affects Juniper Networks Junos OS on EX and QFX Series: 14.1X53 versions prior to 14.1X53-D53; 15.1 versions prior to 15.1R7-S4; 15.1X53 versions prior to 15.1X53-D593; 16.1 versions prior to 16.1R7-S4; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R3-S3; 17.3 versions prior to 17.3R2-S5, 17.3R3-S6; 17.4 versions prior to 17.4R2-S9, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R2; 18.3 versions prior to 18.3R1-S7, 18.3R2. This issue does not affect Juniper Networks Junos OS 12.3.
Metrics
No CVSS v4.0
Attack Vector Physical
Attack Complexity High
Privileges Required None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact High
User Interaction Required
No CVSS v3.0
Access Vector Local
Access Complexity Medium
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
AV:L/AC:M/Au:N/C:C/I:C/A:C
This CVE is not in the KEV list.
Key SSVC decision points have not yet been added.
Affected Vendors & Products
Vendors | Products |
---|---|
Juniper |
|
Configuration 1 [-]
AND |
|
No data.
References
Link | Providers |
---|---|
https://kb.juniper.net/JSA11001 |
History
No history.
MITRE
Status: PUBLISHED
Assigner: juniper
Published: 2020-04-08T19:25:54.845452Z
Updated: 2024-09-17T01:56:26.005Z
Reserved: 2019-11-04T00:00:00
Link: CVE-2020-1618
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-04-08T20:15:13.403
Modified: 2024-11-21T05:11:00.583
Link: CVE-2020-1618
Redhat
No data.