CVE-2017-10624 - OpenCVE

Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1.

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:H/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Juniper	Junos Space

Configuration 1 [-]

cpe:2.3:o:juniper:junos_space:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/101255	Third Party Advisory VDB Entry
https://kb.juniper.net/JSA10826	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: juniper

Published: 2017-10-11T00:00:00

Updated: 2017-10-14T09:57:01

Reserved: 2017-06-28T00:00:00

Link: CVE-2017-10624

JSON object: View

NVD Information

Status : Modified

Published: 2017-10-13T17:29:01.080

Modified: 2019-10-09T23:21:42.963

Link: CVE-2017-10624

JSON object: View

Redhat Information

No data.

CWE

CWE-345

{"containers": {"cna": {"affected": [{"product": "Junos Space", "vendor": "Juniper Networks", "versions": [{"status": "affected", "version": "versions prior to 17.1R1"}]}], "configurations": [{"lang": "en", "value": "This vulnerability is relevant to Junos Space devices configured in cluster mode."}], "datePublic": "2017-10-11T00:00:00", "descriptions": [{"lang": "en", "value": "Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "insufficient verification", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-14T09:57:01", "orgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "shortName": "juniper"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://kb.juniper.net/JSA10826"}, {"name": "101255", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101255"}], "title": "Junos Space: Insufficient verification of node certificates.", "workarounds": [{"lang": "en", "value": "There are no viable workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts."}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "sirt@juniper.net", "DATE_PUBLIC": "2017-10-11T09:00", "ID": "CVE-2017-10624", "STATE": "PUBLIC", "TITLE": "Junos Space: Insufficient verification of node certificates."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Junos Space", "version": {"version_data": [{"platform": "", "version_value": "versions prior to 17.1R1"}]}}]}, "vendor_name": "Juniper Networks"}]}}, "configuration": [{"lang": "en", "value": "This vulnerability is relevant to Junos Space devices configured in cluster mode."}], "credit": [], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1."}]}, "exploit": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability.", "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "insufficient verification"}]}]}, "references": {"reference_data": [{"name": "https://kb.juniper.net/JSA10826", "refsource": "CONFIRM", "url": "https://kb.juniper.net/JSA10826"}, {"name": "101255", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101255"}]}, "solution": "The following software releases have been updated to resolve this specific issue: 17.1R1, and all subsequent releases.\n\nThis issue is being tracked as PR 1176959 and is visible on the Customer Support website.", "work_around": [{"lang": "en", "value": "There are no viable workarounds for this issue.\nIt is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device from trusted, administrative networks or hosts."}]}}}, "cveMetadata": {"assignerOrgId": "8cbe9d5a-a066-4c94-8978-4b15efeae968", "assignerShortName": "juniper", "cveId": "CVE-2017-10624", "datePublished": "2017-10-11T00:00:00", "dateReserved": "2017-06-28T00:00:00", "dateUpdated": "2017-10-14T09:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:juniper:junos_space:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CAE38A6-2DC8-41A1-A36B-F17457099600", "versionEndIncluding": "16.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Insufficient verification of node certificates in Juniper Networks Junos Space may allow a man-in-the-middle type of attacker to make unauthorized modifications to Space database or add nodes. Affected releases are Juniper Networks Junos Space all versions prior to 17.1R1."}, {"lang": "es", "value": "Verificaci\u00f3n insuficiente de los certificados de los nodos en Juniper Networks Junos Space puede permitir que un tipo de atacante Man-in-the-Middle (MitM) realice modificaciones no autorizadas a la base de datos Space o a\u00f1ada nodos. Las distribuciones afectadas son: Juniper Networks Junos Space en todas sus versiones anteriores a la 17.1R1."}], "id": "CVE-2017-10624", "lastModified": "2019-10-09T23:21:42.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "sirt@juniper.net", "type": "Secondary"}]}, "published": "2017-10-13T17:29:01.080", "references": [{"source": "sirt@juniper.net", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101255"}, {"source": "sirt@juniper.net", "tags": ["Vendor Advisory"], "url": "https://kb.juniper.net/JSA10826"}], "sourceIdentifier": "sirt@juniper.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "nvd@nist.gov", "type": "Primary"}]}