An Execution with Unnecessary Privileges vulnerability in the User Interface (UI) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low-privileged attacker to gain root privileges, thus compromising the system.
When a configuration that allows unsigned Python op scripts is present on the device, a non-root user is able to execute malicious op scripts as a root-equivalent user, leading to privilege escalation.
This issue affects Junos OS:
- All versions before 22.4R3-S7,
- from 23.2 before 23.2R2-S4,
- from 23.4 before 23.4R2-S6,
- from 24.2 before 24.2R1-S2, 24.2R2,
- from 24.4 before 24.4R1-S2, 24.4R2;
Junos OS Evolved:
- All versions before 22.4R3-S7-EVO,
- from 23.2 before 23.2R2-S4-EVO,
- from 23.4 before 23.4R2-S6-EVO,
- from 24.2 before 24.2R2-EVO,
- from 24.4 before 24.4R1-S1-EVO, 24.4R2-EVO.
This issue only affects systems when remote Python3 op scripts are enabled.
[ system scripts language python3]
Starting in Junos OS Evolved Release 21.2R1, the junos-defaults configuration group includes the language python statement by default.
Juniper SIRT is not aware of any malicious exploitation of this vulnerability.
Use access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators.
The following software releases have been updated to resolve this specific issue:
Junos OS Evolved: 22.4R3-S7-EVO, 23.2R2-S4-EVO, 23.4R2-S6-EVO, 24.2R2-EVO, 24.4R1-S1-EVO, 24.4R2-EVO, 25.2R1-EVO and all subsequent releases.
Junos OS: 22.4R3-S7, 23.2R2-S4, 23.4R2-S6, 24.2R1-S2, 24.2R2, 24.4R1-S2, 24.4R2, 25.2R1 and all subsequent releases.