CVE-2020-1631

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Published: May 04, 2020 | Modified: Jan 11, 2023
CVSS 3.x: 9.8 CRITICAL (source: NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x: 6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) or path traversal. Using this vulnerability, an attacker may be able to inject commands into httpd.log, read files that have world-readable permissions, or obtain J-Web session tokens.

In the case of command injection, the impact is limited because the HTTP service runs as user nobody. (CVSS score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

In the case of reading world-readable files, on Junos OS 19.3R1 and above the unauthenticated attacker would be able to read the configuration file. (CVSS score 5.9, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

If J-Web is enabled, the attacker could gain the same level of access as anyone actively logged into J-Web. If an administrator is logged in, the attacker could gain administrator access to J-Web. (CVSS score 8.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled. Junos OS devices with HTTP/HTTPS services disabled are not affected. If HTTP/HTTPS services are enabled, the following command will show the httpd processes:

  user@device> show system processes | match http
  5260  -  S  0:00.13 /usr/sbin/httpd-gk -N
  5797  -  I  0:00.10 /usr/sbin/httpd --config /jail/var/etc/httpd.conf

To summarize:

  • If HTTP/HTTPS services are disabled, there is no impact from this vulnerability.

  • If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

  • If J-Web is enabled, this vulnerability has a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Juniper SIRT has received a single report of this vulnerability being exploited in the wild. Out of an abundance of caution, we are notifying customers so they can take appropriate actions.

Indicators of Compromise: /var/log/httpd.log may contain indicators that commands have been injected or files have been accessed. The device administrator can look for these indicators by searching for the string patterns =;& or %3b& in /var/log/httpd.log, using the following command:

  user@device> show log httpd.log | match =;&|=%3b&

If this command returns any output, it might be an indication of malicious attempts or simply of scanning activity. Rotated logs should also be reviewed, using the following commands:

  user@device> show log httpd.log.0.gz | match =;&|=%3b&
  user@device> show log httpd.log.1.gz | match =;&|=%3b&

Note that a skilled attacker would likely remove these entries from the local log file, thus effectively eliminating any reliable signature that the device had been attacked.

This issue affects Juniper Networks Junos OS:

  • 12.3 versions prior to 12.3R12-S16;
  • 12.3X48 versions prior to 12.3X48-D101, 12.3X48-D105;
  • 14.1X53 versions prior to 14.1X53-D54;
  • 15.1 versions prior to 15.1R7-S7;
  • 15.1X49 versions prior to 15.1X49-D211, 15.1X49-D220;
  • 16.1 versions prior to 16.1R7-S8;
  • 17.2 versions prior to 17.2R3-S4;
  • 17.3 versions prior to 17.3R3-S8;
  • 17.4 versions prior to 17.4R2-S11, 17.4R3-S2;
  • 18.1 versions prior to 18.1R3-S10;
  • 18.2 versions prior to 18.2R2-S7, 18.2R3-S4;
  • 18.3 versions prior to 18.3R2-S4, 18.3R3-S2;
  • 18.4 versions prior to 18.4R1-S7, 18.4R3-S2;
  • 18.4 version 18.4R2 and later versions;
  • 19.1 versions prior to 19.1R1-S5, 19.1R3-S1;
  • 19.1 version 19.1R2 and later versions;
  • 19.2 versions prior to 19.2R2;
  • 19.3 versions prior to 19.3R2-S3, 19.3R3;
  • 19.4 versions prior to 19.4R1-S2, 19.4R2;
  • 20.1 versions prior to 20.1R1-S1, 20.1R2.
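As an added example (not from the advisory or from Juniper), the same indicator search the advisory performs with `show log httpd.log | match` can be run off-box over an exported copy of httpd.log and its rotated .gz files; the log lines below are constructed and their format is hypothetical, not real Junos httpd output:

```python
import gzip
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Indicator from the advisory: a literal "=;&" or its URL-encoded form "=%3b&".
# The hex digit is matched case-insensitively so "%3B" is caught as well.
INDICATOR_RE = re.compile(r"=(?:;|%3b)&", re.IGNORECASE)

Hit = Tuple[str, int, str]  # (source name, line number, matching line)


def find_indicators(lines: Iterable[str], source: str = "httpd.log") -> List[Hit]:
    """Return every line that carries the indicator, with its position."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        if INDICATOR_RE.search(line):
            hits.append((source, lineno, line.rstrip("\n")))
    return hits


def scan_log_files(paths: Iterable[Path]) -> List[Hit]:
    """Scan the live log plus rotated copies (httpd.log.0.gz, httpd.log.1.gz, ...)."""
    hits: List[Hit] = []
    for path in paths:
        opener = gzip.open if path.suffix == ".gz" else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            hits.extend(find_indicators(fh, source=path.name))
    return hits


# Constructed sample lines (hypothetical layout, not real device output).
SAMPLE_LOG = [
    "[04/May/2020:10:00:01] 192.0.2.10 GET /index.html 200",
    "[04/May/2020:10:00:02] 192.0.2.10 GET /cgi?x=;&y=1 404",
    "[04/May/2020:10:00:03] 192.0.2.11 GET /cgi?x=%3B&y=1 404",
    "[04/May/2020:10:00:04] 192.0.2.12 GET /login?user=admin&next=home 200",
]

if __name__ == "__main__":
    for source, lineno, line in find_indicators(SAMPLE_LOG):
        print(f"{source}:{lineno}: {line}")
    # Real use: scan_log_files([Path("httpd.log"), Path("httpd.log.0.gz")])
```

A hit means what the advisory says it means: possibly an attack, possibly scanning. Because the advisory notes that the local log may be cleaned by an attacker, a copy forwarded off the device is the better input for this check.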

Weakness

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Software

Name   Vendor   Start Version   End Version
Junos  Juniper  12.3            12.3
Junos  Juniper  12.3x48         12.3x48
Junos  Juniper  14.1x53         14.1x53
Junos  Juniper  15.1            15.1
Junos  Juniper  15.1x49         15.1x49
Junos  Juniper  16.1            16.1
Junos  Juniper  17.2            17.2
Junos  Juniper  17.3            17.3
Junos  Juniper  17.4            17.4
Junos  Juniper  18.1            18.1
Junos  Juniper  18.2            18.2
Junos  Juniper  18.3            18.3
Junos  Juniper  18.4            18.4
Junos  Juniper  19.1            19.1
Junos  Juniper  19.2            19.2
Junos  Juniper  19.3            19.3
Junos  Juniper  19.4            19.4
Junos  Juniper  20.1            20.1

Extended Description

Many file operations are intended to take place within a restricted directory. By using special elements such as “..” and “/” separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system. One of the most common special elements is the “../” sequence, which in most modern operating systems is interpreted as the parent directory of the current location. This is referred to as relative path traversal. Path traversal also covers the use of absolute pathnames such as “/usr/local/bin”, which may also be useful in accessing unexpected files. This is referred to as absolute path traversal. In many programming languages, the injection of a null byte (the 0 or NUL) may allow an attacker to truncate a generated filename to widen the scope of attack. For example, the product may add “.txt” to any pathname, thus limiting the attacker to text files, but a null injection may effectively remove this restriction.

Potential Mitigations

  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.

  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”

  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

  • When validating filenames, use stringent allowlists that limit the character set to be used. If feasible, only allow a single “.” character in the filename to avoid weaknesses such as CWE-23, and exclude directory separators such as “/” to avoid CWE-36. Use a list of allowable file extensions, which will help to avoid CWE-434.

  • Do not rely exclusively on a filtering mechanism that removes potentially dangerous characters. This is equivalent to a denylist, which may be incomplete (CWE-184). For example, filtering “/” is insufficient protection if the filesystem also supports the use of “\” as a directory separator. Another possible error could occur when the filtering is applied in a way that still produces dangerous data (CWE-182). For example, if “../” sequences are removed from the “..../..//” string in a sequential fashion, two instances of “../” would be removed from the original string, but the remaining characters would still form the “../” string.

  • Inputs should be decoded and canonicalized to the application’s current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.

  • Use a built-in path canonicalization function (such as realpath() in C) that produces the canonical version of the pathname, which effectively removes “..” sequences and symbolic links (CWE-23, CWE-59). This includes:

  • When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

  • For example, ID 1 could map to “inbox.txt” and ID 2 could map to “profile.txt”. Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.

  • Run the code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.

  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.

  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.

  • Be careful to avoid CWE-243 and other weaknesses related to jails.

  • Store library, include, and utility files outside of the web document root, if possible. Otherwise, store them in a separate directory and use the web server’s access control capabilities to prevent attackers from directly requesting them. One common practice is to define a fixed constant in each calling program, then check for the existence of the constant in the library/include file; if the constant does not exist, then the file was directly requested, and it can exit immediately.

  • This significantly reduces the chance of an attacker being able to bypass any protection mechanisms that are in the base program but not in the include files. It will also reduce the attack surface.

  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.

  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.

  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

  • In the context of path traversal, error messages which disclose path information can help attackers craft the appropriate attack strings to move through the file system hierarchy.
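The mitigations above describe the sequential-filter mistake (CWE-182), single decoding before validation (CWE-174), realpath()-style canonicalization (CWE-23, CWE-59) and the fixed ID-to-filename mapping. The following added example (not from the page, CWE or Juniper) puts each of them side by side; `WEB_ROOT` and the ID map are constructed values:

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed web root for the example; it does not need to exist on disk.
WEB_ROOT = "/nonexistent-webroot/docs"

# Fixed ID -> filename map, the indirect-reference pattern from the
# mitigation list (ESAPI AccessReferenceMap does the same job in Java).
FILE_BY_ID = {1: "inbox.txt", 2: "profile.txt"}


def strip_dotdot_once(path: str) -> str:
    """Single-pass removal of '../': the CWE-182 mistake the mitigation warns about."""
    return path.replace("../", "")


def strip_dotdot_until_stable(path: str) -> str:
    """Loop until no '../' remains. Better, but still a denylist (CWE-184):
    it says nothing about absolute paths, backslashes or symlinks."""
    while "../" in path:
        path = path.replace("../", "")
    return path


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Decode exactly once (CWE-174), join under root, canonicalize with
    realpath (CWE-23, CWE-59) and keep the result only if it is still
    inside root; None means the request escaped the restricted directory."""
    decoded = unquote(user_path)  # one decode; a second would re-open the door
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def file_for_id(raw_id: str) -> Optional[str]:
    """Accept-known-good: a numeric ID selects a fixed file, anything else is rejected."""
    if not raw_id.isdigit():
        return None
    return FILE_BY_ID.get(int(raw_id))


if __name__ == "__main__":
    print(strip_dotdot_once("..../..//"))          # the leftover is "../"
    print(strip_dotdot_until_stable("..../..//"))  # empty string
    print(resolve_under_root(WEB_ROOT, "..%2F..%2Fsecret.conf"))  # None
    print(resolve_under_root(WEB_ROOT, "reports/2020.txt"))
    print(file_for_id("2"), file_for_id("2/../x"))
```

Note that a double-encoded input such as `%252e%252e` is decoded only once, so it reaches realpath as the literal directory name `%2e%2e` and stays inside the root instead of being turned into `..`.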
