A UNIX Symbolic Link (Symlink) Following vulnerability in the CLI of Juniper Networks Junos OS allows a local, authenticated attacker with low privileges to escalate their privileges to root which will lead to a complete compromise of the system.
When after a user has performed a specific file link … CLI operation, another user commits (unrelated configuration changes), the first user can login as root.
This issue affects Junos OS:
- all versions before 23.2R2-S7,
- 23.4 versions before 23.4R2-S6,
- 24.2 versions before 24.2R2-S3,
- 24.4 versions before 24.4R2-S2,
- 25.2 versions before 25.2R2.
This issue does not affect versions 25.4R1 or later.
Weakness
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Junos | Juniper | * | 23.2 (excluding) |
| Junos | Juniper | 23.2 (including) | 23.2 (including) |
| Junos | Juniper | 23.2-r1 (including) | 23.2-r1 (including) |
| Junos | Juniper | 23.2-r1-s1 (including) | 23.2-r1-s1 (including) |
| Junos | Juniper | 23.2-r1-s2 (including) | 23.2-r1-s2 (including) |
| Junos | Juniper | 23.2-r2 (including) | 23.2-r2 (including) |
| Junos | Juniper | 23.2-r2-s1 (including) | 23.2-r2-s1 (including) |
| Junos | Juniper | 23.2-r2-s2 (including) | 23.2-r2-s2 (including) |
| Junos | Juniper | 23.2-r2-s3 (including) | 23.2-r2-s3 (including) |
| Junos | Juniper | 23.2-r2-s4 (including) | 23.2-r2-s4 (including) |
| Junos | Juniper | 23.2-r2-s5 (including) | 23.2-r2-s5 (including) |
| Junos | Juniper | 23.2-r2-s6 (including) | 23.2-r2-s6 (including) |
| Junos | Juniper | 23.4 (including) | 23.4 (including) |
| Junos | Juniper | 23.4-r1 (including) | 23.4-r1 (including) |
| Junos | Juniper | 23.4-r1-s1 (including) | 23.4-r1-s1 (including) |
| Junos | Juniper | 23.4-r1-s2 (including) | 23.4-r1-s2 (including) |
| Junos | Juniper | 23.4-r2 (including) | 23.4-r2 (including) |
| Junos | Juniper | 23.4-r2-s1 (including) | 23.4-r2-s1 (including) |
| Junos | Juniper | 23.4-r2-s2 (including) | 23.4-r2-s2 (including) |
| Junos | Juniper | 23.4-r2-s3 (including) | 23.4-r2-s3 (including) |
| Junos | Juniper | 23.4-r2-s4 (including) | 23.4-r2-s4 (including) |
| Junos | Juniper | 23.4-r2-s5 (including) | 23.4-r2-s5 (including) |
| Junos | Juniper | 24.2 (including) | 24.2 (including) |
| Junos | Juniper | 24.2-r1 (including) | 24.2-r1 (including) |
| Junos | Juniper | 24.2-r1-s1 (including) | 24.2-r1-s1 (including) |
| Junos | Juniper | 24.2-r1-s2 (including) | 24.2-r1-s2 (including) |
| Junos | Juniper | 24.2-r2 (including) | 24.2-r2 (including) |
| Junos | Juniper | 24.2-r2-s1 (including) | 24.2-r2-s1 (including) |
| Junos | Juniper | 24.2-r2-s2 (including) | 24.2-r2-s2 (including) |
| Junos | Juniper | 24.4 (including) | 24.4 (including) |
| Junos | Juniper | 24.4-r1 (including) | 24.4-r1 (including) |
| Junos | Juniper | 24.4-r1-s2 (including) | 24.4-r1-s2 (including) |
| Junos | Juniper | 24.4-r1-s3 (including) | 24.4-r1-s3 (including) |
| Junos | Juniper | 24.4-r2 (including) | 24.4-r2 (including) |
| Junos | Juniper | 24.4-r2-s1 (including) | 24.4-r2-s1 (including) |
| Junos | Juniper | 25.2 (including) | 25.2 (including) |
| Junos | Juniper | 25.2-r1 (including) | 25.2-r1 (including) |
| Junos | Juniper | 25.2-r1-s1 (including) | 25.2-r1-s1 (including) |
| Junos | Juniper | 25.2-r1-s2 (including) | 25.2-r1-s2 (including) |
Potential Mitigations
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.