Vulnerability Name:

CVE-2018-0057 (CCN-151047)

Assigned:2017-11-16
Published:2018-10-10
Updated:2019-10-09
Summary:On MX Series and M120/M320 platforms configured in a Broadband Edge (BBE) environment, subscribers logging in with DHCP Option 50 to request a specific IP address will be assigned the requested IP address, even if there is a static MAC to IP address binding in the access profile. In the problem scenario, with a hardware-address and IP address configured under address-assignment pool, if a subscriber logging in with DHCP Option 50, the subscriber will not be assigned an available address from the matched pool, but will still get the requested IP address. A malicious DHCP subscriber may be able to utilize this vulnerability to create duplicate IP address assignments, leading to a denial of service for valid subscribers or unauthorized information disclosure via IP address assignment spoofing. Affected releases are Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S2, 15.1R8; 16.1 versions prior to 16.1R4-S12, 16.1R7-S2, 16.1R8; 16.2 versions prior to 16.2R2-S7, 16.2R3; 17.1 versions prior to 17.1R2-S9, 17.1R3; 17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3; 17.3 versions prior to 17.3R2-S4, 17.3R3; 17.4 versions prior to 17.4R2; 18.1 versions prior to 18.1R2-S3, 18.1R3.
CVSS v3 Severity:9.6 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H)
8.3 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): High
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Adjacent
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): Partial
4.8 Medium (CCN CVSS v2 Vector: AV:A/AC:L/Au:N/C:P/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Adjacent_Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2018-0057

Source: XF
Type: UNKNOWN
juniper-junos-cve20180057-dos(151047)

Source: CCN
Type: Juniper Networks Security Bulletin JSA10892
Junos OS: authd allows assignment of IP address requested by DHCP subscriber logging in with Option 50 (Requested IP Address) (CVE-2018-0057)

Source: CONFIRM
Type: Vendor Advisory
https://kb.juniper.net/JSA10892

Vulnerable Configuration:Configuration 1:
  • cpe:/o:juniper:junos:15.1:*:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:f2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:f3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:f4:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:f5:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:f6:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r3:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r4:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r5:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:r6:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/o:juniper:junos:16.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:16.1:r1:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:16.1:r2:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:16.1:r3:*:*:*:*:*:*

  • Configuration 3:
  • cpe:/o:juniper:junos:16.2:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:16.2:r1:*:*:*:*:*:*

  • Configuration 4:
  • cpe:/o:juniper:junos:17.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.1:r1:*:*:*:*:*:*

  • Configuration 5:
  • cpe:/o:juniper:junos:17.2:-:*:*:*:*:*:*

  • Configuration 6:
  • cpe:/o:juniper:junos:17.3:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.3:r1:*:*:*:*:*:*

  • Configuration 7:
  • cpe:/o:juniper:junos:17.4:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.4:r1:*:*:*:*:*:*

  • Configuration 8:
  • cpe:/o:juniper:junos:18.1:*:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:18.1:r1:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/o:juniper:junos:14.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:15.1:*:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:16.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.1:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.2:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:17.3:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:12.1x46:-:*:*:*:*:*:*
  • OR cpe:/o:juniper:junos:14.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    BACK
    juniper junos 15.1
    juniper junos 15.1 f2
    juniper junos 15.1 f3
    juniper junos 15.1 f4
    juniper junos 15.1 f5
    juniper junos 15.1 f6
    juniper junos 15.1 r1
    juniper junos 15.1 r2
    juniper junos 15.1 r3
    juniper junos 15.1 r4
    juniper junos 15.1 r5
    juniper junos 15.1 r6
    juniper junos 16.1
    juniper junos 16.1 r1
    juniper junos 16.1 r2
    juniper junos 16.1 r3
    juniper junos 16.2
    juniper junos 16.2 r1
    juniper junos 17.1
    juniper junos 17.1 r1
    juniper junos 17.2
    juniper junos 17.3
    juniper junos 17.3 r1
    juniper junos 17.4
    juniper junos 17.4 r1
    juniper junos 18.1
    juniper junos 18.1 r1
    juniper junos 14.1 -
    juniper junos 15.1
    juniper junos 16.1 -
    juniper junos 17.1 -
    juniper junos 17.2 -
    juniper junos 17.3 -
    juniper junos 12.1x46 -
    juniper junos 14.2