CVE-2017-10620 — Improper Certificate Validation in Networks Junos OS

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

7.4HIGHNVD

EPSS

0.2%

top 61.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Juniper Networks Junos OS Juniper Junos Juniper Junos OS +1 more

Timeline

PublishedOct 13

Latest updateMay 13

Description

Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates. This may allow a man-in-the-middle attacker to inject bogus signatures to cause service disruptions or make the device not detect certain types of attacks. Affected Junos OS releases are: 12.1X46 prior to 12.1X46-D71; 12.3X48 prior to 12.3X48-D55; 15.1X49 prior to 15.1X49-D110;

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 2.2 | Impact: 5.2

Affected Packages4 packages

▶CVEListV5juniper_networks/junos_os12.1X46 prior to 12.3X46-D71, 12.3X48 prior to 12.3X48-D55, 15.1X49 prior to 15.1X49-D110+2

▶NVDjuniper/junos12.1x46, 12.3x48, 15.1x49+2

▶juniperjuniper/junos_os

▶juniperjuniper/srx_series

🔴Vulnerability Details

GHSA

GHSA-3p9c-3m43-pw59: Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates↗2022-05-13

▶

📋Vendor Advisories

Juniper

CVE-2017-10620: Juniper Networks Junos OS on SRX series devices do not verify the HTTPS server certificate before downloading anti-virus updates. This may allow a man↗2017-10-13

▶