CVE-2017-2343
published 2017-07-17CVE-2017-2343: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of…
PriorityP264critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
2.70%
84.0th percentile
The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall polices. As part of an internal security review of the UserFW services authentication API, hardcoded credentials were identified and removed which can impact both the SRX Series device, and potentially LDAP and Active Directory integrated points. An attacker may be able to completely compromise SRX Series devices, as well as Active Directory servers and services. When Active Directory is compromised, it may allow access to user credentials, workstations, servers performing other functions such as email, database, etc. Inter-Forest Active Directory deployments may also be at risk as the attacker may gain full administrative control over one or more Active Directories depending on the credentials supplied by the administrator of the AD domains and SRX devices performing integrated authentication of users, groups and devices. To identify if your device is potentially vulnerable to exploitation, check to see if the service is operating; from CLI review the following output: root@SRX-Firewall# run show services user-identification active-directory-access domain-controller status extensive A result of "Status: Connected" will indicate that the service is active on the device. To evaluate if user authentication is occurring through the device: root@SRX-Firewall# run show services user-identification active-directory-access active-directory-authentication-table all Next review the results to see if valid users and groups are returned. e.g. Domain: juniperlab.com Total entries: 3 Source IP Username groups state 172.16.26.1 administrator Valid 192.168.26.2 engg01 engineers Valid 192.168.26.3 guest01 guests Valid Domain: NULL Total entries: 8 Source IP Username groups state 192.168.26.4 Invalid 192.168.26.5 Invalid This will also indicate that Valid users and groups are auth
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| juniper | junos | — | — |
| juniper | junos | — | — |
| juniper | junos_os | — | — |
| juniper | srx_series | — | — |
| juniper_networks | junos_os | — | — |
| juniper_networks | junos_os | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Run CLI command to check if the vulnerable UserFW Active Directory service is active (Status: Connected indicates exposure) ↗
- →Run CLI command to check if valid users and groups are authenticating through the device via the vulnerable UserFW integration ↗
- ·Affected Junos OS versions on SRX series: 12.3X48-D30 and prior to 12.3X48-D35; 15.1X49-D40 and prior to 15.1X49-D50. Devices on 12.1X46 or 12.1X47 are NOT affected. ↗
- ·The vulnerability stems from hardcoded credentials in the UserFW services authentication API, introduced in Junos OS 12.1X47-D10. The credentials have been removed in patched versions. ↗
- ·Inter-Forest Active Directory deployments are also at risk; an attacker may gain full administrative control over one or more Active Directories depending on credentials supplied by the administrator. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Juniper
CVE-2017-2343: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integ
vendor_juniper·2017-07-17·CVSS 10.0
CVE-2017-2343 [CRITICAL] CWE-798 CVE-2017-2343: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integ
CVE-2017-2343: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall polices. As part of an internal security review of the UserFW services authentication API, hardcoded credentials were identified and removed which can impact both the SRX Series device, and potentially LDAP and Active Directory integrated points. An attacker may be able to completely compromise SRX Series devices, as well as Active Directory servers and services. When Active Directory is compromised, it may allow access to user credentials, workstations, servers performing other functions such as email, database, etc. Inter-Forest Active Directory deployments may also be a
GHSA
GHSA-2vpg-v73j-6qq2: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12
ghsa_unreviewed·2022-05-13
CVE-2017-2343 [CRITICAL] CWE-798 GHSA-2vpg-v73j-6qq2: The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12
The Integrated User Firewall (UserFW) feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user profiles on top of the existing firewall polices. As part of an internal security review of the UserFW services authentication API, hardcoded credentials were identified and removed which can impact both the SRX Series device, and potentially LDAP and Active Directory integrated points. An attacker may be able to completely compromise SRX Series devices, as well as Active Directory servers and services. When Active Directory is compromised, it may allow access to user credentials, workstations, servers performing other functions such as email, database, etc. Inter-Forest Active Directory deployments may also be at risk as the a
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2017-07-17
Published