{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"state":"PUBLISHED","cveId":"CVE-2019-0053","assignerOrgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","assignerShortName":"juniper","dateUpdated":"2024-09-16T19:15:29.698Z","dateReserved":"2018-10-11T00:00:00.000Z","datePublished":"2019-07-11T19:40:52.382Z"},"containers":{"cna":{"title":"Junos OS: Insufficient validation of environment variables in telnet client may lead to stack-based buffer overflow","datePublic":"2019-07-10T00:00:00.000Z","providerMetadata":{"orgId":"8cbe9d5a-a066-4c94-8978-4b15efeae968","shortName":"juniper","dateUpdated":"2024-01-02T00:17:56.689Z"},"descriptions":[{"lang":"en","value":"Insufficient validation of environment variables in the telnet client supplied in Junos OS can lead to stack-based buffer overflows, which can be exploited to bypass veriexec restrictions on Junos OS. A stack-based overflow is present in the handling of environment variables when connecting via the telnet client to remote telnet servers. This issue only affects the telnet client — accessible from the CLI or shell — in Junos OS. Inbound telnet services are not affected by this issue. This issue affects: Juniper Networks Junos OS: 12.3 versions prior to 12.3R12-S13; 12.3X48 versions prior to 12.3X48-D80; 14.1X53 versions prior to 14.1X53-D130, 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S4; 15.1X49 versions prior to 15.1X49-D170; 15.1X53 versions prior to 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S11, 16.1R7-S4; 16.2 versions prior to 16.2R2-S9; 17.1 versions prior to 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R2-S7, 17.2R3-S1; 17.3 versions prior to 17.3R3-S4; 17.4 versions prior to 17.4R1-S6, 17.4R2-S3, 17.4R3; 18.1 versions prior to 18.1R2-S4, 18.1R3-S3; 18.2 versions prior to 18.2R1-S5, 18.2R2-S2, 18.2R3; 18.2X75 versions prior to 18.2X75-D40; 18.3 versions prior to 18.3R1-S3, 18.3R2; 18.4 versions prior to 18.4R1-S2, 18.4R2."}],"affected":[{"vendor":"Juniper Networks","product":"Junos OS","versions":[{"version":"12.3 versions prior to 12.3R12-S13","status":"affected"},{"version":"12.3X48 versions prior to 12.3X48-D80","status":"affected"},{"version":"14.1X53 versions prior to 14.1X53-D130 and 14.1X53-D49","status":"affected"},{"version":"15.1 versions prior to 15.1F6-S12 and15.1R7-S4","status":"affected"},{"version":"15.1X49 versions prior to 15.1X49-D170","status":"affected"},{"version":"15.1X53 versions prior to 15.1X53-D237 and 15.1X53-D496 and 15.1X53-D591 and 15.1X53-D69","status":"affected"},{"version":"16.1 versions prior to 16.1R3-S11 and 16.1R7-S4","status":"affected"},{"version":"16.2 versions prior to 16.2R2-S9","status":"affected"},{"version":"17.1 versions prior to 17.1R3","status":"affected"},{"version":"17.2 versions prior to 17.2R1-S8 and 17.2R2-S7 and 17.2R3-S1","status":"affected"},{"version":"17.3 versions prior to 17.3R3-S4","status":"affected"},{"version":"17.4 versions prior to 17.4R1-S6 and 17.4R2-S3 and 17.4R3","status":"affected"},{"version":"18.1 versions prior to 18.1R2-S4 and 18.1R3-S3","status":"affected"},{"version":"18.2 versions prior to 18.2R1-S5 and 18.2R2-S2 and 18.2R3","status":"affected"},{"version":"18.2X75 versions prior to 18.2X75-D40","status":"affected"},{"version":"18.3 versions prior to 18.3R1-S3 and 18.3R2","status":"affected"},{"version":"18.4 versions prior to 18.4R1-S2 and 18.4R2","status":"affected"}]}],"references":[{"url":"https://kb.juniper.net/JSA10947"},{"url":"https://www.exploit-db.com/exploits/45982"},{"name":"FreeBSD-SA-19:12","tags":["vendor-advisory"],"url":"https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc"},{"name":"20190724 FreeBSD Security Advisory FreeBSD-SA-19:12.telnet","tags":["mailing-list"],"url":"https://seclists.org/bugtraq/2019/Jul/45"},{"url":"http://packetstormsecurity.com/files/153746/FreeBSD-Security-Advisory-FreeBSD-SA-19-12.telnet.html"},{"name":"[debian-lts-announce] 20221125 [SECURITY] [DLA 3205-1] inetutils security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"},{"name":"[debian-lts-announce] 20231008 [SECURITY] [DLA 3611-1] inetutils security update","tags":["mailing-list"],"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html"}],"credits":[{"lang":"en","value":"Matthew Hickey, Hacker House (https://hacker.house/) who reported this issue on November 12, 2018."}],"metrics":[{"cvssV3_0":{"version":"3.0","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.8,"baseSeverity":"HIGH"}}],"problemTypes":[{"descriptions":[{"type":"CWE","lang":"en","description":"CWE-121 Stack-based Buffer Overflow","cweId":"CWE-121"}]}],"x_generator":{"engine":"Vulnogram 0.0.6"},"source":{"advisory":"JSA10947","defect":["1409847"],"discovery":"EXTERNAL"},"workarounds":[{"lang":"en","value":"Since this issue is specific to outbound connections to a malicious host from the local telnet client, mitigation includes:\n* limit access to the Junos CLI and shell from only from trusted administrators\n* block outbound telnet connections\n* deny access to the telnet command and shell per user or user class"}],"exploits":[{"lang":"en","value":"Juniper SIRT is not aware of any malicious exploitation of this vulnerability."}],"solutions":[{"lang":"en","value":"The following software releases have been updated to resolve this specific issue: 12.3R12-S13, 12.3X48-D80, 12.3X48-D85, 14.1X53-D130, 14.1X53-D49, 15.1F6-S12, 15.1R7-S4, 15.1X49-D170, 15.1X53-D237, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69, 16.1R3-S11, 16.1R7-S4, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3-S1, 17.3R3-S4, 17.4R1-S6, 17.4R2-S3, 17.4R3, 18.1R2-S4, 18.1R3-S3, 18.2R1-S5, 18.2R2-S2, 18.2R3, 18.2X75-D40, 18.3R1-S3, 18.3R2, 18.4R1-S2, 18.4R2, 19.1R1, and all subsequent releases."}]},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T17:37:07.225Z"},"title":"CVE Program Container","references":[{"url":"https://kb.juniper.net/JSA10947","tags":["x_transferred"]},{"url":"https://www.exploit-db.com/exploits/45982","tags":["x_transferred"]},{"name":"FreeBSD-SA-19:12","tags":["vendor-advisory","x_transferred"],"url":"https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc"},{"name":"20190724 FreeBSD Security Advisory FreeBSD-SA-19:12.telnet","tags":["mailing-list","x_transferred"],"url":"https://seclists.org/bugtraq/2019/Jul/45"},{"url":"http://packetstormsecurity.com/files/153746/FreeBSD-Security-Advisory-FreeBSD-SA-19-12.telnet.html","tags":["x_transferred"]},{"name":"[debian-lts-announce] 20221125 [SECURITY] [DLA 3205-1] inetutils security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2022/11/msg00033.html"},{"name":"[debian-lts-announce] 20231008 [SECURITY] [DLA 3611-1] inetutils security update","tags":["mailing-list","x_transferred"],"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00013.html","tags":["x_transferred"]}]}]}}