
CVE-2017-10604 : Exploit Details and Defense Strategies

Discover the impact of CVE-2017-10604 on Juniper Networks' Junos OS SRX Series devices. Learn about the vulnerability, affected versions, mitigation steps, and necessary software updates.

Junos OS: SRX Series: Cluster configuration sync failures occur if the root user account is locked out

Understanding CVE-2017-10604

This CVE involves a vulnerability in Juniper Networks' Junos OS affecting SRX Series devices, leading to cluster configuration synchronization failures when the root user account is locked out.

What is CVE-2017-10604?

The vulnerability arises when a device is configured for account lockout: an unauthenticated user who repeatedly attempts to log in as root with incorrect passwords can trigger a lockout of the root account. This issue specifically impacts SRX Series devices operating in cluster configuration mode.

The Impact of CVE-2017-10604

        CVSS Base Score: 5.3 (Medium)
        Attack Vector: Network
        Integrity Impact: Low
        Privileges Required: None
        Scope: Unchanged
        Vulnerability Type: Denial of Service to High Availability Features

Technical Details of CVE-2017-10604

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability allows unauthorized users to trigger a lockout of the root account on SRX Series devices, leading to synchronization errors during cluster operations.

Affected Systems and Versions

        Affected Platforms: SRX Series
        Affected Product: Junos OS
        Vulnerable Versions:
              12.1X46 prior to 12.1X46-D65
              12.3X48 prior to 12.3X48-D45
              15.1X49 prior to 15.1X49-D75

Exploitation Mechanism

Juniper SIRT has not detected any malicious exploitation of this vulnerability.

Mitigation and Prevention

Learn how to mitigate and prevent the CVE-2017-10604 vulnerability.

Immediate Steps to Take

        Monitor and verify the lockout status of the root account using the provided command.
        Block the offending inbound SSH connection attempts that are causing the root account lockout.

Long-Term Security Practices

        Implement access lists or firewall filters to restrict access to trusted administrative hosts, networks, and users.
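As an added illustration, not taken from this page or from Juniper's advisory, the following Junos configuration shows a firewall filter of the kind the practice above describes. It is applied as an input filter on lo0, so it governs traffic destined for the Routing Engine, which is where SSH login attempts against root terminate. The filter name and the 192.0.2.0/24 management prefix are assumptions chosen for the example.

```junos
/* Assumed filter name and management prefix: adjust to the real environment. */
firewall {
    family inet {
        filter protect-re {
            /* Permit SSH only from the trusted management network. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Drop and log every other SSH attempt before it reaches the
               login process, so repeated bad root passwords from untrusted
               sources cannot drive the lockout counter. */
            term deny-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    log;
                    discard;
                }
            }
            /* Kept permissive here for brevity; a production RE filter
               would enumerate the other allowed protocols explicitly. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Discarded attempts appear in the firewall log, which gives a simple way to see who is probing root before the lockout threshold is reached.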

Patching and Updates

        Update to the fixed software releases: 12.1X46-D65, 12.3X48-D45, 15.1X49-D75, and later versions.
        Note that releases newer than 15.1X49 on the top-of-tree branch, Junos OS 17.2R1 and later, already include the fix.
