Tuesday, April 28, 2015

Junos Space Network Management Platform Vulnerabilities

Last year I spent some time looking for bugs in the Juniper Junos Space Network Management Platform. I discovered the following security issues:
  • XSS in the event viewer by sending specially crafted syslog traffic log messages
  • XSS contained in SSL certificates
  • XSS in the integrated OpenNMS network monitoring tool by sending specially crafted SNMP traps (varbinding OID values are not properly escaped)
  • XSS in OpenNMS by spoofing SNMP get responses, for example a hostname containing HTML
  • Command injection using the backup functionality
  • Junos Space manages its devices (routers, switches, firewalls) using SSH. However, it does not verify SSH host keys, allowing MITM exploits.
The OpenNMS issues were also reported to OpenNMS:

I reported these issues to Juniper SIRT in September last year. Only one of them (SSL cert XSS) is fixed in the current release (14.1R2).
There are many more security issues which need to be addressed, however Juniper decided to spend its budget on different things.
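
The missing SSH host key verification listed above, shown from the defensive side as an added example (not code from this post or from Junos Space): a management client pins each device's host key at enrollment and refuses to log in when the presented key is unknown or has changed. The host names, addresses and key bytes are constructed, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_pins(known_hosts_text: str) -> dict:
    """Parse plain known_hosts lines: 'host[,host...] keytype base64key'."""
    pins = {}
    for line in known_hosts_text.splitlines():
        line = line.strip()
        # Comments, @markers and hashed host names are skipped in this example.
        if not line or line[0] in "#@|":
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):
            pins.setdefault(host, set()).add((keytype, fingerprint(base64.b64decode(b64))))
    return pins

def check_host_key(pins: dict, host: str, keytype: str, presented_blob: bytes) -> str:
    """Return 'ok', 'unknown-host' or 'mismatch'; only 'ok' may continue to login."""
    known = pins.get(host)
    if not known:
        return "unknown-host"      # never enrolled: do not silently trust on first use
    presented = fingerprint(presented_blob)
    for pinned_type, pinned_fp in known:
        if pinned_type == keytype and hmac.compare_digest(pinned_fp, presented):
            return "ok"
    return "mismatch"              # key changed: possible MITM, abort and alert

# Constructed sample data (not real keys): blobs shaped like ssh-ed25519 public keys.
PREFIX = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
ENROLLED_KEY = PREFIX + bytes(range(32))
OTHER_KEY = PREFIX + bytes(range(1, 33))
KNOWN_HOSTS = "# constructed\nrouter1.example.net,192.0.2.10 ssh-ed25519 " + \
    base64.b64encode(ENROLLED_KEY).decode() + "\n"

if __name__ == "__main__":
    pins = load_pins(KNOWN_HOSTS)
    for blob in (ENROLLED_KEY, OTHER_KEY):
        print(check_host_key(pins, "router1.example.net", "ssh-ed25519", blob))
    print(check_host_key(pins, "fw9.example.net", "ssh-ed25519", ENROLLED_KEY))
```

Credentials and configuration should only be sent after the check returns `ok`; both other outcomes are worth logging as security events.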
