Network admins with Juniper PTX series routers in their environments are being warned to patch immediately, because a newly discovered critical vulnerability could allow an unauthenticated attacker to run code with root privileges on the devices.

The hole is “especially dangerous, because these devices often sit in the middle of the network, not on the fringes,” said Piyush Sharma, CEO of Tuskira. “If an attacker gains control of a PTX, the impact is bigger than a single device compromise because it can become a traffic vantage point and a control point at the same time. This opens the door to the stealthy interception of data flows, controller redirected traffic, or easy pivots into adjacent networks.”

The issue affects PTX routers running all versions of the Junos OS Evolved operating system earlier than 25.4R1-S1-EVO and 25.4R2-EVO. The standard (non-Evolved) Junos OS is not affected.

In a notice, Juniper said it is not aware of any malicious exploitation of the vulnerability, which was found during internal product security testing or research.

The PTX line is a series of modular high performance core routers powered by HPE Juniper Networks’ latest generation of custom Express family ASICs and optimized for 400G and 800G migrations. They offer native 400G and 800G inline MACsec, deep buffering and flexible filtering. The company says they are built for longevity in demanding WAN (wide area network) and data center use cases and deployment scenarios, including core, peering, data center interconnect, data center edge, metro aggregation, and AI data center networking.

In its notice, Juniper says an Incorrect Permission Assignment for Critical Resource weakness (CWE-732) in the operating system’s On-Box Anomaly detection framework allows an unauthenticated, network-based attacker to execute code as root. The framework is enabled by default, so unpatched devices are affected in their default configuration.

“The On-Box Anomaly detection framework should only be reachable by other internal processes over the internal routing instance, but not over an externally exposed port,” the alert adds. “With the ability to access and manipulate the service to execute code as root, a remote attacker can take complete control of the device.”

To resolve the issue, admins should upgrade Junos OS Evolved to 25.4R1-S1-EVO or a later fixed release. Fixed releases 25.4R2-EVO and 26.2R1-EVO are also on the way.

If the update can’t be installed immediately, admins should use access control lists or firewall filters to limit access to the device’s control plane to trusted networks and hosts, which reduces the risk of exploitation. Such filters should only permit explicitly required connections and block all others.
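The following is an added example of that workaround and is not taken from Juniper’s advisory: a Junos firewall filter applied to the loopback interface, which governs traffic destined to the routing engine from any ingress interface. It accepts only the control-plane traffic the router explicitly needs and discards the rest, so the anomaly-detection listener is cut off without having to know which port it uses (the advisory excerpt above does not say). The filter name, prefix lists, addresses and the set of permitted protocols are assumptions to be adapted to your own network.

```junos
/* Added example, not Juniper's own configuration. Names, addresses
   and the permitted-protocol set below are assumptions. */
policy-options {
    /* Hosts allowed to manage the router (assumed addresses). */
    prefix-list MGMT-HOSTS {
        192.0.2.10/32;
        198.51.100.0/26;
    }
    /* Known routing-protocol peers (assumed addresses). */
    prefix-list BGP-PEERS {
        203.0.113.1/32;
        203.0.113.2/32;
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* SSH and NETCONF-over-SSH from trusted management hosts only. */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* BGP sessions only from the peers we actually configure. */
            term allow-bgp {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Return traffic for TCP sessions the router itself opened
               (RADIUS/TACACS+, syslog over TCP and similar). Tighten to
               the specific servers where you can. */
            term allow-established {
                from {
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* Basic ICMP so troubleshooting and path MTU discovery keep working. */
            term allow-icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then accept;
            }
            /* Default deny. The anomaly-detection service is not in any
               accept term, so it is unreachable from outside whatever port
               it listens on. Counting and logging the drops shows both
               probing and any protocol you forgot to permit. */
            term deny-rest {
                then {
                    count PROTECT-RE-DROPS;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The example is deliberately short: a loopback filter sees every packet addressed to the routing engine, so each protocol the router relies on (IS-IS or OSPF, LDP, RSVP, BFD, NTP, DNS, SNMP polling, and so on) needs its own accept term, and IPv6 control traffic needs a matching family inet6 filter. Apply it with commit confirmed (for example commit confirmed 5) so that a mistake that cuts off routing protocols or management rolls back automatically, and watch the PROTECT-RE-DROPS counter and firewall log for legitimate traffic being discarded. Junos OS Evolved places the management Ethernet port in its own routing instance; confirm in the documentation for your release that the lo0 filter covers traffic arriving on that port, or filter it separately.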

Another option is to disable the service outright with the operational-mode command request pfe anomalies disable until the device can be upgraded.

Sharma said Juniper vulnerabilities have attracted a lot of attention from hackers over the years because of the premium positioning the routers give if long-term footholds are established. “As a network operating system, Junos sits at the crossroads of major control points like identity, policy, and traffic, which means a single exploit can scale quickly across valuable networks,” he said. “Additionally, these footholds provide attackers a longer window to find and exploit vulnerable devices, since core network gear is painful to apply patching to due to long downtimes.”

To prevent vulnerabilities such as the current flaw from leading to exploitation, organizations need a defense platform that can continuously monitor for anomalies across networks and alert security teams when malicious behavior is detected, he added.

Disclosure of the vulnerability comes as Juniper’s parent firm HPE prepares to introduce new PTX12000 and PTX10002 router families at next week’s Mobile World Congress. HPE bought Juniper last year.
