Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) - Nessus
Critical Plugin ID: 80195This page contains detailed information about the Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 80195
Name: Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627)
Filename: juniper_space_jsa10627.nasl
Vulnerability Published: 2010-04-27
This Plugin Published: 2014-12-22
Last Modification Time: 2018-07-12
Plugin Version: 1.9
Plugin Type: local
Plugin Family: Junos Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items [?]: Host/Junos_Space/version
Vulnerability Information
Severity: Critical
Vulnerability Published: 2010-04-27
Patch Published: 2014-05-14
CVE [?]: CVE-2010-0738, CVE-2010-1428, CVE-2010-1429, CVE-2011-5245, CVE-2012-0818, CVE-2012-3143, CVE-2013-1502, CVE-2013-1511, CVE-2013-1532, CVE-2013-1537, CVE-2013-1544, CVE-2013-1557, CVE-2013-1862, CVE-2013-1896, CVE-2013-2375, CVE-2013-2376, CVE-2013-2389, CVE-2013-2391, CVE-2013-2392, CVE-2013-2422, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3808, CVE-2013-3809, CVE-2013-3812, CVE-2013-3839, CVE-2014-3413
CPE [?]: cpe:/a:juniper:junos_space
Exploited by Malware: True
Synopsis
The remote device is affected by multiple vulnerabilities.
Description
According to its self-reported version number, the remote Junos Space version is prior to 13.3R1.8. It is, therefore, affected by multiple vulnerabilities in bundled third party software components :
- Multiple vulnerabilities in RedHat JBoss application server. (CVE-2010-0738, CVE-2010-1428, CVE-2010-1429, CVE-2011-5245, CVE-2012-0818)
- Multiple vulnerabilities in Oracle Java SE JDK. (CVE-2012-3143, CVE-2013-1537, CVE-2013-1557, CVE-2013-2422)
- Multiple vulnerabilities in Oracle MySQL server. (CVE-2013-1502, CVE-2013-1511, CVE-2013-1532, CVE-2013-1544, CVE-2013-2375, CVE-2013-2376, CVE-2013-2389, CVE-2013-2391, CVE-2013-2392, CVE-2013-3783, CVE-2013-3793, CVE-2013-3794, CVE-2013-3801, CVE-2013-3802, CVE-2013-3804, CVE-2013-3805, CVE-2013-3808, CVE-2013-3809, CVE-2013-3812, CVE-2013-3839)
- Multiple vulnerabilities in Apache HTTP Server. (CVE-2013-1862, CVE-2013-1896)
- Known hard-coded MySQL credentials. (CVE-2014-3413)
Solution
Upgrade to Junos Space 13.3R1.8 or later.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, ExploitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) vulnerability:
- Metasploit: exploit/multi/http/jboss_maindeployer
[JBoss JMX Console Deployer Upload and Execute] - Metasploit: auxiliary/admin/http/jboss_bshdeployer
[JBoss JMX Console Beanshell Deployer WAR Upload and Deployment] - Metasploit: exploit/multi/http/jboss_bshdeployer
[JBoss JMX Console Beanshell Deployer WAR Upload and Deployment] - Metasploit: auxiliary/admin/http/jboss_deploymentfilerepository
[JBoss JMX Console DeploymentFileRepository WAR Upload and Deployment] - Metasploit: exploit/multi/http/jboss_deploymentfilerepository
[JBoss Java Class DeploymentFileRepository WAR Deployment] - Metasploit: auxiliary/scanner/http/jboss_status
[JBoss Status Servlet Information Gathering] - Metasploit: auxiliary/scanner/http/jboss_vulnscan
[JBoss Vulnerability Scanner] - Metasploit: auxiliary/scanner/sap/sap_icm_urlscan
[SAP URL Scanner] - Exploit-DB: exploits/multiple/remote/16316.rb
[EDB-16316: JBoss - Java Class DeploymentFileRepository WAR Deployment (Metasploit)] - Exploit-DB: exploits/multiple/remote/16318.rb
[EDB-16318: JBoss JMX - Console Deployer Upload and Execute (Metasploit)] - Exploit-DB: exploits/multiple/remote/16319.rb
[EDB-16319: JBoss JMX - Console Beanshell Deployer WAR Upload and Deployment (Metasploit)] - Exploit-DB: exploits/jsp/webapps/16274.pl
[EDB-16274: JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Command Execution] - Exploit-DB: exploits/jsp/webapps/17924.pl
[EDB-17924: JBoss & JMX Console - Misconfigured Deployment Scanner] - Exploit-DB: exploits/windows/webapps/35982.txt
[EDB-35982: Hewlett-Packard (HP) UCMDB - JMX-Console Authentication Bypass] - GitHub: https://github.com/SexyBeast233/SecBooks
[CVE-2010-0738] - GitHub: https://github.com/fupinglee/JavaTools
[CVE-2010-0738] - GitHub: https://github.com/hatRiot/clusterd
[CVE-2010-0738] - GitHub: https://github.com/qashqao/clusterd
[CVE-2010-0738] - GitHub: https://github.com/JameelNabbo/Jboss4.2XPOC
[CVE-2010-1429] - GitHub: https://github.com/GiJ03/ReconScan
[CVE-2013-1862] - GitHub: https://github.com/RoliSoft/ReconScan
[CVE-2013-1862] - GitHub: https://github.com/issdp/test
[CVE-2013-1862] - GitHub: https://github.com/matoweb/Enumeration-Script
[CVE-2013-1862] - GitHub: https://github.com/vshaliii/DC-1-Vulnhub-Walkthrough
[CVE-2013-1862] - GitHub: https://github.com/GiJ03/ReconScan
[CVE-2013-1896] - GitHub: https://github.com/MrFrozenPepe/Pentest-Cheetsheet
[CVE-2013-1896] - GitHub: https://github.com/RoliSoft/ReconScan
[CVE-2013-1896] - GitHub: https://github.com/issdp/test
[CVE-2013-1896] - GitHub: https://github.com/matoweb/Enumeration-Script
[CVE-2013-1896] - GitHub: https://github.com/vshaliii/DC-1-Vulnhub-Walkthrough
[CVE-2013-1896] - GitHub: https://github.com/ycamper/censys-scripts
[CVE-2013-2392] - GitHub: https://github.com/ChristianPapathanasiou/jboss-autopwn
[CVE-2010-0738: JBoss Autopwn as featured at BlackHat Europe 2010 - this version incorporates ...] - GitHub: https://github.com/gitcollect/jboss-autopwn
[CVE-2010-0738: JBoss Autopwn CVE-2010-0738 JBoss authentication bypass] - ExploitHub: EH-12-132
- Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
| CVSS Base Score: | 10.0 (High) |
| Impact Subscore: | 10.0 |
| Exploitability Subscore: | 10.0 |
| CVSS Temporal Score: | 8.7 (High) |
| CVSS Environmental Score: | NA (None) |
| Modified Impact Subscore: | NA |
| Overall CVSS Score: | 8.7 (High) |
Go back to menu.
Plugin Source
This is the juniper_space_jsa10627.nasl nessus plugin source code. This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(80195);
script_version("1.9");
script_cvs_date("Date: 2018/07/12 19:01:16");
script_cve_id(
"CVE-2010-0738",
"CVE-2010-1428",
"CVE-2010-1429",
"CVE-2011-5245",
"CVE-2012-0818",
"CVE-2012-3143",
"CVE-2013-1502",
"CVE-2013-1511",
"CVE-2013-1532",
"CVE-2013-1537",
"CVE-2013-1544",
"CVE-2013-1557",
"CVE-2013-1862",
"CVE-2013-1896",
"CVE-2013-2375",
"CVE-2013-2376",
"CVE-2013-2389",
"CVE-2013-2391",
"CVE-2013-2392",
"CVE-2013-2422",
"CVE-2013-3783",
"CVE-2013-3793",
"CVE-2013-3794",
"CVE-2013-3801",
"CVE-2013-3802",
"CVE-2013-3804",
"CVE-2013-3805",
"CVE-2013-3808",
"CVE-2013-3809",
"CVE-2013-3812",
"CVE-2013-3839",
"CVE-2014-3413"
);
script_bugtraq_id(
39710,
51748,
51766,
56055,
59170,
59194,
59201,
59207,
59209,
59211,
59224,
59227,
59228,
59229,
59239,
59242,
59826,
61129,
61210,
61222,
61227,
61244,
61249,
61256,
61260,
61264,
61269,
61272,
63109
);
script_xref(name:"TRA", value:"TRA-2014-01");
script_xref(name:"EDB-ID", value:"17924");
script_xref(name:"EDB-ID", value:"16274");
script_xref(name:"EDB-ID", value:"16319");
script_xref(name:"EDB-ID", value:"16316");
script_name(english:"Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627)");
script_summary(english:"Checks the version.");
script_set_attribute(attribute:"synopsis", value:
"The remote device is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version number, the remote Junos Space
version is prior to 13.3R1.8. It is, therefore, affected by multiple
vulnerabilities in bundled third party software components :
- Multiple vulnerabilities in RedHat JBoss application
server. (CVE-2010-0738, CVE-2010-1428, CVE-2010-1429,
CVE-2011-5245, CVE-2012-0818)
- Multiple vulnerabilities in Oracle Java SE JDK.
(CVE-2012-3143, CVE-2013-1537, CVE-2013-1557,
CVE-2013-2422)
- Multiple vulnerabilities in Oracle MySQL server.
(CVE-2013-1502, CVE-2013-1511, CVE-2013-1532,
CVE-2013-1544, CVE-2013-2375, CVE-2013-2376,
CVE-2013-2389, CVE-2013-2391, CVE-2013-2392,
CVE-2013-3783, CVE-2013-3793, CVE-2013-3794,
CVE-2013-3801, CVE-2013-3802, CVE-2013-3804,
CVE-2013-3805, CVE-2013-3808, CVE-2013-3809,
CVE-2013-3812, CVE-2013-3839)
- Multiple vulnerabilities in Apache HTTP Server.
(CVE-2013-1862, CVE-2013-1896)
- Known hard-coded MySQL credentials. (CVE-2014-3413)");
script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2014-01");
script_set_attribute(attribute:"see_also", value:"https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10627");
script_set_attribute(attribute:"solution", value:"Upgrade to Junos Space 13.3R1.8 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-12-132");
script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'JBoss JMX Console Deployer Upload and Execute');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/27");
script_set_attribute(attribute:"patch_publication_date", value:"2014/05/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/12/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:juniper:junos_space");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Junos Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/Junos_Space/version");
exit(0);
}
include("junos.inc");
include("misc_func.inc");
ver = get_kb_item_or_exit('Host/Junos_Space/version');
check_junos_space(ver:ver, fix:'13.3R1.8', severity:SECURITY_HOLE);
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/juniper_space_jsa10627.nasl - Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\juniper_space_jsa10627.nasl - Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/juniper_space_jsa10627.nasl
Go back to menu.
How to Run
Here is how to run the Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Junos Local Security Checks plugin family.
- On the right side table select Juniper Junos Space < 13.3R1.8 Multiple Vulnerabilities (JSA10627) plugin ID 80195.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl juniper_space_jsa10627.nasl -t <IP/HOST>Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a juniper_space_jsa10627.nasl -t <IP/HOST>Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - juniper_space_jsa10627.nasl -t <IP/HOST>Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state juniper_space_jsa10627.nasl -t <IP/HOST>Go back to menu.
References
BID | SecurityFocus Bugtraq ID:
- 39710, 51748, 51766, 56055, 59170, 59194, 59201, 59207, 59209, 59211, 59224, 59227, 59228, 59229, 59239, 59242, 59826, 61129, 61210, 61222, 61227, 61244, 61249, 61256, 61260, 61264, 61269, 61272, 63109
- https://www.tenable.com/plugins/nessus/80195
- https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10627
- https://www.tenable.com/security/research/tra-2014-01
- https://vulners.com/nessus/JUNIPER_SPACE_JSA10627.NASL
- 53337 - JBoss Enterprise Application Platform '/jmx-console' Authentication Bypass
- 72688 - Mac OS X Multiple Vulnerabilities (Security Update 2014-001) (BEAST)
- 72863 - CentOS 6 : mysql55-mysql (CESA-2014:0173)
- 72864 - CentOS 6 : mariadb55-mariadb (CESA-2014:0189)
- 74990 - openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0745-1)
- 74991 - openSUSE Security Update : java-1_6_0-openjdk (openSUSE-SU-2013:0777-1)
- 74999 - openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0964-1)
- 75109 - openSUSE Security Update : apache2 (openSUSE-SU-2013:1337-1)
- 75110 - openSUSE Security Update : apache2 (openSUSE-SU-2013:1340-1)
- 76239 - RHEL 5 / 6 : JBoss Web Server (RHSA-2013:1133)
- 76303 - GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)
- 77326 - Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642)
- 77548 - GLSA-201409-04 : MySQL: Multiple vulnerabilities
- 78975 - RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1455) (BEAST) (ROBOT)
- 78976 - RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1456) (ROBOT)
- 79603 - F5 Networks BIG-IP : Apache vulnerability (SOL15877)
- 80043 - openSUSE Security Update : apache2 (openSUSE-SU-2014:1647-1)
- 80193 - Juniper Junos Space < 13.1R1 MySQL Multiple Vulnerabilities (JSA10601)
- 80585 - Oracle Solaris Third-Party Patch Update : apache (cve_2013_1896_denial_of)
- 83632 - SUSE SLES10 Security Update : apache2 (SUSE-SU-2014:1082-1)
- 84877 - Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685)
- 84878 - Juniper NSM < 2012.2R9 Apache HTTP Server Multiple Vulnerabilities (JSA10685) (credentialed check)
- 89663 - VMware ESX / ESXi NFC and Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0003) (remote check)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file juniper_space_jsa10627.nasl version 1.9. For more plugins, visit the Nessus Plugin Library.
Go back to menu.
