漏洞标题
Junos OS: SRX Series: 如果启用了无同步检查,则被归类为未知流量的流量会通过预 id 默认策略被允许。
漏洞描述信息
Junos OS:SRX 系列:如果启用了 no-syn-check,则将允许分类为 UNKNOWN 的流量通过 pre-id-default-policy。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N
漏洞类别
N/A
漏洞标题
Junos OS: SRX Series: If no-syn-check is enabled, traffic classified as UNKNOWN gets permitted by pre-id-default-policy
漏洞描述信息
A traffic classification vulnerability in Juniper Networks Junos OS on the SRX Series Services Gateways may allow an attacker to bypass Juniper Deep Packet Inspection (JDPI) rules and access unauthorized networks or resources, when 'no-syn-check' is enabled on the device. While JDPI correctly classifies out-of-state asymmetric TCP flows as the dynamic-application UNKNOWN, this classification is not provided to the policy module properly and hence traffic continues to use the pre-id-default-policy, which is more permissive, causing the firewall to allow traffic to be forwarded that should have been denied. This issue only occurs when 'set security flow tcp-session no-syn-check' is configured on the device. This issue affects Juniper Networks Junos OS on SRX Series: 18.4 versions prior to 18.4R2-S10, 18.4R3-S10; 19.1 versions prior to 19.1R3-S8; 19.2 versions prior to 19.2R1-S8, 19.2R3-S4; 19.3 versions prior to 19.3R3-S3; 19.4 versions prior to 19.4R3-S5; 20.1 versions prior to 20.1R3-S1; 20.2 versions prior to 20.2R3-S2; 20.3 versions prior to 20.3R3-S1; 20.4 versions prior to 20.4R2-S2, 20.4R3; 21.1 versions prior to 21.1R2-S2, 21.1R3; 21.2 versions prior to 21.2R2. This issue does not affect Juniper Networks Junos OS versions prior to 18.4R1.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
漏洞类别
授权机制不正确
漏洞标题
Juniper Networks Junos OS 安全特征问题漏洞
漏洞描述信息
Juniper Networks Junos OS是美国瞻博网络(Juniper Networks)公司的一套专用于该公司的硬件设备的网络操作系统。该操作系统提供了安全编程接口和Junos SDK。 Juniper Networks Junos OS 存在安全特征问题漏洞,该漏洞是由于在设备上启用no-syn-check时 SRX 系列服务网关上的流量分类问题而存在的。虽然 JDPI 正确地将状态外非对称 TCP 流分类为动态应用程序 UNKNOWN,但此分类未正确提供给策略模块,因此流量继续使用更宽松的
CVSS信息
N/A
漏洞类别
授权问题