2014-03 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Linux Network Connect client local user privilege escalation issue (CVE-2014-2292)
Product Affected: This issue can affect all: SA700, SA2000, SA2500, SA4000, FIPS SA4000, SA4500, FIPS SA4500, SA6000, FIPS SA6000, SA6500, FIPS SA6500, MAG2600, MAG4610, MAG6610, and MAG6611. The affected software releases include IVE OS 7.1, 7.3, 7.4, and 8.0.
Problem: A privilege escalation issue has been found and corrected in the Linux Network Connect client. This issue could allow a non-root user to escalate their access to root privileges on a Network Connect end-user client system. Juniper SIRT is not aware of any malicious exploitation of these vulnerabilities. No other Juniper Networks products or platforms are affected by this issue. This issue has been assigned CVE-2014-2292.
Solution: The issue is fixed in SA/MAG (IVE OS) releases 8.0r2, 7.4r8, 7.3r10, and 7.1r17, and all subsequent releases. KB16765 – “In which releases are vulnerabilities fixed?” describes the releases in which vulnerabilities are fixed, as per our End of Engineering and End of Life support policies.
Workaround: There is no workaround for this issue. You must upgrade to a fixed version of the software.
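An added example, not part of Juniper's bulletin: a Python check that classifies IVE OS version strings from an inventory against the fixed releases listed in the Solution above. The `<major>.<minor>r<release>` string form, the function names and the sample hostnames are assumptions; release numbers are compared numerically so that 7.3r9 is not mistaken for a later release than 7.3r10.

```python
import re

# Fixed release per affected IVE OS train, taken from the Solution paragraph.
FIXED = {(8, 0): 2, (7, 4): 8, (7, 3): 10, (7, 1): 17}

# Assumed version form "<major>.<minor>r<release>", as written in the bulletin.
_VERSION = re.compile(r"^(\d+)\.(\d+)[rR](\d+)$")


def classify(version):
    """Return 'fixed', 'vulnerable' or 'not-listed' for one version string."""
    match = _VERSION.match(version.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, release = (int(part) for part in match.groups())
    fixed_release = FIXED.get((major, minor))
    if fixed_release is None:
        # Train is not named in the bulletin; do not guess its status.
        return "not-listed"
    # Integer comparison: a string comparison would rank "r9" above "r10".
    return "fixed" if release >= fixed_release else "vulnerable"


def audit(inventory):
    """Map each host in {host: version} to a status, flagging bad input."""
    results = {}
    for host, version in inventory.items():
        try:
            results[host] = classify(version)
        except ValueError:
            results[host] = "unparseable"
    return results


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "vpn-a.example": "7.3r9",
    "vpn-b.example": "7.3r10",
    "vpn-c.example": "8.0r1",
    "vpn-d.example": "7.2r4",
    "vpn-e.example": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(host, SAMPLE_INVENTORY[host], status)
```

Hosts reported as `not-listed` or `unparseable` need a manual check against KB16765 rather than being assumed safe.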
CVSS Score: 6.6 (AV:L/AC:M/Au:S/C:C/I:C/A:C)
Acknowledgements: Juniper Networks would like to thank two reporters for independently discovering this issue and bringing it to our attention: Jörg Scheinert from Verizon GCIS Vulnerability Management for the discovery and Thierry Zoller for analysis and coordination, and also Joep Vesseur.