CVE-2020-1605

HIGH

Junos OS - Unauthenticated Remote Code Execution via Crafted IPv4 JDHCPD Relay Packets

Title source: llm

Description

When a device using Juniper Network's Dynamic Host Configuration Protocol Daemon (JDHCPD) process on Junos OS or Junos OS Evolved which is configured in relay mode it vulnerable to an attacker sending crafted IPv4 packets who may then arbitrarily execute commands as root on the target device. This issue affects IPv4 JDHCPD services. This issue affects: Juniper Networks Junos OS: 15.1 versions prior to 15.1R7-S6; 15.1X49 versions prior to 15.1X49-D200; 15.1X53 versions prior to 15.1X53-D592; 16.1 versions prior to 16.1R7-S6; 16.2 versions prior to 16.2R2-S11; 17.1 versions prior to 17.1R2-S11, 17.1R3-S1; 17.2 versions prior to 17.2R2-S8, 17.2R3-S3; 17.3 versions prior to 17.3R3-S6; 17.4 versions prior to 17.4R2-S7, 17.4R3; 18.1 versions prior to 18.1R3-S8; 18.2 versions prior to 18.2R3-S2; 18.2X75 versions prior to 18.2X75-D60; 18.3 versions prior to 18.3R1-S6, 18.3R2-S2, 18.3R3; 18.4 versions prior to 18.4R1-S5, 18.4R2-S3, 18.4R3; 19.1 versions prior to 19.1R1-S3, 19.1R2; 19.2 versions prior to 19.2R1-S3, 19.2R2*. and All versions prior to 19.3R1 on Junos OS Evolved. This issue do not affect versions of Junos OS prior to 15.1, or JDHCPD operating as a local server in non-relay mode.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://kb.juniper.net/JSA10981

Permissions Required x_refsource_misc

https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1449353

Scores

CVSS v3 8.8

EPSS 0.0021

EPSS Percentile 42.4%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-78 CWE-121

Status published

Products (4)

juniper/junos 15.1 r7 (6 CPE variants)

juniper/junos 15.1x49 d10 (19 CPE variants)

juniper/junos 15.1x53 d20 (21 CPE variants)

juniper/junos 16.1 (4 CPE variants)

Published Jan 15, 2020

Tracked Since Feb 18, 2026