CVE-2019-0022

10.0 CRITICAL

📋 TL;DR

Juniper ATP versions before 5.0.3 contain hard-coded credentials in the Cyphort Core instance, allowing attackers to gain full administrative control of the system. This affects all installations running vulnerable versions, regardless of configuration. The vulnerability is critical due to the complete system compromise it enables.

💻 Affected Systems

Products:
  • Juniper Networks Advanced Threat Prevention (ATP)
Versions: 5.0 versions prior to 5.0.3
Operating Systems: Juniper ATP OS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration settings.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover allowing an attacker to exfiltrate all security data, disable protection, pivot to other systems, and maintain persistent access.

🟠 Likely Case

An attacker gains administrative access to the ATP system, potentially disabling security monitoring and accessing sensitive threat intelligence data.

🟢 If Mitigated

If isolated from the internet and internal networks, impact is limited to the ATP system itself, though this still represents complete compromise of that system.

🌐 Internet-Facing: HIGH - Internet-facing systems can be directly attacked without authentication.
🏢 Internal Only: HIGH - Internal attackers or those who breach perimeter can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Hard-coded credentials make exploitation trivial once discovered. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.3

Vendor Advisory: https://kb.juniper.net/JSA10918

Restart Required: Yes

Instructions:

1. Download Juniper ATP 5.0.3 from the Juniper support portal.
2. Back up the current configuration.
3. Apply the update via the ATP web interface or CLI.
4. Reboot the system as required.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Isolation (all): Isolate the ATP system from all networks except required management interfaces.

Access Control Lists (all): Implement strict network ACLs to limit access to ATP management interfaces.

🧯 If You Can't Patch

  • Immediately isolate the ATP system from all networks
  • Monitor for suspicious authentication attempts and system changes

🔍 How to Verify

Check if Vulnerable:

Check the ATP version via the web interface (System > About) or the CLI command 'show version'.

Check Version:

show version

Verify Fix Applied:

Verify that the version is 5.0.3 or later and check for any unknown administrative accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected administrative logins
  • Configuration changes from unknown users
  • Failed login attempts using common credentials

Network Indicators:

  • Unexpected connections to ATP management interfaces
  • Traffic patterns indicating credential testing

SIEM Query:

source="juniper-atp" AND (event_type="authentication" AND result="success" AND user!="expected_admin")
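The two checks above (version comparison against 5.0.3 and the SIEM query for unexpected successful admin logins) as an added example, not code from the page or from Juniper. The `show version` text, the `key="value"` log format and the user names are constructed for illustration.

```python
import re

FIXED_VERSION = (5, 0, 3)  # first fixed release per JSA10918


def parse_version(text):
    """Return the first dotted x.y.z version found in 'show version' output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no version string found in output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(show_version_output):
    """True when the running release is a 5.0.x build older than 5.0.3.

    Only the 5.0 branch is assessed, matching the advisory's scope;
    other branches return False rather than a guess.
    """
    v = parse_version(show_version_output)
    return v[:2] == (5, 0) and v < FIXED_VERSION


def suspicious_logins(log_lines, expected_admins):
    """Users behind successful ATP authentication events that are not expected admins.

    Mirrors: source="juniper-atp" AND event_type="authentication"
             AND result="success" AND user!="<expected_admin>"
    """
    hits = []
    for line in log_lines:
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))  # constructed key="value" format
        if (fields.get("source") == "juniper-atp"
                and fields.get("event_type") == "authentication"
                and fields.get("result") == "success"
                and fields.get("user") not in expected_admins):
            hits.append(fields["user"])
    return hits


# Constructed sample log lines (not real ATP output).
SAMPLE_LOGS = [
    'source="juniper-atp" event_type="authentication" result="success" user="admin"',
    'source="juniper-atp" event_type="authentication" result="failure" user="root"',
    'source="juniper-atp" event_type="authentication" result="success" user="svc_backup"',
    'source="syslog" event_type="authentication" result="success" user="svc_backup"',
]

if __name__ == "__main__":
    print(is_vulnerable("Juniper ATP version 5.0.2"))          # True
    print(suspicious_logins(SAMPLE_LOGS, {"admin"}))           # ['svc_backup']
```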
