CVE-2023-28960
📋 TL;DR
This CVE allows a local authenticated low-privileged attacker to copy malicious files into existing Docker containers on Juniper Junos OS Evolved systems. When an administrator later starts the container, the files execute with root privileges. Only affects systems with Docker enabled, which is not the default configuration.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full root compromise of the system through malicious code execution in Docker containers, potentially leading to complete system takeover, data exfiltration, or lateral movement.
Likely Case
Privilege escalation from low-privileged user to root within Docker containers, enabling container breakout and host system compromise.
If Mitigated
Limited impact with proper access controls, container isolation, and monitoring in place.
🎯 Exploit Status
Exploitation requires local authenticated access with low privileges; Docker must be enabled, and the attacker must wait for an administrator to start the modified container.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.4R3-S5-EVO, 21.2R3-EVO, 21.3R3-EVO, 21.4R2-EVO or later
Vendor Advisory: https://supportportal.juniper.net/JSA70585
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Upgrade to a patched version using Juniper's standard upgrade procedures.
3. Reboot the system after the upgrade.
🔧 Temporary Workarounds
Disable Docker
Disable the Docker service if it is not required for operations:
set system services docker disable
commit
Restrict Docker Access
Limit which users can access Docker containers and commands:
Configure user permissions via Junos CLI to restrict Docker access
🧯 If You Can't Patch
- Disable Docker service if not required for operations
- Implement strict access controls to limit which users can interact with Docker containers
🔍 How to Verify
Check if Vulnerable:
Check whether Docker is enabled with 'show configuration system services docker', then check the running version with 'show version'.
Check Version:
show version
Verify Fix Applied:
Confirm with 'show version' that the running release is one of the patched releases (or later on the same train), and confirm that Docker is either disabled or running on a patched release.
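The version check above is easy to get wrong by hand because Junos OS Evolved releases are compared per release train (20.4, 21.2, ...) and within a train by release (R) and service release (S) number. The following script is an added example, not part of the page or any Juniper tooling: it parses an EVO version string taken from 'show version' output and compares it against the fixed releases listed in the Official Fix section. The version-string pattern (major.minor R release, optional -S service release, -EVO suffix) and the sample output line are assumptions constructed for the example; trains not named on the page are reported as unknown rather than guessed, so the operator can consult the vendor advisory for them.

```python
import re

# Minimum fixed releases named in the Official Fix section, keyed by release
# train (major, minor). The value is (release, service) where service=0 means
# the release carries no "-Sn" suffix.
FIXED_BY_TRAIN = {
    (20, 4): (3, 5),   # 20.4R3-S5-EVO
    (21, 2): (3, 0),   # 21.2R3-EVO
    (21, 3): (3, 0),   # 21.3R3-EVO
    (21, 4): (2, 0),   # 21.4R2-EVO
}

# Assumed shape of a Junos OS Evolved version string, e.g. 21.4R1-S2-EVO.
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+))?-EVO\b")

# Constructed sample of what an operator might paste from 'show version';
# the exact layout of real output is not taken from the page.
SAMPLE_SHOW_VERSION = "Junos: 21.4R1-S2-EVO"


def parse_evo_version(text):
    """Return ((major, minor), (release, service)) for the first EVO version
    found in text, or None when no version string is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    major, minor, release, service = match.groups()
    return (int(major), int(minor)), (int(release), int(service) if service else 0)


def assess_version(text):
    """Classify a version string (or show version output) against FIXED_BY_TRAIN.

    Returns 'patched', 'vulnerable', 'unknown-train' (train not listed on the
    page, consult the advisory) or 'unparsed' (no EVO version found)."""
    parsed = parse_evo_version(text)
    if parsed is None:
        return "unparsed"
    train, release_service = parsed
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        return "unknown-train"
    # Tuple comparison orders by release first, then service release, which is
    # exactly how "20.4R3-S5 or later" is meant within a train.
    return "patched" if release_service >= fixed else "vulnerable"


def needs_action(version_text, docker_enabled):
    """Combine both checks from the How to Verify section: a system needs
    attention only when Docker is enabled AND the release is not known-fixed."""
    if not docker_enabled:
        return False
    return assess_version(version_text) != "patched"


if __name__ == "__main__":
    print(SAMPLE_SHOW_VERSION, "->", assess_version(SAMPLE_SHOW_VERSION))
    print("needs action with Docker enabled:", needs_action(SAMPLE_SHOW_VERSION, True))
```

A train that is not in the table returns 'unknown-train' on purpose: treating every newer train as fixed would silently hide a mistake in the table, and the advisory is the authority for trains the page does not list.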
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file copy operations to Docker containers
- Unexpected container starts by administrators
- Suspicious activity from low-privileged users accessing Docker
Network Indicators:
- None - local exploit only
SIEM Query:
Search for Docker container modification events followed by container start events from different user accounts
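The SIEM logic above (a container modification followed by a container start from a different account) can be expressed as a small correlation routine. The script below is an added example, not a query from the page or a Juniper product: it reads constructed JSON-lines events, so the field names (ts, user, role, action, container) and the action values container_modify / container_start are assumptions standing in for whatever the real log source provides, and flags each container start that was preceded, within a configurable window, by a modification from a different user. Because the attacker in this CVE may wait days for an administrator to start the container, the default window is deliberately generous.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (NOT a Junos or Docker log format), one JSON
# object per line. Timestamps are intentionally out of order to show that the
# correlator sorts before matching.
SAMPLE_EVENTS = """\
{"ts": "2024-01-10T09:00:00", "user": "ops-user", "role": "operator", "action": "container_modify", "container": "telemetry"}
{"ts": "2024-01-10T09:05:00", "user": "admin", "role": "super-user", "action": "container_start", "container": "telemetry"}
{"ts": "2024-01-10T10:00:00", "user": "admin", "role": "super-user", "action": "container_modify", "container": "monitor"}
{"ts": "2024-01-10T10:01:00", "user": "admin", "role": "super-user", "action": "container_start", "container": "monitor"}
{"ts": "2024-01-08T08:00:00", "user": "ops-user", "role": "operator", "action": "container_modify", "container": "legacy"}
{"ts": "2024-01-10T11:00:00", "user": "admin", "role": "super-user", "action": "container_start", "container": "legacy"}
{"ts": "2023-12-01T08:00:00", "user": "ops-user", "role": "operator", "action": "container_modify", "container": "archive"}
{"ts": "2024-01-10T12:00:00", "user": "admin", "role": "super-user", "action": "container_start", "container": "archive"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def correlate_modify_then_start(events, window=timedelta(days=7)):
    """Flag container_start events preceded within `window` by a
    container_modify on the same container from a different user account.

    Returns a list of alert dicts in the order the starts were observed."""
    alerts = []
    pending = {}  # container -> modify events not yet consumed by a start
    for event in events:
        container = event["container"]
        if event["action"] == "container_modify":
            pending.setdefault(container, []).append(event)
        elif event["action"] == "container_start":
            for mod in pending.get(container, []):
                delay = event["ts"] - mod["ts"]
                if delay <= window and mod["user"] != event["user"]:
                    alerts.append({
                        "container": container,
                        "modified_by": mod["user"],
                        "modifier_role": mod["role"],
                        "started_by": event["user"],
                        "delay_seconds": int(delay.total_seconds()),
                    })
            # A start executes whatever was staged, so earlier modifications
            # are consumed and do not re-alert on the next restart.
            pending[container] = []
    return alerts


def run_sample():
    """Run the correlator over the constructed sample and return its alerts."""
    return correlate_modify_then_start(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, 'telemetry' and 'legacy' are flagged (modified by ops-user, started by admin), 'monitor' is not because the same account did both, and 'archive' is not because the modification falls outside the seven-day window. The 'modifier_role' field is carried into the alert so that a triage rule can prioritise modifications made by non-administrative accounts, which is the population this CVE concerns.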