CVE-2023-28971

7.2 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass firewall rules that restrict communication between Test Agents and the Control Center in Juniper Paragon Active Assurance on-prem deployments. When the optional timescaledb container is started, it creates unintended network routes that enable unauthorized communication between Test Agents. Only customers hosting their own on-prem Control Center with timescaledb enabled are affected.

💻 Affected Systems

Products:
  • Juniper Networks Paragon Active Assurance (PAA) (formerly Netrounds)
Versions: All on-prem versions prior to 4.1.2
Operating Systems: Not OS-specific - affects the PAA application deployment
Default Config Vulnerable: ✅ No
Notes: Only affects on-prem deployments with the optional timescaledb feature enabled. SaaS deployments are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could pivot between Test Agents to access restricted internal services, potentially leading to lateral movement, data exfiltration, or disruption of testing operations.

🟠 Likely Case

Unauthorized communication between Test Agents allowing bypass of intended network segmentation and security controls.

🟢 If Mitigated

Limited impact if proper network segmentation and additional firewall rules are in place beyond the vulnerable system's controls.

🌐 Internet-Facing: LOW - This vulnerability primarily affects internal network communications within the PAA deployment.
🏢 Internal Only: HIGH - The bypass of internal firewall rules allows unauthorized communication between Test Agents within the deployment.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - The vulnerability is triggered by starting the timescaledb container, which automatically creates the bypass condition.

Exploitation requires access to the internal network where Test Agents operate and knowledge of the timescaledb feature's impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.2

Vendor Advisory: https://supportportal.juniper.net/JSA70595

Restart Required: Yes

Instructions:

1. Upgrade Paragon Active Assurance Control Center to version 4.1.2 or later.
2. Restart the Control Center services.
3. Verify that the timescaledb container no longer creates unintended network routes.

🔧 Temporary Workarounds

Disable timescaledb container (linux)

Stop and disable the optional timescaledb container to prevent the firewall bypass.

docker stop timescaledb
docker rm timescaledb
systemctl disable timescaledb.service

Implement additional firewall rules (linux)

Add explicit firewall rules to block communication between Test Agents (100.70.0.0/16 range) beyond intended services. Note that the rule below drops all forwarded traffic within that range, so ACCEPT rules for the intended services must be inserted ahead of it, and the rule must be persisted so it survives a reboot.

iptables -A FORWARD -s 100.70.0.0/16 -d 100.70.0.0/16 -j DROP

🧯 If You Can't Patch

  • Disable the timescaledb feature if not required for operations
  • Implement network segmentation and additional firewall rules to restrict Test Agent communications

🔍 How to Verify

Check if Vulnerable:

Check whether the PAA version is prior to 4.1.2 and whether the timescaledb container is running: docker ps | grep timescaledb

Check Version:

Check PAA Control Center version in web interface or application logs

Verify Fix Applied:

Verify PAA version is 4.1.2 or later and test that Test Agents cannot communicate directly with each other beyond intended services.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected network connections between Test Agent IPs (100.70.x.x)
  • Timescaledb container startup logs
  • Firewall rule bypass events

Network Indicators:

  • Unauthorized traffic between 100.70.0.0/16 addresses
  • Test Agents communicating on unexpected ports

SIEM Query:

source_ip IN (100.70.0.0/16) AND dest_ip IN (100.70.0.0/16) AND NOT dest_port IN (allowed_ports)
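The SIEM query above, implemented as standalone detection logic over constructed flow-log lines. This is an added example, not code from the advisory or from Juniper; the key=value flow-log format, the allowed-port set (6800 is a placeholder) and the sample lines are assumptions for illustration.

```python
import ipaddress
import re

# Test Agent address range named in the advisory.
AGENT_NET = ipaddress.ip_network("100.70.0.0/16")

# Destination ports that intended agent-to-agent traffic may use.
# Placeholder value for this example; replace with your deployment's list.
ALLOWED_PORTS = {6800}

# Constructed flow-log format: "src=<ip> dst=<ip> dport=<port>" somewhere on the line.
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return (src, dst, dport) for a flow line, or None if it cannot be parsed."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return src, dst, int(m["dport"])


def is_suspicious(src, dst, dport, allowed=ALLOWED_PORTS):
    """Mirror the SIEM query: both endpoints in the agent range, port not allowed."""
    return src in AGENT_NET and dst in AGENT_NET and dport not in allowed


def find_suspicious_flows(lines, allowed=ALLOWED_PORTS):
    """Return the raw log lines that match the agent-to-agent bypass pattern."""
    hits = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is not None and is_suspicious(*parsed, allowed=allowed):
            hits.append(line.strip())
    return hits


# Constructed sample flow log: one allowed flow, two agent-to-agent flows on
# non-allowed ports, one flow leaving the agent range, and one malformed line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=100.70.1.10 dst=100.70.2.20 dport=6800 proto=tcp
2024-05-01T10:00:02Z src=100.70.1.10 dst=100.70.2.20 dport=22 proto=tcp
2024-05-01T10:00:03Z src=100.70.1.10 dst=10.0.0.5 dport=443 proto=tcp
2024-05-01T10:00:04Z src=100.70.3.7 dst=100.70.1.10 dport=5432 proto=tcp
malformed line without fields
"""

if __name__ == "__main__":
    for hit in find_suspicious_flows(SAMPLE_LOG.splitlines()):
        print("ALERT agent-to-agent flow on non-allowed port:", hit)
```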
