If fewer than the full 64 digits of the connectivity association name (CKN) or the full 32 digits of the connectivity association key (CAK) are configured, all remaining digits are auto-configured to 0. As a result, Juniper devices configured with short MACsec keys face an increased likelihood that an attacker will discover the secret passphrases configured for these keys through dictionary-based and brute-force attacks using spoofed packets. Affected releases are Juniper Networks Junos OS: 14.1 versions prior to 14.1R10, 14.1R9; 14.1X53 versions prior to 14.1X53-D47; 15.1 versions prior to 15.1R4-S9, 15.1R6-S6, 15.1R7; 15.1X49 versions prior to 15.1X49-D100; 15.1X53 versions prior to 15.1X53-D59; 16.1 versions prior to 16.1R3-S8, 16.1R4-S8, 16.1R5; 16.2 versions prior to 16.2R1-S6, 16.2R2; 17.1 versions prior to 17.1R2.
Published 2018-04-11 19:29:01
Updated 2019-10-09 23:31:00

Exploit prediction scoring system (EPSS) score for CVE-2018-0021

EPSS score: 0.07% (probability of exploitation activity in the next 30 days)
Percentile: ~ 30 % (the proportion of vulnerabilities that are scored at or less)

CVSS scores for CVE-2018-0021

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 3.3 | LOW | AV:A/AC:L/Au:N/C:P/I:N/A:N | 6.5 | 2.9 | NIST | |
| 8.8 | HIGH | CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
| 8.8 | HIGH | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 2.1 | 6.0 | Juniper Networks, Inc. | |

References for CVE-2018-0021

  • https://kb.juniper.net/JSA10854
    Juniper Networks - 2018-04 Security Bulletin: Junos OS: Short MacSec keys may allow man-in-the-middle attacks. (CVE-2018-0021)
    Vendor Advisory
  • http://www.securitytracker.com/id/1040789
    Juniper Junos Short MacSec Key Weakness May Let Remote Users Conduct Man-in-the-Middle Attacks to Recover Key Passphrases - SecurityTracker
    Third Party Advisory;VDB Entry

Products affected by CVE-2018-0021
