CVE-2015-3006

Published: Feb 28, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability.

Affected (14)

Products: Juniper: Junos

Juniper

1 product

Junos

Configuration A

14 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Juniper Junos	Version 12.2x50 d10
Juniper Junos	Version 12.2x50 d20
Juniper Junos	Version 12.2x50 d41.1
Juniper Junos	Version 12.2x50 d42.1
Juniper Junos	Version 12.2x50 d56.1
Juniper Junos	Version 13.1x50 d10
Juniper Junos	Version 13.1x50 d25
Juniper Junos	Version 13.2x51 d15
Juniper Junos	Version 13.2x51 d20.2
Juniper Junos	Version 13.2x51 d20
Juniper Junos	Version 13.2x51 d21
Juniper Junos	Version 13.2x52 d10
Juniper Junos	Version 13.2x52 d5
Juniper Junos	Version 14.1x53

Running on/with	Platform Versions
Juniper Qfx3500	All versions
Juniper Qfx3600	All versions

Related CWEs

CWE-331

Insufficient Entropy

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

References (2)

https://kb.juniper.net/JSA10678

Source: cve@mitre.org

Vendor Advisory

https://kb.juniper.net/JSA10678

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.