Juniper warns: Borked upgrade opens root on firewalls
Turn it off and turn it back on again. No, really
Juniper is warning users of its SRX firewalls that a borked upgrade leaves a root-level account open to the world.
Any users who issued the "
request system software" command with the "
partition" option are affected by the bug.
In its first advisory for 2017, the Gin Palace explains the failed upgrade “can leave the system in a state where root CLI login is allowed without a password”. It applies to any system upgraded from Junos OS prior to 12.1X46-D65.
When the upgrade failed, the system reverted to a “safe mode” designed to make sure a sysadmin can get into the system to fix it – but in that mode, the only login available is root without a password. Other previously-valid authentication credentials are wiped.
You may want to take a deep breath before reading the next bit: “Upgrading from an affected release to a fixed release will not resolve this issue.”
The good news: “the symptoms are immediately obvious after an affected upgrade and may be remediated by rebooting the device post-upgrade”.
In other words, try turning it off, and turning it back on again. ®