LiveActive security incident?Get immediate response
CVE Record

CVE-2015-3006: Junos: QFX Series: Insufficient entropy on QFX3500 and QFX3600 platforms when the system boots up

On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Some Juniper QFX3500 and QFX3600 switches could start with too little randomness, causing SSH keys or self-signed TLS certificates generated right after boot to be weak or duplicated. That can undermine device identity and encrypted management trust. The source says only these two switch platforms are affected.

Executive priority

Treat as a targeted network infrastructure trust issue, not a broad emergency. Prioritize if QFX3500 or QFX3600 switches remain in use, especially in management networks where device identity and encrypted administration are relied on.

Technical view

CVE-2015-3006 is an insufficient boot-time entropy issue in Junos on QFX3500 and QFX3600. The RANDOM_INTERRUPT entropy source collects too few bytes during boot, so immediately generated SSH keys or self-signed SSL/TLS certificates may be weak or duplicate. Entropy improves after runtime. CVSS 3.1 is 6.5, with high confidentiality impact.

Likely exposure

Exposure is limited to Juniper QFX3500 and QFX3600 switches, especially where SSH host keys or self-signed SSL/TLS certificates were generated immediately after boot. The source states no other Juniper products or platforms are affected.

Exploitation context

The bundle does not cite active exploitation, and KEV status is false. Practical risk depends on whether affected devices created weak or duplicate cryptographic material during low-entropy boot conditions. The CVSS vector indicates network reachability, low privileges, no user interaction, and high confidentiality impact.

Researcher notes

Evidence is narrow but clear: affected scope is QFX3500 and QFX3600 only, tied to low boot-time entropy and cryptographic material generated immediately after boot. The provided bundle does not include patch versions, exploit reports, or detailed vendor remediation steps.

Mitigation direction

  • Review Juniper JSA10678 for official fixed-release or remediation guidance.
  • Inventory QFX3500 and QFX3600 switches running Junos in the environment.
  • Identify keys or self-signed certificates generated immediately after boot.
  • Plan vendor-approved replacement of suspect SSH keys and self-signed certificates.
  • Confirm no unsupported assumptions are applied to other Juniper platforms.

Validation and detection

  • Confirm whether any QFX3500 or QFX3600 devices are deployed.
  • Check device records for key or certificate generation soon after boot.
  • Look for duplicate SSH host keys across affected switches.
  • Review self-signed certificates for unexpected reuse across devices.
  • Verify remediation decisions against Juniper JSA10678.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2015-3006 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N2.83.6Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2015-3006Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.