CVE-2023-36844

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environment variables.

Using a crafted request an attacker is able to modify

certain PHP environment variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:

• All versions prior to 20.4R3-S9;

• 21.1 versions 21.1R1 and later;

• 21.2 versions prior to 21.2R3-S7;

• 21.3 versions

prior to

21.3R3-S5;

• 21.4 versions

prior to

21.4R3-S5;

• 22.1 versions

prior to

22.1R3-S4;

• 22.2 versions

prior to

22.2R3-S2;

• 22.3 versions

prior to 22.3R3-S1;

• 22.4 versions

prior to

22.4R2-S2, 22.4R3;

• 23.2 versions prior to

23.2R1-S1, 23.2R2.

Recent assessments:

rbowes-r7 at September 21, 2023 10:12pm UTC reported:

The work done by watchTowr and later VulnCheck is super cool, and outlines different great ways to exploit the vulnerability (we based the Rapid7 Analysis on watchTowr’s). Neither of them mention something sorta-important: all the known exploits land you in a super-restrictive BSD jail with no meaningful OS access.

The application running in the jail has access to configure the system, so presumably there’s a path from the jail to the OS, but to my knowledge nobody has done much yet. In our analysis, we showed how you could steal an admin session then change the system’s password, but surely there are better avenues waiting to be found!

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2