Lucene search

K
attackerkbAttackerKBAKB:0B2DEA82-5AC6-4D26-AC77-81A86FFE9F73
HistorySep 06, 2023 - 12:00 a.m.

CVE-2023-36844

2023-09-0600:00:00
attackerkb.com
39
juniper networks
junos os
unauthenticated attacker
php
environment variables
integrity loss
vulnerability chaining
security advisory
cve-2023-36844
ex series
network-based attack
vulnerability exploitation
versions affected
remote code execution
bsd jail
admin session theft

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.967 High

EPSS

Percentile

99.6%

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables.

Utilizing a crafted request an attacker is able to modify

certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
This issue affects Juniper Networks Junos OS on EX Series:

  • All versions prior to 20.4R3-S9;

  • 21.2 versions prior to 21.2R3-S6;

  • 21.3 versions

prior to

21.3R3-S5;

  • 21.4 versions

prior to

21.4R3-S5;

  • 22.1 versions

prior to

22.1R3-S4;

  • 22.2 versions

prior to

22.2R3-S2;

  • 22.3 versions

prior to 22.3R3-S1;

  • 22.4 versions

prior to

22.4R2-S2, 22.4R3.

Recent assessments:

rbowes-r7 at September 21, 2023 10:12pm UTC reported:

The work done by watchTowr and later VulnCheck is super cool, and outlines different great ways to exploit the vulnerability (we based the Rapid7 Analysis on watchTowr’s). Neither of them mention something sorta-important: all the known exploits land you in a super-restrictive BSD jail with no meaningful OS access.

The application running in the jail has access to configure the system, so presumably there’s a path from the jail to the OS, but to my knowledge nobody has done much yet. In our analysis, we showed how you could steal an admin session then change the system’s password, but surely there are better avenues waiting to be found!

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 2

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.967 High

EPSS

Percentile

99.6%