Juniper Junos OS Pre-Auth RCE (JSA72300)

#TRUSTED 5392abdb5acc5dea5d829c9ad1d3979d8a145bcddef4e018aae7a90c84d6b61c18bca64e5b5c84c0ac6405832b4fe67f14ad0995dd8580385e60075a50a59b646e9fdae43a54eef7ab5048e49bb568820a52731cf5b7b5de9ac30efe85ca2a86621f3bd065e5ff760fb1180a4369687690c8b327d2a6807c882dba4836c8b5cf35f8520d96313dd5750a328b07c4c91e5b85895b08f10e671d417e5568072fdc769393386a9f12cb7dc35f2d876839f0d4797a3e9fc65da9b7231583036f08276a8019d69914f38df6de06aa8b8e6904cbcdc251570396a8285df69643bb3fa58059c7729cce3fd10f7bdf1ed12741eda4d580d5b6b3687ea5984ffe1edfb23ac0a5de134272431bae52dedb4a2eb11ff2e85c08547ced50456d1c08cecdbad0fd72afcb9f4b0a24845bfd14cc25384d3f033d842bdbe3f322408aa82abee2929dcfd203e6af628868bc3ce368ea888cafb0519a2580f17d4725961cccd4217309c688b39be8420b4e04eae19e4eb89f57aeb3453113b7edb1f110a837c78b213727de2bff0e204ac192409d02ab366d6c5d199132811ca2dd6b4f33305e722051cf530e34524562fbf279cab9a3608a63a870bc434cf17f4c56acebe8e7d6c8ee6fa3236074ca307b3f72c8046fc93f9ee0bce6b13db04f0c2e6a9b503b4ed0d645504cc5ecd4fd188996e43b250dc06404a5905d49e7a5b5409653668dd554
#TRUST-RSA-SHA256 a04fff613559d92636eb29ca02843953275f83643d780c95e4719a577e8ac71ccd2c04f5a4d50526e8d34ca913bb4c83ed45369b9953646a1340d9d87238529673bdd96b2505bd98694f614152af97a267da51df6f87635bcefce69dadb0d01c17660f2433116be6861356cc4bc68d12f13a80b5a4d1c12337b24e0c402fb6f8854eb13d9357dc7febebd9be909d86fe02628d5b0f958b8c9d0315aa386ab409e80d5335b3f4441e9d712ec83962321d9a323a1b4e85edf6f562020b7a7596d432396d35fb5a8d40359df769a0b8abaa61213f8c7234a6155bc023d626f6db7939f2203ed58bcd4b935c2b90c0f34355a103efbca03302ba268171fd1564e79320bc83c54595077b40e7e35199a82a51561b86fa6b91c8a8e6d03ac14e318167c7bac260f3d8094f692c9ba0d521762410062917585ecb772bc1a9277229fc67ac105ab4ccad22ad6af0732b1a1077139c086750ca480caf39f355ee06d185c0a4a18b5002f39c890f9679070420562e84d555879238a291178301b67e54ee8432d74dab990a4409e5a9f9e6592318e0e376629adb4b006f1ddd570fceb7fcd0bc4ce54fba8246b493a4ba058e220d25f39e170589d6ccefa66a41fa921085b47dcc3b6e6098f1dc1654805f8b668f9adcc07458296a1e93fbe001332e7a875c874ee1ec7c1fc3ca35850f6c4043a4a5f24a1f104dbd37f2931eebe8babad63e
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(180190);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/25");

  script_cve_id(
    "CVE-2023-36844",
    "CVE-2023-36845",
    "CVE-2023-36846",
    "CVE-2023-36847",
    "CVE-2023-36851"
  );
  script_xref(name:"JSA", value:"JSA72300");
  script_xref(name:"CEA-ID", value:"CEA-2023-0042");
  script_xref(name:"IAVA", value:"2023-A-0465");
  script_xref(name:"IAVA", value:"2023-A-0433-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/11/17");

  script_name(english:"Juniper Junos OS Pre-Auth RCE (JSA72300)");

  script_set_attribute(attribute:"synopsis", value:
"The remote device is missing a vendor-supplied security patch.");
  script_set_attribute(attribute:"description", value:
"The version of Junos OS installed on the remote host is affected by multiple vulnerabilities as referenced in the
JSA72300 advisory.

  - A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX and SRX Series
    allows an unauthenticated, network-based attacker to control certain, important environments variables.
    Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to
    partial loss of integrity, which may allow chaining to other vulnerabilities. (CVE-2023-36844, CVE-2023-36845)

  - A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX and SRX Series
    allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity.
    With a specific request that doesn't require authentication an attacker is able to upload arbitrary files
    via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining
    to other vulnerabilities. (CVE-2023-36846, CVE-2023-36847)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?752ef07a");
  # https://juniper.lightning.force.com/articles/Knowledge/Overview-of-the-Juniper-Networks-SIRT-Quarterly-Security-Bulletin-Publication-Process
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?00a9cacd");
  # https://juniper.lightning.force.com/articles/Knowledge/In-which-releases-are-vulnerabilities-fixed
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?812ee185");
  # https://juniper.lightning.force.com/articles/Knowledge/Common-Vulnerability-Scoring-System-CVSS-and-Juniper-s-Security-Advisories
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d0ab70e2");
  script_set_attribute(attribute:"solution", value:
"Apply the relevant Junos software release referenced in Juniper advisory JSA72300");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-36845");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Junos OS PHPRC Environment Variable Manipulation RCE');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/25");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:juniper:junos");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Junos Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("junos_version.nasl");
  script_require_keys("Host/Juniper/JUNOS/Version", "Host/Juniper/model");

  exit(0);
}

include('junos.inc');

var model = get_kb_item_or_exit('Host/Juniper/model');
if (model !~ "^(EX|SRX)")
{
  audit(AUDIT_DEVICE_NOT_VULN, model);
}

var ver = get_kb_item_or_exit('Host/Juniper/JUNOS/Version');

var vuln_ranges = [
  {'min_ver':'0.0', 'fixed_ver':'20.4R3-S8'},
  {'min_ver':'21.1', 'fixed_ver':'21.2R3-S6'},
  {'min_ver':'21.3', 'fixed_ver':'21.3R3-S5'},
  {'min_ver':'21.4', 'fixed_ver':'21.4R3-S4', 'model':'^EX'},
  {'min_ver':'21.4', 'fixed_ver':'21.4R3-S5', 'model':'^SRX'},
  {'min_ver':'22.1', 'fixed_ver':'22.1R3-S3'},
  {'min_ver':'22.2', 'fixed_ver':'22.2R3-S1', 'model':'^EX'},
  {'min_ver':'22.2', 'fixed_ver':'22.2R3-S2', 'model':'^SRX'},
  {'min_ver':'22.3', 'fixed_ver':'22.3R2-S2', 'fixed_display':'22.3R2-S2, 22.3R3'},
  {'min_ver':'22.4', 'fixed_ver':'22.4R2-S1', 'fixed_display':'22.4R2-S1, 22.4R3'}
];

var fix = junos_compare_range(target_version:ver, vuln_ranges:vuln_ranges);
if (empty_or_null(fix)) audit(AUDIT_INST_VER_NOT_VULN, 'Junos OS', ver);
var report = get_report(ver:ver, fix:fix);
security_report_v4(severity:SECURITY_HOLE, port:0, extra:report);