Aug 19, 2023 - 7:38 a.m.

New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now

2023-08-19 07:38:00
The Hacker News
thehackernews.com
juniper networks
j-web
vulnerabilities
remote code execution
critical severity
patch
cve-2023-36844
cve-2023-36845
cve-2023-36846
cve-2023-36847
exploit
srx series
ex series
network-based attacker

5.3 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.967 High (Percentile: 99.6%)

Networking hardware company Juniper Networks has released an “out-of-cycle” security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations.

The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series.

“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” the company said in an advisory released on August 17, 2023.

The J-Web interface allows users to configure, manage, and monitor Junos OS devices. A brief description of the flaws is as follows -

  • CVE-2023-36844 and CVE-2023-36845 (CVSS scores: 5.3) - Two PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allow an unauthenticated, network-based attacker to control certain important environment variables.
  • CVE-2023-36846 and CVE-2023-36847 (CVSS scores: 5.3) - Two missing authentications for critical function vulnerabilities in Juniper Networks Junos OS on EX Series and SRX Series allow an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

A threat actor could send a specially crafted request to modify certain PHP environment variables or upload arbitrary files via J-Web sans any authentication to successfully exploit the aforementioned issues.

The vulnerabilities have been addressed in the below versions -

  • EX Series - Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1
  • SRX Series - Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1

Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks is suggesting that users either disable J-Web or limit access to only trusted hosts.
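
For inventory triage, the fixed-release lists above can be turned into a version check. This is an added example, not code from The Hacker News or Juniper; it assumes that later builds in the same release train, and trains newer than 23.2, carry the fix, and the function names and sample inventory are constructed.

```python
import re

# Fixed releases exactly as listed in the article, per platform family.
FIXED = {
    "EX": "20.4R3-S8 21.2R3-S6 21.3R3-S5 21.4R3-S4 22.1R3-S3 22.2R3-S1 "
          "22.3R2-S2 22.3R3 22.4R2-S1 22.4R3 23.2R1".split(),
    "SRX": "20.4R3-S8 21.2R3-S6 21.3R3-S5 21.4R3-S5 22.1R3-S3 22.2R3-S2 "
           "22.3R2-S2 22.3R3 22.4R2-S1 22.4R3 23.2R1".split(),
}

_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

def parse(version):
    """'21.4R3-S4.9' -> ((21, 4), (3, 4)); trailing spin numbers are ignored."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, rel, svc = (int(g or 0) for g in m.groups())
    return (major, minor), (rel, svc)

def jweb_status(family, version):
    """Return 'fixed', 'vulnerable' or 'unlisted' for a running release."""
    train, build = parse(version)
    # Earliest fixed build in each release train (e.g. 22.3 -> R2-S2).
    earliest = {}
    for fixed in FIXED[family.upper()]:
        t, b = parse(fixed)
        earliest[t] = min(b, earliest.get(t, b))
    if train in earliest:
        return "fixed" if build >= earliest[train] else "vulnerable"
    if train > max(earliest):
        return "fixed"       # assumption: trains after 23.2 ship with the fix
    if train < min(earliest):
        return "vulnerable"  # the article says all versions are affected
    return "unlisted"        # train between listed ones with no fix named

if __name__ == "__main__":
    # Constructed inventory, not real devices.
    for fam, ver in [("SRX", "21.4R3-S4"), ("EX", "21.4R3-S4"),
                     ("SRX", "22.3R2-S1"), ("EX", "19.4R3-S10"),
                     ("SRX", "21.1R3")]:
        print(fam, ver, jweb_status(fam, ver))
```

The same 21.4R3-S4 build is reported as fixed on EX but vulnerable on SRX, because the two lists differ for the 21.4 and 22.2 trains. A device reported as vulnerable or unlisted is a candidate for the J-Web workaround until it is upgraded.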

PoC Exploit Released

Proof-of-concept (PoC) exploit code has been released for multiple security flaws in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution on unpatched devices.

The PoC, published by watchTowr, combines CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file in order to load the booby-trapped PHP script.

“This is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE,” the company said.
