Users of Juniper Networks SRX series firewalls and EX series switches are being warned to patch four different vulnerabilities affecting the Junos operating system (OS) as a matter of urgency after exploitation was detected in the wild.
Juniper disclosed the vulnerabilities on 17 August 2023, and issued patches for each of them. Left unaddressed, an unauthenticated, network-based threat actor could chain them to achieve remote code execution (RCE) on the victims’ systems.
Since then, multiple researchers have been examining the vulnerabilities, and the team at WatchTowr demonstrated a proof-of-concept exploit on 25 August.
“This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a ‘world-ending’ unauthenticated RCE,” wrote the WatchTowr team. “Given the simplicity of exploitation and the privileged position that Junos devices hold in a network, we would not be surprised to see large-scale exploitation.”
Unfortunately for Juniper customers, others have since confirmed this is indeed the case, with Shadowserver saying it had seen exploitation attempts from multiple IPs, beginning on 25 August following WatchTowr’s disclosures.
Researchers at Rapid7 have also confirmed exploitation in the wild. Rapid7’s Ron Bowes wrote: “Juniper software is widely deployed, and Shodan shows around 10,000 devices facing the internet, although we can’t say with certainty how many are vulnerable.
“The affected Juniper service is J-Web, which is enabled by default on ports 80 and 443. The CVEs from Juniper are ranked as CVSS 5.3, but the advisory shows a combined CVSS score of 9.8. This sends a mixed message that might confuse users into thinking the impact of the flaws is of only moderate severity, which it is not.”
The four vulnerabilities are as follows. Note that although four are listed, an attacker only needs to chain two of them to achieve RCE.
- CVE-2023-36844: A PHP external variable modification vulnerability in the J-Web management interface of Junos OS on EX series kit, which allows an attacker to use a crafted request to modify certain PHP environment variables. This may allow chaining to other vulnerabilities;
- CVE-2023-36845: A second PHP external variable modification vulnerability affecting Junos OS on both EX and SRX series hardware, with the same impact as the first;
- CVE-2023-36846: A missing authentication for critical function vulnerability in Junos OS on SRX series devices, which allows an attacker to cause limited impact to the file system integrity by using a specially crafted request that doesn’t require authentication to upload arbitrary files via J-Web. This may also allow chaining to other vulnerabilities;
- CVE-2023-36847: A second missing authentication for critical function vulnerability affecting Junos OS on EX series devices, with the same impact as the third.
Bowes said the attack chain does not allow for operating system-level RCE, but instead RCE in a BSD jail – a pared-back environment designed to run a single application, in this instance the HTTP server, which has its own set of users and a root account limited to the jail environment. This does not, however, make it any less of a concern.
“While the issue is on the management interface, these devices tend to have privileged access to corporate networks, and even with code execution restricted to a BSD jail, successful exploitation would likely provide an opportunity for attackers to pivot to organisations’ internal networks,” he wrote.
As a workaround, for those not able to apply the patches right away, Juniper has advised that users can disable the J-Web functionality, or limit access to only trusted hosts.
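The two workarounds Juniper describes, written out as Junos set-style configuration. This is an added example, not configuration taken from Juniper’s advisory or from the article; the filter name PROTECT-RE and the trusted management range 192.0.2.0/24 are assumptions to be replaced with your own, and the `#` lines are explanatory and should be omitted when pasting into the CLI.

```junos
# Option 1: disable J-Web entirely (removes both the HTTP and HTTPS listeners).
# Check what is currently enabled first:
#   show configuration system services web-management
delete system services web-management http
delete system services web-management https

# Option 2: keep J-Web but only allow it from trusted management hosts.
# The filter is applied to the loopback interface so it governs traffic
# destined to the device itself (the routing engine), not transit traffic.
# Trusted hosts may reach ports 80/443 (named ports http/https in Junos).
set firewall family inet filter PROTECT-RE term allow-trusted-jweb from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term allow-trusted-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term allow-trusted-jweb from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term allow-trusted-jweb then accept

# Everyone else is dropped before reaching J-Web; count and log hits so
# attempts against the management interface show up in the filter counters.
set firewall family inet filter PROTECT-RE term block-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term block-jweb from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term block-jweb then count jweb-blocked
set firewall family inet filter PROTECT-RE term block-jweb then log
set firewall family inet filter PROTECT-RE term block-jweb then discard

# Final term: a loopback filter without an explicit accept would also cut off
# SSH, routing protocols and other management traffic, so let the rest through.
set firewall family inet filter PROTECT-RE term allow-other then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit confirmed 5
```

`commit confirmed 5` rolls the change back automatically unless a plain `commit` follows within five minutes, which guards against locking yourself out with a mistyped filter; on SRX platforms, J-Web reachability is additionally governed by the `host-inbound-traffic system-services` settings of each security zone, so review those as well.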
Juniper Networks has been contacted for comment.