
Cybersecurity Threat Advisory

Today’s Cybersecurity Threat Advisory concerns proof-of-concept exploit code that has been publicly released for Juniper SRX firewalls. Using this proof-of-concept code can allow unauthenticated attackers to remotely execute code on unpatched Juniper JunOS devices. This news comes two weeks after Juniper disclosed four medium-severity bugs in its EX switches and SRX firewalls, for which it has since released security patches.

What is the threat?

While the vulnerabilities in the EX switches and SRX firewalls pose little risk on their own, when combined they enable remote code execution (RCE) on the device management interfaces, earning the chain a critical CVSS rating of 9.8. Given the simplicity of exploitation and the privileged position that JunOS devices hold in a network, large-scale exploitation is a real possibility. The four vulnerabilities fall into two pairs: CVE-2023-36846 and CVE-2023-36847, which may allow a critical function (file upload via the J-Web UI) to be used without prior authentication; and CVE-2023-36844 and CVE-2023-36845, which may allow attackers to modify certain PHP environment variables by specifying the name of an uploaded file.

Why is it noteworthy?

Combining exploitation of these four vulnerabilities allows an unauthenticated, network-based attacker to remotely execute code on the devices, putting JunOS devices at serious risk. The CVE-2023-36846 pre-authentication upload flaw allows unauthorized uploads of PHP files to restricted directories under randomized names. Manipulating PHP environment variables such as PHPRC through the HTTP request then causes the PHP configuration file to be loaded, which triggers execution of the PHP file uploaded in the previous step.

What is the exposure or risk?

While Juniper has not provided information on active exploitation of these security flaws in the wild, attackers are expected to target unpatched Juniper devices in wide-scale attacks.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of the JunOS vulnerabilities:

  • Apply security patches – Admins should apply Juniper’s patches or upgrade JunOS to the latest release or, at least, apply the mitigation measures suggested by the vendor as soon as possible.
  • Ensure backup – Always keep backups handy, especially if you find yourself unable to access your files.
  • Limit access – Those with JunOS should disable access to the J-Web interface if possible, or at least limit access to only trusted hosts.
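The “limit access” recommendation above can be expressed directly in JunOS configuration. The following is an added example for this advisory, not configuration published by Juniper or Barracuda MSP: it shows both the outright disable of J-Web and, as the alternative, a loopback firewall filter that only admits HTTP/HTTPS from a trusted management prefix. The prefix 192.0.2.0/24 and the names TRUSTED-MGMT and PROTECT-RE are placeholders chosen for the example; comment lines are explanatory and should be stripped before pasting into the CLI.

```junos
# Added example, not from the advisory. Replace 192.0.2.0/24 with your
# real management prefix before use.

# Option A: disable J-Web entirely (preferred if the UI is not needed).
delete system services web-management

# Option B: keep J-Web, but only accept it from trusted hosts.
set policy-options prefix-list TRUSTED-MGMT 192.0.2.0/24

# Accept J-Web (HTTP/HTTPS) only from the trusted prefix.
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED then accept

# Log and drop J-Web attempts from anywhere else; the log gives the SOC
# a record of untrusted hosts probing the management interface.
set firewall family inet filter PROTECT-RE term DENY-JWEB-OTHER from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-JWEB-OTHER from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term DENY-JWEB-OTHER then log
set firewall family inet filter PROTECT-RE term DENY-JWEB-OTHER then discard

# Terminal accept so routing protocols, SSH and other management traffic
# are not silently dropped by the filter's implicit discard.
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept

# Apply as an input filter on lo0 so it governs traffic to the device itself.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Commit with an automatic rollback in case the filter locks you out.
commit confirmed 5
```

Use either Option A or Option B, not both halves of the intent at once; the filter is only meaningful when J-Web stays enabled. The terminal `ALLOW-REST` term matters: a loopback filter without a final accept will discard all other control-plane traffic, which is why the example commits with `commit confirmed` and expects a follow-up `commit` once management access is verified. After patching, `show version` confirms the running JunOS release, and the discard-term log entries are a useful source for detection of untrusted hosts reaching for the UI.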

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.



Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
