Today’s Cybersecurity Threat Advisory involves proof-of-concept exploit code that has been publicly released in Juniper SRX firewalls. Using the proof-of-concept exploit code can allow unauthenticated attackers access to remotely execute code in unpatched Juniper JunOS devices. This news comes after Juniper disclosed four medium-severity bugs in its EX-switches and SRX firewalls two weeks ago and has since released security patches.
What is the threat?
While the vulnerabilities in the EX-switches and SRX firewalls pose little risk on their own, when combined, they enable remote code execution (RCE) on the switch management interfaces, earning this a critical CVSS rating of 9.8. Given the simplicity of the exploitation and the privileged position that JunOS devices hold in a network, large-scale exploitation is a possibility. The four vulnerabilities can be split into two categories: CVE-2023-36846 and CVE-2023-36847, which may allow a critical function (file upload, via the J-Web UI) to be exploited without previous authentication. CVE-2023-36844 and CVE-2023-36845 may allow attackers to modify certain PHP environment variables by specifying the name of an uploaded file.
Why is it noteworthy?
Combining exploitation of these four vulnerabilities allows an unauthorized network-based attacker to remotely execute code on the devices, putting JunOS devices at serious risk. The CVE-2023-36846 pre-authentication upload flaw allows unauthorized uploads of PHP files to restricted directories using randomized names. Manipulating HTTP-requested environment variables like PHPRC helps load the configuration file, triggering the execution of the PHP file uploaded in the previous step.
What is the exposure or risk?
While Juniper has not provided information on active exploitation of these security flaws in the wild, attackers are expected to target unpatched Juniper devices in widescale attacks.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of the JunOS vulnerabilities:
- Apply security patches – Admins should apply Juniper’s patches or upgrade JunOS to the latest release or, at least, apply the mitigation measures suggested by the vendor as soon as possible.
- Ensure backup – Always keep backups handy, especially if you find yourself unable to access your files.
- Limit access – Those with JunOS should disable access to the J-Web interface if possible, or at least limit access to only trusted hosts.
References
For more in-depth information about the recommendations, please visit the following links:
- Researchers demo bug-chaining of Juniper Networks vulnerabilities – Security – iTnews
- PoC for no-auth RCE on Juniper firewalls released – Help Net Security
- Exploit released for Juniper firewall bugs allowing RCE attacks (bleepingcomputer.com)
- 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution (juniper.net)
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.
