Warning: Remote Code Execution vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series, POC available, Patch Immediately!
CVE-2023-36844: A PHP External Variable Modification vulnerability
CVE-2023-36845: A PHP External Variable Modification vulnerability
CVE-2023-36846: A Missing Authentication for Critical Function vulnerability
CVE-2023-36847: A Missing Authentication for Critical Function vulnerability
CVE-2023-36851: A Missing Authentication for Critical Function vulnerability
Chaining the listed vulnerabilities results in a combined CVSS 3.1 score of 9.8/10
Sources
https://nvd.nist.gov/vuln/detail/CVE-2023-36844
https://nvd.nist.gov/vuln/detail/CVE-2023-36845
https://nvd.nist.gov/vuln/detail/CVE-2023-36846
https://nvd.nist.gov/vuln/detail/CVE-2023-36847
https://nvd.nist.gov/vuln/detail/CVE-2023-36851
Risks
Critical remote code execution (RCE) vulnerabilities have been discovered in Juniper SRX and EX firewalls and switches. Combining the vulnerabilities pose a risk with a CVSS score of 9.8.
Several proof-of-concepts (PoC) exist. On the 8th of November, the Juniper SIRT announced they are aware of the vulnerabilities being exploited in the wild. It is therefore crucial to address this issue promptly, as an infected system could be used as part of a botnet or for ransomware attacks.
The vulnerabilities primarily impact the J-Web component of Junos OS and allows unauthenticated remote attackers to execute arbitrary code. Successful exploitation can lead to a compromise of the system, potentially enabling attackers to gain control.
The vulnerabilities have a high impact on all vertices of the CIA triad (Confidentiality, Integrity, Availability).
Firewalls and switches are interesting targets to threat actors, it is recommended that organisations take immediate action to mitigate this risk.
Description
This advisory addresses the following vulnerabilities: CVE-2023-36844, CVE-2023-36845, CVE-2023- 36846, CVE-2023-36847 and CVE-2023-36851. All CVE's listed affect J-Web of Juniper Networks Junos OS on EX Series and SRX Series firewalls and switches.
Attackers may use these vulnerabilities to gain unauthorized access and control over sensitive network equipment. This flaw can be exploited remotely by attackers without authentication. While we are not aware of any confirmed active exploits at present, several PoCs have been developed that demonstrate the exploitability of this vulnerability. And the most recent example from Vulncheck (https://vulncheck.com/blog/juniper-cve-2023-36845) shows how an attacker could compromise the system using a curl command.
Targeted Technology: The vulnerability affects the J-Web component of Junos OS, a widely used operating system in network infrastructure. Attackers may target this technology to gain unauthorized access and control over sensitive network equipment. According to a scan performed by Vulncheck around 80% of internet facing devices are vulnerable.
Threat Actors: While there are no specific threat actors identified, it is easy to understand that firewalls and switches are attractive targets for any threat actor to compromise, as they facilitate entry into protected networks.
Impact on CIA Triad:
- Confidentiality: High risk - Successful exploitation may lead to the exposure of sensitive data.
- Integrity: High risk - Attackers can execute arbitrary code, potentially compromising the integrity of the system.
- Availability: High risk - The vulnerability can result in unauthorized access and control over the affected devices, impacting their availability.
Technical details:
- CVE-2023-36844 & CVE-2023-36845 - Improper input validation.
These vulnerabilities allow remote attackers to manipulate application behavior. They result from inadequate validation of user-supplied input in J-Web, enabling remote attackers to modify specific PHP environment variables and alter the application's behavior. Successful exploitation of these vulnerabilities can lead to remote code execution.
- CVE-2023-36846, CVE-2023-36847 & CVE-2023-36851 - Unrestricted upload of file with dangerous type vulnerabilities.
These vulnerabilities grant remote attackers the ability to compromise the targeted system. The vulnerabilities exist due to missing authentication when uploading files via J-Web. A remote non-authenticated attacker can upload a malicious file and execute it on the system. Successful exploitation of the vulnerability may result in system compromise.
Recommended Actions
To mitigate the risks associated with these vulnerabilities, the Centre for Cyber Security Belgium strongly recommends system administrators to take the following actions:
- Vulnerability Assessment: Verify whether your Juniper SRX firewall or EX switch is vulnerable to any of the listed CVE's. This can be done by reviewing Juniper's official security advisory.
- Patch and Update: Apply the necessary security patches and updates provided by Juniper Networks promptly. Ensure that your devices are running the latest, patched firmware to eliminate the vulnerability. Additionally, it is recommended to assess whether the J-Web component is essential for your network operations. If it is not required, disable it entirely to reduce the attack surface. Alternatively, if J- Web functionality is needed, limit access to only trusted hosts to further enhance security.
- Additional security Controls: Implement additional security controls such as multi-factor authentication.
- Monitoring: You can check the logs to detect any signs of compromise, but keep in mind that a skillful attacker will be careful not to leave any traces. If you had an unpatched device, it is best to continuously monitor your network for any signs of compromise or unusual activity.
References
https://vulncheck.com/blog/juniper-cve-2023-36845
https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/