Menace intelligence agency VulnCheck has printed particulars on a brand new exploit focusing on a current Junos OS vulnerability and says that hundreds of Juniper Networks home equipment that haven’t been patched are in danger.
The flaw, tracked as CVE-2023-36845, is described as a PHP atmosphere variable manipulation challenge within the J-Net interface of Juniper’s SRX collection firewalls and EX collection switches operating particular Junos OS variations.
In mid-August, the networking home equipment maker launched patches for this bug and three different medium-severity points, warning that an attacker may chain them to realize distant code execution (RCE) on a weak gadget, and that the exploit chain needs to be thought-about as having a ‘essential severity’ score.
Roughly one week after Juniper’s patches and following the discharge of a proof-of-concept (PoC) exploit chaining two of the vulnerabilities, the primary malicious assaults focusing on the issues have been noticed.
Now, VulnCheck says it has developed a brand new exploit that targets CVE-2023-36845 solely, and which ends up in RCE with out chaining with different bugs.
What’s extra, the risk intelligence agency says that the exploit permits an unauthenticated attacker to execute code with out making a file on the weak Juniper equipment’s system, and that many of the internet-exposed Juniper units stay weak, as they haven’t been patched but.
In devising the fileless assault, VulnCheck used as a analysis base the beforehand launched PoC exploit, which relied on importing two recordsdata to the weak equipment to realize RCE.
VulnCheck found that it may leak delicate data and obtain distant code execution through an HTTP request, by abusing reputable FreeBSD features (the weak units run FreeBSD) and with out dropping a single file on the system.
“Similar to that, by solely utilizing CVE-2023-36845, we’ve achieved unauthenticated and distant code execution with out truly dropping a file on disk. Our personal exploit establishes a reverse shell, however that’s fairly trivial when you’ve reached this level,” VulnCheck notes.
To verify the variety of doubtlessly affected units which might be uncovered to the web, VulnCheck carried out a Shodan search, which returned roughly 15,000 outcomes. An evaluation of roughly 3,000 of those units confirmed that 79% will not be patched in opposition to CVE-2023-36845.
“Firewalls are fascinating targets to APT as they assist bridge into the protected community and may function helpful hosts for [command-and-control] infrastructure. Anybody who has an unpatched Juniper firewall ought to look at it for indicators of compromise,” VulnCheck notes.
