Hackers have begun exploiting recently patched vulnerabilities in Juniper Networks firewalls that can be chained together to achieve remote code execution. Exploit details and a proof-of-concept were released late last week by a team of security researchers.
“This is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE,” researchers from security firm watchTowr said in their detailed analysis. “Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Net interface if at all possible.”
Four Juniper bugs but only two needed
On August 18, Juniper patched four vulnerabilities in its SRX Series and EX Series firewalls. The flaws are in the J-Net component of Junos OS, the operating system of Juniper firewall devices, and are all rated 5.3 out of 10 on the CVSS scale. This translates to a severity of medium, which is generally treated with lower priority in patching cycles. However, in this particular case, some of the vulnerabilities can be chained together to achieve remote code execution without authentication, which Juniper explicitly warns about in its advisory.
Two flaws, CVE-2023-36846 and CVE-2023-36847, are similar and allow an unauthenticated attacker to send specially crafted requests to a device that could allow them to upload arbitrary files via J-Net to the file system. The other two flaws, CVE-2023-36844 and CVE-2023-36845, are also similar to each other and both allow an unauthenticated attacker to modify certain PHP environment variables.
Following Juniper’s advisory, researchers from watchTowr were intrigued by the possibility of chaining these flaws, so they set out to investigate them. It turns out that only two are needed to achieve the attack: one file upload and one environment variable modification.
First, they found the CVE-2023-36846 vulnerability by looking at the internal functions of the J-Net interface, which is a PHP application. They located one called do_upload that handles the upload of files and immediately noticed that it lacked an authentication check. Therefore, exploitation was straightforward, but the uploaded file was placed in a tmp folder and it appeared that the web server itself was running as a jailed process.
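The mitigation watchTowr recommends, short of patching, is to disable access to the J-Net interface. The following audit script is an added example (not code from watchTowr, Juniper or the article) that scans a Junos configuration exported in "set" format and reports whether web-management (J-Web/J-Net) is enabled, on which protocols and interfaces, and the delete command that would turn it off; the stanza names and the sample configuration are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed Junos "set"-format excerpt (sample input, not from a real device).
# Stanza names follow Junos CLI conventions as assumed for this example.
SAMPLE_CONFIG = """
set system host-name edge-fw-1
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management session idle-timeout 10
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
"""

# Match the http/https service under web-management and an optional
# "interface <name>" restriction. Longer alternative first so "https"
# is not truncated to "http"; \b prevents a partial-word match.
WEB_MGMT = re.compile(
    r"^set system services web-management (https|http)\b(?: interface (\S+))?"
)


def audit_web_management(config_text: str) -> Dict[str, object]:
    """Report whether J-Web is enabled, on which protocols/interfaces, and how to disable it."""
    interfaces: Dict[str, List[str]] = {}
    for line in config_text.splitlines():
        m = WEB_MGMT.match(line.strip())
        if not m:
            continue
        proto, iface = m.group(1), m.group(2)
        interfaces.setdefault(proto, [])
        if iface:
            interfaces[proto].append(iface)
    protocols = sorted(interfaces)
    return {
        "web_management_enabled": bool(protocols),
        "protocols": protocols,
        # Protocols with an empty list carry no interface restriction in the config.
        "interfaces": {p: interfaces[p] for p in protocols},
        # The article's mitigation: remove the service if it is not needed.
        "remediation": ["delete system services web-management"] if protocols else [],
    }


if __name__ == "__main__":
    for key, value in audit_web_management(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A protocol listed with no interfaces means the config does not restrict where J-Web listens, which is the case to review first.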