
New Juniper Junos OS Flaws Expose Devices to Remote Attacks

Networking hardware company Juniper Networks has released an “out-of-cycle” security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations.

The four vulnerabilities have a cumulative CVSS score of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series.

“By chaining exploitation of those vulnerabilities, an unauthenticated, network-based attacker might be able to remotely execute code on the gadgets,” the company said in an advisory released on August 17, 2023.

The J-Web interface allows users to configure, manage, and monitor Junos OS devices. A brief description of the flaws is as follows:

  • CVE-2023-36844 and CVE-2023-36845 (CVSS scores: 5.3) – Two PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allow an unauthenticated, network-based attacker to control certain important environment variables.
  • CVE-2023-36846 and CVE-2023-36847 (CVSS scores: 5.3) – Two missing authentication for critical function vulnerabilities in Juniper Networks Junos OS on EX Series and SRX Series allow an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

A threat actor could send a specially crafted request to modify certain PHP environment variables or upload arbitrary files via J-Web without any authentication to successfully exploit the aforementioned issues.

The vulnerabilities have been addressed in the following versions:

  • EX Series – Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1
  • SRX Series – Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1

Users are advised to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks suggests that users either disable J-Web or limit access to only trusted hosts.
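As an added example (not code from Juniper or from this article), the following Python check compares a device inventory against the fixed releases listed above, which differ between EX and SRX for the 21.4 and 22.2 trains. How it treats releases outside the listed R lines and trains is an assumption marked in the comments, and the hostnames and device versions are constructed.

```python
import re

# Fixed releases exactly as listed in the article, per platform.
FIXED = {
    "EX": "20.4R3-S8 21.2R3-S6 21.3R3-S5 21.4R3-S4 22.1R3-S3 22.2R3-S1 "
          "22.3R2-S2 22.3R3 22.4R2-S1 22.4R3 23.2R1".split(),
    "SRX": "20.4R3-S8 21.2R3-S6 21.3R3-S5 21.4R3-S5 22.1R3-S3 22.2R3-S2 "
           "22.3R2-S2 22.3R3 22.4R2-S1 22.4R3 23.2R1".split(),
}
# Matches <major>.<minor>R<n>[-S<n>]; a trailing build suffix is ignored.
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse(version):
    """Return ((major, minor), R number, S number); S is 0 when absent."""
    m = _VERSION.match(version.strip())
    if not m:  # other release types (e.g. X releases) are not handled here
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, rel, svc = (int(g) if g else 0 for g in m.groups())
    return (major, minor), rel, svc


def is_fixed(platform, version):
    """True if `version` is at or beyond a listed fixed release."""
    train, rel, svc = parse(version)
    fixes = [parse(f) for f in FIXED[platform]]
    in_train = [(r, s) for t, r, s in fixes if t == train]
    if not in_train:
        # Assumption: trains newer than the newest listed one ship the fix;
        # any other unlisted train has no fixed release and needs an upgrade.
        return train > max(t for t, _, _ in fixes)
    for r, s in in_train:
        if rel == r:  # same R line: need at least the listed service release
            return svc >= s
    # Assumption: an R line above the highest listed one includes the fix.
    return rel > max(r for r, _ in in_train)


def audit(inventory):
    """Return hostnames from (host, platform, version) rows still needing the fix."""
    return [host for host, plat, ver in inventory if not is_fixed(plat, ver)]


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("ex-access-01", "EX", "21.4R3-S4"),   # fixed on EX
    ("srx-edge-01", "SRX", "21.4R3-S4"),   # SRX needs 21.4R3-S5
    ("srx-edge-02", "SRX", "22.3R2-S1"),   # below 22.3R2-S2
    ("ex-core-01", "EX", "22.3R3"),        # fixed
]
if __name__ == "__main__":
    print(audit(INVENTORY))
```
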

PoC Exploit Released

Proof-of-concept (PoC) exploit code has been released for multiple security flaws in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution on unpatched devices.

The PoC, published by watchTowr, combines CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution by injecting the PHPRC environment variable to point to a configuration file in order to load the booby-trapped PHP script.


“That is a fascinating bug chain, using two bugs that may be near-useless in isolation and mixing them for a ‘world ending’ unauthenticated RCE,” the company said.
