Recent developments have shown that hackers have started exploiting recently patched vulnerabilities in Juniper Networks firewalls. These vulnerabilities can be chained together to achieve remote code execution. A team of security researchers released exploit details and a proof-of-concept for these vulnerabilities, highlighting the seriousness of the issue.
According to the researchers from security firm watchTowr, these vulnerabilities, when combined, can lead to a “world ending” unauthenticated remote code execution. They emphasize that users of affected devices should update to the patched version as soon as possible. Additionally, they recommend disabling access to the J-Web interface if feasible.
On August 18, Juniper took action and patched four vulnerabilities in its SRX Series and EX Series firewalls. These vulnerabilities specifically affect the J-Web component of Junos OS, the operating system used in Juniper firewall devices. The severity of each vulnerability is rated as medium, with a CVSS score of 5.3 out of 10. Typically, medium-severity flaws receive lower priority in patching cycles. However, in this case, combining some of these vulnerabilities allows for remote code execution without authentication, as Juniper warns in its advisory.
Of the four vulnerabilities, two are particularly similar: CVE-2023-36846 and CVE-2023-36847. These flaws enable unauthenticated attackers to send specially crafted requests to a device, allowing them to upload arbitrary files via J-Web to the file system. The other two vulnerabilities, CVE-2023-36844 and CVE-2023-36845, also share similarities and enable unauthenticated attackers to modify certain PHP environment variables.
After receiving Juniper’s advisory, the watchTowr researchers were intrigued by the possibility of chaining these vulnerabilities together. They decided to investigate further and discovered that only two of the vulnerabilities were necessary to execute the attack: a file upload vulnerability and an environment variable modification vulnerability.
Their investigation focused on the J-Web interface, which is a PHP application. By examining the internal functions of the J-Web interface, they identified a function called “do_upload” that handles file uploads. To their surprise, they found that this function lacked an authentication check, making exploitation relatively straightforward. However, they observed that the uploaded file was placed in a temporary folder and that the web server was running as a jailed process.
While the researchers have provided valuable insights into the exploitation of these vulnerabilities, it is crucial for Juniper users to take immediate action to mitigate the risk. Updating to the patched version is highly recommended. Additionally, if possible, disabling access to the J-Web interface can further enhance the security posture.
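The mitigation recommended above (disable J-Web, or at least restrict it) can be checked against a device's configuration before and after the change. The following audit script is an added example, not code from watchTowr or Juniper; it parses the `show configuration | display set` form of a Junos config, and the sample configuration it contains is constructed for illustration rather than taken from any real device.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in "show configuration | display set" form (not from a real device).
SAMPLE_CONFIG = """\
set system host-name edge-srx
set system services ssh
set system services web-management http port 80
set system services web-management https system-generated-certificate
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
"""

@dataclass
class JWebAudit:
    deactivated: bool = False   # whole web-management stanza deactivated
    http: bool = False          # plaintext J-Web listener configured
    https: bool = False
    http_ifaces: list = field(default_factory=list)
    https_ifaces: list = field(default_factory=list)
    issues: list = field(default_factory=list)

_WM = re.compile(r"^(set|deactivate) system services web-management(?: (\S+))?(?: (.*))?$")

def audit_jweb(config_text: str) -> JWebAudit:
    a = JWebAudit()
    for line in config_text.splitlines():
        m = _WM.match(line.strip())
        if not m:
            continue
        verb, proto, rest = m.groups()
        if verb == "deactivate" and proto is None:
            a.deactivated = True
        elif verb == "set" and proto in ("http", "https"):
            setattr(a, proto, True)
            im = re.match(r"interface (\S+)", rest or "")
            if im:  # listener restricted to a named interface, e.g. fxp0.0
                getattr(a, proto + "_ifaces").append(im.group(1))
    if a.deactivated:
        return a  # J-Web disabled entirely: the recommended state
    if a.http:
        a.issues.append("plaintext http J-Web listener enabled")
    for proto in ("http", "https"):  # no interface list means J-Web answers on every interface
        if getattr(a, proto) and not getattr(a, proto + "_ifaces"):
            a.issues.append(f"{proto} J-Web not restricted to any interface")
    if a.http or a.https:
        a.issues.append("J-Web reachable: confirm the fixed Junos release is installed")
    return a

if __name__ == "__main__":
    print(*audit_jweb(SAMPLE_CONFIG).issues, sep="\n")
```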
It is important to note that vulnerabilities in critical network infrastructure like firewalls can have severe consequences if left unpatched or unaddressed. They can provide attackers with unauthorized access to sensitive systems or enable them to execute malicious code remotely. Therefore, organizations should prioritize the implementation of security patches and regularly monitor for any potential vulnerabilities in their network infrastructure. By doing so, they can significantly reduce their risk exposure and safeguard their critical assets.