
PoC for no-auth RCE on Juniper firewalls released
2023-08-28 10:20

Researchers have released additional details about four recently patched vulnerabilities affecting Juniper Networks' SRX firewalls and EX switches that could allow remote code execution, as well as a proof-of-concept exploit.

Earlier this month, Juniper Networks published an out-of-cycle security bulletin notifying customers using its SRX firewalls and EX switches of vulnerabilities that, chained together, would allow attackers to remotely execute code on vulnerable appliances.

Juniper urged customers to either update their appliances to a version of Junos OS that features patches for these flaws or to disable or limit access to the J-Web UI. They also noted that the vulnerabilities had been reported to them by security researchers - there was no mention of the vulnerabilities being under active exploitation.

Exploiting CVE-2023-36846 to upload an arbitrary PHP file was relatively easy, but running it was more difficult.

"We can use our first bug to upload our own configuration file, and use PHPRC to point PHP at it. The PHP runtime will then duly load our file, which then contains an auto prepend file entry, specifying a second file, also uploaded using our first bug. This second file contains normal PHP code, which is then executed by the PHP runtime before any other code."

Specific error messages in PHP log files on the appliance may point to anonymous access without a valid session or attempted actions via an API endpoint without supplying authentication information, they pointed out.


News URL

https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/

Related Vulnerability

DATE: 2023-08-17
CVE: CVE-2023-36846
VULNERABILITY TITLE: Missing Authentication for Critical Function vulnerability in Juniper Junos
RISK: 5.3 (network, low complexity)
Vendor: juniper
CWE: CWE-306

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

This issue affects Juniper Networks Junos OS on SRX Series:
* All versions prior to 20.4R3-S8;
* 21.1 versions 21.1R1 and later;
* 21.2 versions prior to 21.2R3-S6;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S3;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S2, 22.3R3;
* 22.4 versions prior to 22.4R2-S1, 22.4R3.
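
A defender-side check built from the affected-version list in the CVE-2023-36846 entry above, as an added example that is not from the article or from Juniper: it classifies a Junos OS version string for SRX Series as affected or fixed. The version-string pattern, and the rule that a later service release on a listed R line (or any release at or past the highest listed fix in a train) contains the fix, are assumptions.

```python
import re

# First fixed (R, S) releases per train, transcribed from the CVE-2023-36846
# entry on this page (SRX Series). An empty list means no fix is listed.
FIXED = {
    (20, 4): [(3, 8)],
    (21, 1): [],                # "21.1R1 and later"
    (21, 2): [(3, 6)],
    (21, 3): [(3, 5)],
    (21, 4): [(3, 5)],
    (22, 1): [(3, 3)],
    (22, 2): [(3, 2)],
    (22, 3): [(2, 2), (3, 0)],  # "prior to 22.3R2-S2, 22.3R3"
    (22, 4): [(2, 1), (3, 0)],  # "prior to 22.4R2-S1, 22.4R3"
}

# Assumed format: <major>.<minor>R<n>[-S<n>], optionally followed by a build
# suffix such as ".7", which is ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse(version):
    """Split a Junos version string into (train, release) integer tuples."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor)), (int(r), int(s or 0))


def is_affected(version):
    """True = affected, False = fixed, None = train not covered by the list."""
    train, rel = parse(version)
    if train < (20, 4):
        return True             # "All versions prior to 20.4R3-S8"
    if train not in FIXED:
        return None             # newer train: the list says nothing about it
    fixes = FIXED[train]
    if not fixes:
        return True
    if rel >= max(fixes):
        return False            # at or past the highest listed fix
    # Assumption: a later service release on the same R line carries the fix.
    return not any(rel[0] == fr and rel[1] >= fs for fr, fs in fixes)
```

A `None` result means the train is outside the list on this page and has to be checked against the vendor bulletin instead.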

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Juniper 33 0 325 328 54 707