Security News > 2023 > August > PoC for no-auth RCE on Juniper firewalls released

Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks' SRX firewalls and EX switches that could allow remote code execution, as well as a proof-of-concept exploit.

Earlier this month, Juniper Networks published an out-of-cycle security bulletin notifying customers using its SRX firewalls and EX switches of vulnerabilities that, chained together, would allow attackers to remotely execute code on vulnerable appliances.

Juniper urged customers to either update their appliances to a version of Junos OS that features patches for these flaws or to disable or limit access to the J-Web UI. They also noted that the vulnerabilities had been reported to them by security researchers - there was no mention of the vulnerabilities being under active exploitation.

Exploiting CVE-2023-36846 to upload an arbitrary PHP file was relatively easy but running it was more difficult.

"We can use our first bug to upload our own configuration file, and use PHPRC to point PHP at it. The PHP runtime will then duly load our file, which then contains an auto prepend file entry, specifying a second file, also uploaded using our first bug. This second file contains normal PHP code, which is then executed by the PHP runtime before any other code."

Specific error messages in PHP log files on the appliance may point to anonymous access without a valid session or attempted actions via an API endpoint without supplying authentication information, they pointed out.

News URL

https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/