Security News > 2023 > September > Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw.
VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "Unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system."
A subsequent proof-of-concept exploit devised by watchTowr combined CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode and achieve code execution.
Arbitrary code execution is then achieved by leveraging PHP's auto prepend file and allow url include options in conjunction with the data:// protocol wrapper.
"Anyone who has an unpatched Juniper firewall should examine it for signs of compromise."
Juniper has since disclosed that it's not aware of a successful exploit against its customers, but warned that it has detected exploitation attempts in the wild, making it imperative that users apply the necessary fixes to mitigate potential threats.
- Juniper Networks fixes flaws leading to RCE in firewalls and switches (source)
- PoC for no-auth RCE on Juniper firewalls released (source)
- Exploit released for Juniper firewall bugs allowing RCE attacks (source)
- Week in review: 11 search engines for cybersecurity research, PoC for RCE in Juniper firewall released (source)
- Hackers exploit critical Juniper RCE bug chain after PoC release (source)
- Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits (source)
- Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676) (source)
- Thousands of Juniper devices vulnerable to unauthenticated RCE flaw (source)
- Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all (source)
|2023-08-17||CVE-2023-36846|| Missing Authentication for Critical Function vulnerability in Juniper Junos |
A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.
| 5.3 |
|2023-08-17||CVE-2023-36845|| PHP External Variable Modification vulnerability in Juniper Junos |
A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.
| 5.3 |