On Aug. 17, Juniper released a security advisory to address two vulnerabilities each in its SRX Series firewalls and EX Series switches. Not an unusual occurrence in and of itself, but two things stood out about the advisory: it was an out-of-cycle release, and none of the vulnerabilities was rated a critical, or even serious, risk.
But, as it turns out, chaining the vulnerabilities together in specific ways can lead to remote code execution on vulnerable devices. And attackers have taken notice, targeting the thousands of vulnerable devices exposed to the Internet. The bugs affect all versions of Junos OS on EX and SRX devices.
The main problem lies in the J-Web interface on the firewalls and switches, which is the main web interface for the devices. Specifically, the bugs (CVE-2023-36844 and CVE-2023-36845) are in the interface’s PHP code, and an attacker could exploit them to gain control over certain environment variables.
“A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities,” the Juniper advisory says.
The second part of the issue is an authentication bypass (CVE-2023-36846) that can be combined with the first vulnerability.
“A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities,” the advisory says.
Researchers at watchTowr Labs were able to combine these two vulnerabilities to achieve remote code execution. The research team developed its own exploit, which it has published.
“This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a 'world ending' unauthenticated RCE. While the quality of the code is much aligned with other devices in its class, such as the Fortiguard and Sonicwall devices we've been breaking, it is worth pointing out here that Juniper's use of veriexec was a wise move, as it complicates code and command execution,” the watchTowr researchers said.
“However, it is not enough to prevent determined attackers - watchTowr researchers took around half an hour to circumvent it (and, I'll admit, much longer to realise it was in effect). Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Web interface if at all possible.”
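As an added illustration of the mitigation the researchers recommend (this is not configuration from the Juniper advisory or from watchTowr), the Junos set-format snippet below shows the two defensive options: removing J-Web outright, or, where it must stay, keeping it HTTPS-only and filtering which sources can reach the routing engine's web ports. The management prefix 192.0.2.0/24 and the filter name PROTECT-RE are assumptions; apply one option, not both.

```junos
# Option 1: remove J-Web entirely. Both bugs described above live in J-Web,
# so deleting the service removes the exposed surface until the upgrade lands.
delete system services web-management

# Option 2: J-Web must stay. Drop plain HTTP, keep HTTPS, and add a loopback
# filter so only the management prefix (assumed: 192.0.2.0/24) reaches it.
delete system services web-management http
set system services web-management https system-generated-certificate
set firewall family inet filter PROTECT-RE term mgmt-web from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term mgmt-web from protocol tcp
set firewall family inet filter PROTECT-RE term mgmt-web from destination-port https
set firewall family inet filter PROTECT-RE term mgmt-web then accept
set firewall family inet filter PROTECT-RE term drop-web from protocol tcp
set firewall family inet filter PROTECT-RE term drop-web from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term drop-web then discard
# Final accept term keeps SSH, routing protocols and other control traffic working.
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit comment "restrict J-Web pending Junos OS upgrade"
```

Verify after committing with `show system services web-management` and `show firewall filter PROTECT-RE`; the drop-web counter should climb if anything outside the management prefix is still probing the web ports.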
The Shadowserver Foundation has identified more than 8,000 vulnerable Juniper devices exposed to the Internet, and reports that it has seen active exploitation attempts from multiple IP addresses in recent days.