Juniper Networks is known to be one of the most established and renowned enterprise suppliers in the security network industry, especially with the Juniper SRX Firewall series being widely recognized as the next-generation firewall. With such a long history, popularity tends to follow naturally, which is why Juniper devices are commonly seen in the in-house networks of companies around the world. 

Juniper Networks users manage their firewalls and other devices through J-Web, the web console of Junos OS. J-Web is a PHP-based web console accessed through a browser. Juniper Networks recently disclosed four vulnerabilities in the J-Web platform: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847. While each individual vulnerability has a CVSS score in the 5-point range, a seemingly moderate risk, combining these vulnerabilities can trigger a chain reaction culminating in a Remote Code Execution (RCE) attack. In the CVSSv3 assessment, the aggregated severity score for these vulnerabilities stands at 9.8.

The J-Web Juniper Firewall management system exposed to the RCE vulnerability

Bug Chain Impacting Juniper Firewalls and Switches

Among the Juniper Networks devices, the EX series refers to switches, and the SRX series refers to firewalls. The vulnerabilities disclosed impact these two platforms as follows:

  • CVE-2023-36846 and CVE-2023-36847 (CVSS score: 5.3) – Two authentication bypass vulnerabilities affecting critical features in Juniper Networks Junos OS on EX and SRX series. These vulnerabilities allow an unauthenticated network-based attacker to have limited impact on the system.
  • CVE-2023-36844 and CVE-2023-36845 (CVSS score: 5.3) – Two PHP external variable modification vulnerabilities in Juniper Networks Junos OS J-Web on EX and SRX series. These vulnerabilities allow an unauthenticated network-based attacker to take control of certain critical environment variables.

CVE-2023-36846 and CVE-2023-36847 (CVSS score: 5.3) are vulnerabilities that allow attackers to upload arbitrary files via J-Web. However, because an upload by itself does not cause further harm, each has received a relatively moderate CVSS score of 5.3 points. CVE-2023-36844 and CVE-2023-36845 (CVSS score: 5.3) are vulnerabilities that allow PHP external variables to be modified. Similarly, modifying these PHP variables on its own is unlikely to significantly impact the system, so each has a CVSS score of 5.3 points.

Individual vulnerabilities hold a mid-level score in the 5-point range and do not pose a significant threat as long as they remain independent. However, by exploiting the first vulnerability to upload arbitrary files and then leveraging the second vulnerability to manipulate PHP attributes associated with the uploaded files, a bug chain forms that has the potential for RCE. Successfully intertwining these flaws would enable attackers to execute code remotely from an unauthorized network environment. This is why the CVSS score for vulnerabilities in the 5-point range has escalated to the 9-point range.

Over 100K Juniper Firewalls Exposed Online

Products from Juniper Networks, including Juniper firewalls, are already significantly exposed on the attack surface.

Searching for the web server title used in Juniper Networks J-Web on Criminal IP’s Asset Search can lead to the detection of servers exposed online.

Search Query: title: Juniper Web Device Manager

Over 190,000 Juniper devices exposed online detected on Criminal IP Asset Search

The search results reveal that over 190,000 instances of Juniper Networks’ J-Web are exposed online. With the recent disclosure of the RCE bug chain, these readily accessible servers now present a heightened risk, positioning them as prime targets for attackers.

Open port information of the retrieved IP address: J-Web running on TCP Port 443

Juniper Networks has been plagued by numerous vulnerabilities in the past, and attackers continue to exploit these weaknesses. Taking advantage of this situation, there are also a considerable number of honeypots impersonating Juniper Networks. 
A total of 488 ports are open for the following IP address, including a web daemon disguised as Juniper Networks’ J-Web. (Web console daemons such as Fortinet and Palo Alto are also running on the IP address of this honeypot.)

Honeypot server IP address information mixed with J-Web server exposed online
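Asset-search results like the ones above are only useful to a defender once they are triaged: which hits are real J-Web consoles that belong in an exposure inventory, and which look like the multi-vendor honeypots the report describes. The script below is an added example, not code from the report or from Criminal IP. The scan records are constructed to mimic the shape of such results (open ports with the HTTP title of the service behind each), and the vendor title markers and the open-port threshold are assumptions chosen for illustration.

```python
"""Triage constructed scan records for exposed Juniper J-Web consoles.

Added example (not from the original report). All records, title markers
and thresholds below are constructed or assumed for illustration.
"""
from collections import Counter

# The web server title J-Web presents, as used in the report's search query.
JWEB_TITLE = "Juniper Web Device Manager"

# Title markers for other vendor consoles. A single host serving several
# vendors' consoles at once is a strong honeypot signal (the report shows
# a host running J-Web, Fortinet and Palo Alto consoles together).
# These markers are assumptions, not authoritative fingerprints.
OTHER_CONSOLE_MARKERS = {
    "fortinet": "FortiGate",
    "paloalto": "GlobalProtect Portal",
}

# Assumption: a genuine firewall or switch management plane exposes far
# fewer than this many ports; the report's honeypot had 488 open.
MAX_PLAUSIBLE_OPEN_PORTS = 50

# Constructed sample data: ip -> list of (port, http title)
SCAN_RESULTS = {
    "192.0.2.10": [(443, JWEB_TITLE)],
    "192.0.2.11": [(22, ""), (443, "nginx")],
    "192.0.2.12": [(443, JWEB_TITLE), (8443, "FortiGate"),
                   (4443, "GlobalProtect Portal")],
    # A host answering on 488 ports, with J-Web on 443 among them.
    "192.0.2.13": [(p, JWEB_TITLE if p == 443 else "") for p in range(1, 489)],
    "192.0.2.14": [(22, ""), (443, JWEB_TITLE)],
}


def vendor_consoles(services):
    """Return the set of vendor consoles visible in a host's service titles."""
    found = set()
    for _, title in services:
        if JWEB_TITLE in title:
            found.add("juniper")
        for vendor, marker in OTHER_CONSOLE_MARKERS.items():
            if marker in title:
                found.add(vendor)
    return found


def classify(services):
    """Classify one host as not_jweb, jweb_exposed or likely_honeypot."""
    vendors = vendor_consoles(services)
    if "juniper" not in vendors:
        return "not_jweb"
    # Too many open ports, or several vendors' consoles on one IP: treat as
    # a probable honeypot rather than an asset to remediate.
    if len(services) > MAX_PLAUSIBLE_OPEN_PORTS or len(vendors) > 1:
        return "likely_honeypot"
    return "jweb_exposed"


def triage(scan_results):
    """Map every scanned IP to its classification."""
    return {ip: classify(svcs) for ip, svcs in scan_results.items()}


def summarize(scan_results):
    """Count hosts per classification, for reporting."""
    return Counter(triage(scan_results).values())


if __name__ == "__main__":
    for ip, verdict in triage(SCAN_RESULTS).items():
        print(f"{ip:<12} {verdict}")
    print(dict(summarize(SCAN_RESULTS)))
```

Hosts classified as `jweb_exposed` are the ones to feed into the remediation steps in the next section; `likely_honeypot` hits are worth excluding from exposure counts so that an organization's own inventory is not inflated by decoys.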

Addressing RCE Vulnerabilities: Minimizing the Attack Surface as Highlighted by CISA

In June 2023, CISA issued its first Binding Operational Directive (BOD) of the year, ordering federal agencies in the United States to secure Internet-exposed or misconfigured networking equipment, such as Juniper firewalls and switch devices, within two weeks of discovery. CISA has stated that “this directive requires Federal Civilian Executive Branch (FCEB) agencies to take steps to reduce their attack surface created by insecure or misconfigured management interfaces across certain classes of devices.”

CISA's Binding Operational Directive ordering U.S. federal agencies to manage exposed attack surfaces

In order to prevent Juniper firewall and switch bug chain exploits, one can adhere to CISA’s operational guidelines. 

Disabling or restricting access to the active J-Web interface is a key step. To minimize external access, enterprises and organizations should eliminate external Internet exposure points for devices such as firewalls and switches.

Users operating the affected devices should prioritize updating to the latest patched version as soon as possible.
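Disabling J-Web, or restricting it to a management interface, is something that can be checked mechanically across a fleet from exported configurations. The script below is an added example, not code from the report or a Juniper tool: it audits Junos configuration in `show configuration | display set` form and flags J-Web that is served over plain HTTP or not bound to a management interface. The two configurations are constructed; the management interface name `fxp0.0` is an assumption (EX switches commonly use `me0` or `vme` instead), and the check is a heuristic rather than a complete hardening review.

```python
"""Audit Junos 'display set' configuration for J-Web exposure.

Added example (not from the original report or from Juniper). The sample
configurations are constructed. The statements inspected are real Junos
syntax:
  set system services web-management https ...   enables J-Web over HTTPS
  set system services web-management http ...    enables J-Web over plain HTTP
  ... web-management https interface <ifl>       limits J-Web to named interfaces
"""
import re

# Group 1: transport (http/https); group 2: rest of the statement, if any.
WEB_MGMT_RE = re.compile(r"^set system services web-management (https?)(?:\s+(.*))?$")

# Constructed: J-Web over HTTP and HTTPS, not limited to any interface.
WEAK_CONFIG = """
set system services ssh
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set interfaces fxp0 unit 0 family inet address 10.0.0.2/24
"""

# Constructed: HTTPS only, bound to the management interface (fxp0.0 assumed).
HARDENED_CONFIG = """
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 10.0.0.2/24
"""

# Constructed: J-Web removed entirely ('delete system services web-management').
DISABLED_CONFIG = """
set system services ssh
set interfaces fxp0 unit 0 family inet address 10.0.0.2/24
"""


def audit_jweb(config_text, mgmt_interfaces=("fxp0.0",)):
    """Return {'status': ..., 'findings': [...]} for one device configuration.

    status is 'disabled' (no web-management statements), 'restricted'
    (HTTPS only, bound solely to mgmt_interfaces) or 'exposed' (anything else).
    """
    enabled = set()
    bound = set()
    for raw in config_text.splitlines():
        m = WEB_MGMT_RE.match(raw.strip())
        if not m:
            continue
        transport, rest = m.group(1), (m.group(2) or "").split()
        enabled.add(transport)
        # 'display set' emits one line per bound interface.
        if len(rest) == 2 and rest[0] == "interface":
            bound.add(rest[1])

    if not enabled:
        return {"status": "disabled", "findings": []}

    findings = []
    if "http" in enabled:
        findings.append("J-Web enabled over plain HTTP; logins cross the network unencrypted")
    if not bound:
        findings.append("no 'interface' statement: J-Web is not limited to a management interface")
    else:
        stray = sorted(bound - set(mgmt_interfaces))
        if stray:
            findings.append("J-Web bound to non-management interface(s): " + ", ".join(stray))

    return {"status": "exposed" if findings else "restricted", "findings": findings}


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("disabled", DISABLED_CONFIG)]:
        result = audit_jweb(cfg)
        print(name, result["status"])
        for f in result["findings"]:
            print("  -", f)
```

The `set` lines in `HARDENED_CONFIG` double as the commands for restricting J-Web to the management interface, and `delete system services web-management` turns J-Web off entirely, which is the strongest option where the console is not needed. Binding alone does not replace patching: a device that still needs J-Web for trusted administrators should be updated as well.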



This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine.

Source: Criminal IP (https://www.criminalip.io/en)
