Proof-of-concept exploit code has been publicly released for vulnerabilities in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution in Juniper’s JunOS on unpatched devices.
Juniper disclosed four medium-severity bugs in its EX switches and SRX firewalls and released security patches two weeks ago.
The security flaws were found in the PHP-based J-Web interface that admins can use to manage and configure Juniper devices on their networks.
“With a specific request that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities,” the company said.
“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.”
watchTowr Labs security researchers have since developed and released a proof-of-concept (PoC) exploit that chains two of the SRX firewall flaws: a missing authentication for critical function vulnerability (CVE-2023-36846) and a PHP external variable modification bug (CVE-2023-36845).
They also published a technical deep-dive describing their vulnerability analysis and PoC development process.
As they revealed, in the first step the CVE-2023-36846 pre-authentication upload flaw allows an unauthenticated attacker to upload a PHP file, under a randomized name, into a restricted directory. In the second step, a PHP configuration file is uploaded the same way; its auto_prepend_file directive points at the file from step one.
In the final step, the CVE-2023-36845 bug is used to set PHP environment variables such as PHPRC through the HTTP request, which makes PHP load the uploaded configuration file and thereby execute the PHP file uploaded in the first step.
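As an added illustration of the chain just described (this is not code from the article or from watchTowr), the following Python triage pass flags J-Web access-log entries in which PHPRC is supplied through the request and correlates them with an earlier POST to a PHP endpoint from the same source. The log format, paths and addresses are constructed assumptions; only the indicator name and the upload-then-trigger ordering come from the article.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-style access log; format, paths and addresses below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# PHP environment variables the chain sets through the HTTP request (CVE-2023-36845).
ENV_INDICATORS = {"PHPRC"}

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.7 - - [25/Aug/2023:10:01:02 +0000] "POST /jweb/upload.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [25/Aug/2023:10:01:03 +0000] "GET /jweb/index.php?PHPRC=/placeholder HTTP/1.1" 200 88',
    '198.51.100.4 - - [25/Aug/2023:10:02:00 +0000] "GET /jweb/index.php?%50HPRC=/placeholder HTTP/1.1" 200 88',
    '192.0.2.9 - - [25/Aug/2023:10:03:00 +0000] "GET /jweb/index.php?page=status HTTP/1.1" 200 1024',
]

def parse(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["target"] = unquote(rec["target"])  # decode %XX so PHPRC cannot hide as %50HPRC
    return rec

def env_var_in_request(rec):
    """Query-string keys that name a PHP environment variable, matched case-insensitively."""
    query = urlsplit(rec["target"]).query
    return [k for k in parse_qs(query, keep_blank_values=True) if k.upper() in ENV_INDICATORS]

def triage(lines):
    """Map source IP -> findings. A POST to a .php endpoint (candidate pre-auth upload, step 1)
    followed by a PHPRC request from the same source is marked as a likely full chain."""
    uploaded, findings = set(), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if rec["method"] == "POST" and path.endswith(".php"):
            uploaded.add(rec["ip"])
        hits = env_var_in_request(rec)
        if hits:
            msg = f"{rec['ts']}: {','.join(hits)} supplied in request to {path}"
            if rec["ip"] in uploaded:
                msg = "LIKELY CHAIN: " + msg
            findings.setdefault(rec["ip"], []).append(msg)
    return findings
```

A lone PHPRC request is still reported, since the upload may have arrived through a path the log does not capture.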
Incoming Juniper firewall attacks likely
While Juniper has not provided any information on active exploitation of the security flaws in the wild, watchTowr Labs expects attackers to soon start targeting unpatched Juniper devices in wide-scale attacks.
Admins are urged to apply Juniper’s patches or upgrade JunOS to the latest release, or at least to apply the mitigation measures suggested by the vendor, as soon as possible.
“Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation,” the researchers warned.
“Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Web interface if at all possible.”
In June, CISA issued this year’s first binding operational directive (BOD) ordering U.S. federal agencies to secure Internet-exposed or misconfigured networking equipment such as Juniper’s firewall and switch devices within two weeks of discovery.