An overwhelming majority of Juniper’s SRX firewalls and EX Series switches [2], totaling close to 12,000 devices, have been found to be vulnerable to a recently disclosed remote code execution flaw [1] [4] [7], known as CVE-2023-36845 [1] [4] [6].

Description

CVE-2023-36845 [1] [4] [5] [6] allows an unauthenticated, remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system [1] [3] [5] [6] [7]. VulnCheck researchers found this vulnerability in internet-exposed devices and identified those devices as being at risk. It is a medium-severity vulnerability in the J-Web component of Junos OS [1] that can be exploited by manipulating certain environment variables. Approximately 80% of the affected internet-facing firewalls remain unpatched [5], highlighting the importance of applying the necessary fixes to mitigate potential threats [1] [3] [6].

Juniper Networks has released a patch for this vulnerability [6], along with three others [1] [6], in an out-of-cycle update [1] [6]. Additionally, a new exploit has been discovered that relies only on CVE-2023-36845 and can be executed using a single cURL command [6]. This exploit takes advantage of PHP’s auto_prepend_file and allow_url_include options to achieve arbitrary code execution [6]. While Juniper has not observed any successful exploits against its customers [3] [6], it has detected attempts to exploit this vulnerability in the wild.

To assist in identifying vulnerable firewalls, VulnCheck has released a vulnerability scanner [5]. Despite the availability of a patch, approximately 79% of public-facing firewalls and switches have not been updated [2], leaving them susceptible to potential issues such as malware deployment.
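Because exploitation attempts have been seen in the wild, one way to hunt for them is to search recorded HTTP requests for the two PHP options named above. The following is an added example, not VulnCheck's scanner or Juniper's code. It assumes a proxy or WAF in front of J-Web writes JSON-lines records with hypothetical `src`, `url` and `body` fields, and that the options appear there as name=value assignments; the sample records are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

# The two PHP options named in the write-up, seen as a name=value assignment.
DIRECTIVE_RE = re.compile(r"\b(auto_prepend_file|allow_url_include)\b\s*=", re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Undo up to max_rounds layers of URL encoding (e.g. %255F -> %5F -> _)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_record(record):
    """Return the sorted directive names assigned in one request's URL or body."""
    hits = set()
    for field in ("url", "body"):  # hypothetical field names
        value = fully_decode(str(record.get(field) or ""))
        hits.update(m.group(1).lower() for m in DIRECTIVE_RE.finditer(value))
    return sorted(hits)

def scan_log(lines):
    """Return (source, directives) for each JSON-lines record that carries a hit."""
    findings = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(record, dict):
            continue
        hits = scan_record(record)
        if hits:
            findings.append((record.get("src", "unknown"), hits))
    return findings

# Constructed sample records (documentation IP ranges, placeholder values).
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "192.0.2.10", "url": "/index.php?lang=en", "body": ""},
    {"src": "198.51.100.7", "url": "/", "body": "allow_url_include=PLACEHOLDER\nauto_prepend_file=PLACEHOLDER"},
    {"src": "203.0.113.9", "url": "/?x=auto%255Fprepend%255Ffile%253DPLACEHOLDER", "body": ""},
    {"src": "192.0.2.44", "url": "/help", "body": "article about allow_url_include"},
)] + ["truncated {"]

if __name__ == "__main__":
    for src, hits in scan_log(SAMPLE_LOG):
        print(src, ", ".join(hits))
```

A hit is a lead for triage rather than proof of compromise, and a clean result does not replace applying Juniper's patch.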

Conclusion

The discovery of this vulnerability in a large number of Juniper firewalls and switches highlights the need for prompt action to address the issue. With the availability of a patch, it is crucial for organizations to update their devices to mitigate potential threats. Failure to do so leaves these devices vulnerable to attacks, including the deployment of malware. The ongoing attempts to exploit this vulnerability further emphasize the importance of taking proactive measures to protect against potential security breaches.

References

[1] https://www.redpacketsecurity.com/nearly-juniper-firewalls-found-vulnerable-to-recently-disclosed-rce-vulnerability/
[2] https://www.techradar.com/pro/security/thousands-of-juniper-firewalls-are-open-to-serious-attack
[3] https://cyber.vumetric.com/security-news/2023/09/19/nearly-12000-juniper-firewalls-found-vulnerable-to-recently-disclosed-rce-vulnerability/
[4] https://allinfosecnews.com/item/12000-juniper-srx-firewalls-and-ex-switches-vulnerable-to-cve-2023-36845-2023-09-19/
[5] https://vulncheck.com/blog/juniper-cve-2023-36845/
[6] https://thehackernews.com/2023/09/over-12000-juniper-firewalls-found.html
[7] https://gixtools.net/2023/09/over-12000-juniper-firewalls-found-vulnerable-to-recently-disclosed-rce-vulnerability/