Juniper web management interface open to RCE

Juniper Networks is warning of four vulnerabilities in two versions of its Junos OS operating system, which can be chained for unauthenticated remote code execution (RCE).

The “out of cycle” bulletin covers Junos OS on SRX and EX systems, and were discovered by an unnamed third party researcher.

The chain comprises four individual vulnerabilities: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847.

On their own, each of these vulnerabilities only rates a CVSS score of 5.3 (medium), but chained, they score 9.8 (critical).

CVE-2023-36844 is a PHP external variable modification vulnerability in the J-Web interface in Junos OS on EX.

It allows the attacker to “control certain, important environment variables”, and with a crafted request, the attacker could chain the bug to other vulnerabilities.

CVE-2023-36845 is a similar PHP bug in Junos OS on SRX systems.

CVE-2023-36846 and CVE-2023-36847 are missing authentication bugs on SRX and EX, respectively: “With a specific request that doesn’t require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.”

Fixes are available for affected versions.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts