Tracking News: Juniper Junos Vulnerabilities

5 Known Juniper Junos Vulnerabilities Being Actively Exploited

CISA has added 5 CVEs relating to Juniper Junos (aka Junos OS), to its Known Exploited Vulnerabilities (KEV) catalog. The full exploit chain involves combining several lower-severity CVEs to achieve pre-authentication remote code execution (RCE). The 5 CVEs range in severity from CVSS 9.8 Critical to CVSS 5.3 Medium. Greenbone is equipped with vulnerability tests to identify affected systems.

Understanding the timeline of events should help network defenders grasp how rapidly cyber threats can escalate. In this case a proof-of-concept (PoC) was published just 8 days after the vendor Juniper released its security advisory. Security researchers observed active exploitation just 12 days after the disclosure. Still, it was not until several months later that CISA acknowledged active exploitation. The Greenbone Enterprise vulnerability feed added detection tests [1][2] for all impacted versions of the two affected product lines (EX Series Ethernet Switches and SRX Series Services Gateways) on August 18, 2023, immediately after they were disclosed.

Here is a brief description of each CVE:

  • CVE-2023-36844 (CVSS 5.3 Medium): A PHP External Variable Modification [CWE-473] vulnerability exists in J-Web, a tool used for remote configuration and management of Junos OS. The vulnerability allows an unauthenticated, network-based attacker to modify sensitive PHP environment variables. CVE-2023-36844 allows chaining to other vulnerabilities that lead to unauthenticated RCE.
  • CVE-2023-36845 (CVSS 9.8 Critical): A PHP External Variable Modification vulnerability [CWE-473] in J-Web allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request that sets the variable PHPRC an attacker is able to modify the PHP execution environment to inject and execute code.
  • CVE-2023-36846 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity with a specific request to user.php via J-Web. Without authentication, an attacker is able to upload arbitrary files [CWE-434] which allows chaining to other vulnerabilities including unauthenticated RCE.
  • CVE-2023-36847 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a malicious request to installAppPackage.php via J-Web an attacker is able to upload arbitrary files [CWE-434] without authentication, which may allow chaining to other vulnerabilities that lead to RCE.
  • CVE-2023-36851 (CVSS 5.3 Medium): A Missing Authentication for Critical Function [CWE-306] vulnerability in Juniper Networks Junos OS allows an unauthenticated, network-based attacker to impact file system integrity. With a specific request to webauth_operation.php that doesn’t require authentication, an attacker is able to upload arbitrary files via J-Web [CWE-434], leading to a loss of integrity for a certain part of the file system and chaining to other vulnerabilities.

Understanding The Attack Trajectory

Several of the CVEs listed above are classified as Missing Authentication for Critical Function [CWE-306] vulnerabilities, meaning that various functions of the J-Web device management web application do not implement proper authentication checks.

Here is a summary of how these vulnerabilities were chained together for unauthenticated RCE:

The J-Web application is written in PHP which, as the watchTowr researchers noted, is known for its usability at the cost of security. In the case of CVE-2023-36846, J-Web’s `webauth_operation.php` file implemented a different method of authentication than the rest of the application. This file instead invokes the `sajax_handle_client_request()` function and passes `false` as the `doauth` parameter, so no authentication is performed. The `sajax_handle_client_request()` function is designed to execute J-Web’s built-in functions, selected by name through a `$_POST` variable, including the `do_upload()` function used to upload files.

CVE-2023-36845 is a vulnerability in the Junos web server that allows system environment variables to be set via the `name` field of an HTTP POST request when a `Content-Type: multipart/form-data` header is used. Two exploits matching the description of CVE-2023-36845 were previously disclosed for the GoAhead IoT web server and tracked as CVE-2017-17562 and CVE-2021-42342, indicating that the Junos web server is likely based on the proprietary GoAhead web server.

Executing the uploaded file is possible by setting the PHPRC environment variable so that PHP loads an unauthorized `php.ini` configuration file, itself uploaded via CVE-2023-36846, which contains a malicious `auto_prepend_file` setting directing PHP to execute the first uploaded file every time a page is loaded. Here is the complete example chain:

Mitigation Of Recent Juniper Junos Vulnerabilities

The 5 new CVEs affect Juniper Networks Junos OS on EX Series Ethernet Switches and SRX Series Services Gateways. Specifically, Junos OS versions 20.4 and prior, 21.1, 21.2, 21.3, 21.4, 22.1, 22.2, 22.3, 22.4 and 23.2 on EX and SRX Series appliances are affected.
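The affected-version list above is the kind of input an inventory triage script works from. The following is an added example, not Greenbone's or Juniper's code: it parses Junos version strings down to their major.minor release train and flags EX/SRX hosts whose train appears in the page's list. Hostnames, platforms and versions in the sample inventory are constructed; fixed point releases within each train are not on the page, so a hit means "review against the vendor advisory", not "confirmed vulnerable".

```python
import re

# Affected Junos OS release trains exactly as listed on the page for EX and SRX
# Series: 20.4 and prior, plus the trains below. Fixed point releases inside
# these trains are not on the page, so a hit means "review against the vendor
# advisory", not "confirmed vulnerable".
AFFECTED_TRAINS = {(21, 1), (21, 2), (21, 3), (21, 4),
                   (22, 1), (22, 2), (22, 3), (22, 4), (23, 2)}
LAST_AFFECTED_LEGACY_TRAIN = (20, 4)          # "20.4 and prior"
AFFECTED_PLATFORMS = {"EX", "SRX"}            # product lines named on the page

# Junos version strings look like "21.4R3-S4.2" or "20.4R3"; only the
# major.minor train is needed for this coarse check.
VERSION_RE = re.compile(r"^(?P<major>\d+)\.(?P<minor>\d+)(?P<rest>[A-Za-z0-9.\-]*)$")


def parse_train(version):
    """Return (major, minor) for a Junos version string, or raise ValueError."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    return int(m.group("major")), int(m.group("minor"))


def is_affected_train(version):
    """True if the version's train is one the page lists as affected."""
    train = parse_train(version)
    return train <= LAST_AFFECTED_LEGACY_TRAIN or train in AFFECTED_TRAINS


def triage(inventory):
    """inventory: iterable of (hostname, platform, version) tuples.
    Returns the EX/SRX hosts whose train is affected, in input order."""
    review = []
    for host, platform, version in inventory:
        if platform not in AFFECTED_PLATFORMS:
            continue
        if is_affected_train(version):
            review.append((host, platform, version))
    return review


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ex-core-1", "EX", "21.4R3-S4.2"),   # listed train 21.4
    ("srx-edge-1", "SRX", "23.2R1"),      # listed train 23.2
    ("srx-edge-2", "SRX", "23.1R1"),      # 23.1 is not in the page's list
    ("mx-core-1", "MX", "22.4R1"),        # not an EX/SRX platform
    ("ex-access-3", "EX", "19.4R3"),      # prior to 20.4
]

if __name__ == "__main__":
    for host, platform, version in triage(SAMPLE_INVENTORY):
        print(f"REVIEW {host} ({platform}) running {version}")
```

The check deliberately stops at the release train: comparing R/S point releases against the vendor's fixed-release table is a second step that needs data this page does not carry, and a scanner such as the Greenbone tests mentioned above is the better place for that precision.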

The best mitigation option is to install the security patches for Junos OS. If you cannot install the officially provided security patches, completely disabling the J-Web interface, or configuring firewalls with an accept list to restrict access to only trusted hosts, can prevent exploitation. In general, strictly limiting access to critical servers and network appliances to only the client IP addresses that require it can prevent exploitation of similar, yet undiscovered, remotely exploitable zero-day vulnerabilities.
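The accept-list advice above also gives a detection angle on the attack chain described earlier: the three J-Web endpoints the page names as reachable without authentication (`user.php`, `installAppPackage.php`, `webauth_operation.php`) should only ever be requested by trusted management hosts. The following is an added example, not Greenbone's or Juniper's code: it parses web access log lines, flags requests to those endpoints from sources outside a trusted CIDR list, and rates POSTs higher because the page ties these endpoints to file upload. The log lines, IP ranges and the assumption that logs are available in common log format are all constructed for the example; the appliance's native log layout would need its own pattern.

```python
import re
from ipaddress import ip_address, ip_network

# J-Web PHP endpoints the page names as reachable without authentication
# (CVE-2023-36846, CVE-2023-36847, CVE-2023-36851). Matched on the basename
# of the request path.
UNAUTHENTICATED_JWEB_ENDPOINTS = {
    "user.php",
    "installAppPackage.php",
    "webauth_operation.php",
}

# Assumption: web access logs have been exported in common/combined log format.
# The appliance's native J-Web log layout may differ and needs its own regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Strip the query string and directory part so "/dir/user.php?x=1" -> "user.php"
    rec["basename"] = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    return rec


def is_trusted(ip, trusted_networks):
    addr = ip_address(ip)
    return any(addr in net for net in trusted_networks)


def find_suspicious(lines, trusted_cidrs):
    """Return requests to the unauthenticated J-Web endpoints from hosts outside
    the accept list. POSTs are rated higher because the page ties these
    endpoints to arbitrary file upload."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["basename"] not in UNAUTHENTICATED_JWEB_ENDPOINTS:
            continue
        if is_trusted(rec["ip"], trusted):
            continue
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "endpoint": rec["basename"],
            "severity": "high" if rec["method"] == "POST" else "medium",
        })
    return findings


def by_source(findings):
    """Count findings per source IP: one untrusted host touching several of
    these endpoints in sequence is a stronger signal than a single request."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log (documentation IP ranges; nothing here is a real capture).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Aug/2023:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234',
    '198.51.100.7 - - [18/Aug/2023:10:02:15 +0000] "POST /webauth_operation.php HTTP/1.1" 200 88',
    '198.51.100.7 - - [18/Aug/2023:10:02:16 +0000] "POST /installAppPackage.php HTTP/1.1" 200 54',
    '192.0.2.10 - - [18/Aug/2023:10:03:00 +0000] "POST /user.php?x=1 HTTP/1.1" 200 77',
    '203.0.113.5 - - [18/Aug/2023:10:04:30 +0000] "GET /webauth_operation.php HTTP/1.1" 200 15',
]
TRUSTED_MGMT = ["192.0.2.0/24"]   # assumed management network

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG, TRUSTED_MGMT)
    for h in hits:
        print(f"[{h['severity']}] {h['ts']} {h['ip']} {h['method']} {h['endpoint']}")
    print("per source:", by_source(hits))
```

Run against the sample, the trusted host's request to `user.php` is ignored while the two POSTs from `198.51.100.7` and the GET from `203.0.113.5` are reported; the per-source count makes the host that touched two upload endpoints back to back stand out. The same accept list used here for detection is the one the firewall filter in front of J-Web should enforce.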