[CDP-development] TLP:GREEN (Vulnerability Alert Notification) Juniper Junos OS SRX Series and EX Series Multiple Vulnerabilities Could Allow for Remote Code Execution
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Mon Nov 13 10:31:18 PST 2023
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2023-36845 Juniper Junos OS SRX Series and EX Series PHP External Variable Modification Vulnerability as well as four other medium severity Junos OS vulnerabilities. Due to high visibility, knowledge of the devices installed in the state environment, and active exploitation, we are providing this in-depth information:
History: On August 17, 2023, Juniper Networks released a security bulletin identifying how several vulnerabilities may be chained together for exploitation against their Junos OS SRX Series and EX Series firewalls and switches. CVE-2023-36845 is an external variable modification vulnerability in J-Web and is currently assigned a CVSSv3 rating of 9.8 (Critical). Four other medium severity vulnerabilities were also addressed in the security bulletin and may be combined with CVE-2023-36845 for remote code execution: CVE-2023-36844, CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851. Each of the CVEs was published on August 17, 2023. While each CVE was initially assigned a medium severity rating, CVE-2023-36845 was upgraded to a severity rating of Critical once Juniper became aware of the proof-of-concept (PoC) exploit combining the vulnerabilities. As of November 13, 2023, CISA has added all five CVEs to its Known Exploited Vulnerabilities catalog.
The following Juniper Networks Junos OS versions on SRX Series and EX Series devices are affected:
* All versions prior to 20.4R3-S9
* 21.1 version 21.1R1 and later versions;
* 21.2 versions prior to 21.2R3-S7;
* 21.3 versions prior to 21.3R3-S5;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S2;
* 22.3 versions prior to 22.3R2-S2, 22.3R3-S1;
* 22.4 versions prior to 22.4R2-S1, 22.4R3;
* 23.2 versions prior to 23.2R1-S1, 23.2R2.
Patches are available from Juniper Networks to fix the vulnerabilities. The fixed versions are:
* 20.4R3-S9
* 21.3R3-S5
* 22.1R3-S4
* 22.2R3-S2
* 22.3R2-S2
* 22.3R3-S1
* 22.4R2-S1
* 23.2R1-S1
Additionally, as of November 13, 2023, the following patches are pending publication:
* 21.2R3-S7
* 21.4R3-S5
* 22.4R3
* 23.2R2
* 23.4R1
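To turn the version ranges above into something that can be run over a device inventory, here is an added example (not part of the SOC alert or Juniper's bulletin) that parses Junos version strings and flags the ones inside the affected ranges exactly as the alert lists them. It treats "prior to A, B" as one fix boundary per release branch, assumes release trains the alert does not list are unaffected, and uses constructed hostnames and versions.

```python
import re

# First fixed (R, S) on each release branch for every train the alert lists;
# an empty list means the whole train is affected (21.1 has no fix). Pending
# fixes (21.2R3-S7, 21.4R3-S5, 22.4R3, 23.2R2) are used as the alert states them.
FIXED_IN = {
    "20.4": [(3, 9)], "21.1": [], "21.2": [(3, 7)], "21.3": [(3, 5)],
    "21.4": [(3, 5)], "22.1": [(3, 4)], "22.2": [(3, 2)],
    "22.3": [(2, 2), (3, 1)], "22.4": [(2, 1), (3, 0)], "23.2": [(1, 1), (2, 0)],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

def parse_junos_version(text):
    """Return (major, minor, R, S) from e.g. '22.3R2-S2', '22.4R3', '21.4R3-S4.6'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)

def is_affected(version):
    """True when the version lies inside one of the alert's affected ranges."""
    major, minor, rel, svc = parse_junos_version(version)
    if (major, minor) < (20, 4):
        return True  # "all versions prior to 20.4R3-S9" covers older trains
    fixed = FIXED_IN.get(f"{major}.{minor}")
    if fixed is None:
        return False  # train not listed in the alert; assumed unaffected
    if not fixed:
        return True  # 21.1R1 and later: no fixed release exists
    if rel > max(r for r, _ in fixed):
        return False  # release newer than the last fixed branch
    return not any(rel == r and svc >= s for r, s in fixed)

def affected_hosts(inventory):
    """Reduce '<hostname> <version>' lines to the hosts still needing patches."""
    rows = (line.split() for line in inventory.strip().splitlines())
    return [host for host, version in rows if is_affected(version)]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = """
srx-edge-01 22.3R2-S1
srx-edge-02 22.3R2-S2
ex-core-01 21.4R3-S4.6
ex-access-07 21.1R3-S5
srx-dc-03 22.4R3
ex-lab-01 19.4R3-S7
"""
```

The version string can be taken from the "Junos:" line of `show version` on each device; a host reported by affected_hosts should be checked for compromise before it is patched, as the recommended actions below advise.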
Further information is available from Juniper Networks Support Portal as published in their Security Bulletin:
* Knowledge Base Out-of-Cycle Security Bulletin - https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
Intelligence: As of November 8, 2023, Juniper Networks is aware that the CVEs are being used in combination and have been exploited in the wild. It is very likely that the exploits will continue to be leveraged by threat actors over the coming months.
Workarounds: In lieu of patching devices, Juniper Networks' recommended workaround is to disable J-Web on affected devices or to limit access to trusted hosts only.
How it works: When chained, the vulnerabilities permit an unauthenticated user to upload an arbitrary file to the Junos OS filesystem and then execute it. The attack chain does not allow for OS-level code execution; instead, it provides an attacker code execution within a BSD jail. Although restricted to the BSD jail, successful exploitation could provide an opportunity for an attacker to pivot to internal networks. Security researchers have observed exploitation attempts that upload and execute a PHP file against affected devices.
Post-Exploit: Upon successful exploitation of the vulnerabilities, an attacker could execute arbitrary code within the management interface, or pivot to gain access to internal networks.
No known indicators of compromise have been publicly shared at this time.
As of August 25, 2023, the following vulnerability plugins have been released and are currently in Tenable Security Center:
Plugin | Title | Severity
180190 <https://www.tenable.com/plugins/nessus/180190> | Juniper Junos OS Pre-Auth RCE (JSA72300) | Critical
Recommended Actions:
* Verify that hosts have not been compromised before applying patches.
* Apply the appropriate updates provided by the vendor to vulnerable systems immediately after appropriate testing.
* Limit access to affected devices to trusted hosts only.
* Utilize web application firewalls to filter and monitor incoming web traffic.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services.
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."