Juniper Networks fixes flaws leading to RCE in firewalls and switches

Juniper Networks has fixed four vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) in Junos OS that, if chained together, could allow attackers to achieve remote code execution (RCE) on the company’s SRX firewalls and EX switches.

The fixed Junos OS vulnerabilities

Junos OS is an operating system based on Linux and FreeBSD that runs on Juniper Networks firewalls, network switches and other security devices. The affected component – J-Web – is the graphical user interface (GUI) used to manage devices running Junos.

CVE-2023-36844 and CVE-2023-36845 are PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series that could allow an unauthenticated, network-based threat actor to control certain important environments variables.

CVE-2023-36846 and CVE-2023-36847 denote missing authentication for a critical function in Juniper Networks Junos OS on EX Series and SRX Series that could allow an unauthenticated, network-based threat actor to cause limited impact to the file system integrity.

“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” Juniper noted.

This is why the vulnerabilities have a 5.3 CVSS score separately, but when combined they become critical (CVSS 9.8). This also means that only one vulnerability needs to be patched per platform to prevent remote code execution.

These vulnerabilities were discovered by external security researchers.

Update or mitigate

Vulnerabilities in security and networking devices are often exploited by attackers to gain initial access to a target company’s network.

The company has resolved these security issues by releasing the following Junos OS versions:

• SRX Series – 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, 23.2R1, and all subsequent releases
• EX Series – 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, 23.2R1, and all subsequent releases

Users are recommended to update their Juniper Networks firewalls and switches as soon as possible. Alternatively, they can mitigate the risk of exploitation by disabling J-Web or by limiting access to trusted hosts only.

UPDATE (August 29, 2023, 02:25 p.m. ET):

After watchTowr researchers released a PoC exploit on August 25, the Shadowserver Foundation started noticing exploitation attempts.