PoC for no-auth RCE on Juniper firewalls released

Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit.

Junos OS vulnerabilities and fixes

Earlier this month, Juniper Networks published an out-of-cycle security bulletin notifying customers using its SRX firewalls and EX switches of vulnerabilities that, chained together, would allow attackers to remotely execute code on vulnerable appliances.

The four vulnerabilities can be grouped into two categories:

• CVE-2023-36846 and CVE-2023-36847 may allow a critical function (file upload via the J-Web UI, which is used for appliance configuration) to be exploited without previous authentication
• CVE-2023-36844 and CVE-2023-36845 may allow attackers to modify certain PHP environments variables by specifying the name of an uploaded file

Juniper urged customers to either update their appliances to a version of Junos OS that features patches for these flaws or to disable or limit access to the J-Web UI.

They also noted that the vulnerabilities had been reported to them by security researchers – there was no mention of the vulnerabilities being under active exploitation.

The situation may soon change

WatchTowr Labs researchers Aliz Hammond and Sonny have published a post about their own deep dive into the Junos OS codebase and their successful pinpointing and exploitation of those vulnerabilities.

Exploiting CVE-2023-36846 to upload an arbitrary PHP file was relatively easy but running it was more difficult. They were temporarily stymied by Verified Exec (aka veriexec), “a file-signing and verification scheme that protects the Junos operating system (OS) against unauthorized software and activity that might compromise the integrity of your device,” but they managed get around it by using binaries already on the system.

“We soon realised that we could use the PHPRC environment variable, which instructs PHP on where to locate its configuration file, usually called php.ini,” they explained.

“We can use our first bug to upload our own configuration file, and use PHPRC to point PHP at it. The PHP runtime will then duly load our file, which then contains an auto_prepend_file entry, specifying a second file, also uploaded using our first bug. This second file contains normal PHP code, which is then executed by the PHP runtime before any other code.”

Finally, they automated the whole process in a PoC exploit.

“Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation,” they noted.

They reiterated Juniper’s advice on patching/mitigating the risk of exploitation, but they have also provided possible indicators of attempted attacks. Specific error messages in PHP log files on the appliance may point to anonymous access without a valid session or attempted actions via an API endpoint without supplying authentication information, they pointed out.

UPDATE (August 29, 2023, 02:15 p.m. ET):

Shadowserver Foundation says that there are over 8200 devices with with exposed J-Web interfaces out there and that attackers have started attempting to exploit the Juniper vulnerabilities on the same day watchTowr researchers released the PoC exploit.