Juniper Networks Addresses Critical RCE Vulnerability in Firewalls and Switches
January 12, 2024
Juniper Networks has released security patches for a critical pre-authentication remote code execution (RCE) vulnerability affecting its SRX Series firewalls and EX Series switches. The flaw, tracked as CVE-2024-21591, lies in the devices' J-Web configuration interface. An unauthenticated attacker could exploit it to gain root access to unpatched devices or to cause a denial of service (DoS).
The company stated in a security advisory published on Wednesday, 'This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory.' Juniper's Security Incident Response Team has found no evidence of the vulnerability being exploited in the wild.
The vulnerability affects a broad range of Junos OS versions. It has been fixed in Junos OS 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases. Administrators are urged to apply the security updates immediately or upgrade Junos OS to the latest release. At a minimum, they should disable the J-Web interface to eliminate the attack vector.
An alternative temporary solution is to limit J-Web access to trusted network hosts only until patches are deployed. According to information from the nonprofit internet security organization Shadowserver, over 8,200 Juniper devices have their J-Web interfaces exposed online, most of them being in South Korea.
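A quick way to tell whether a device is on a fixed release is to compare its running version against the list above. The following is an added example (not from Juniper or the advisory) that parses Junos version strings such as `22.4R2-S2.1` and applies the advisory's rule; it assumes that a release train with no listed fix should be treated as unfixed, and that trains newer than the highest listed one are covered by "all subsequent releases".

```python
import re
from typing import NamedTuple, Tuple

# Fixed releases for CVE-2024-21591, as listed in the advisory quoted above.
FIXED_RELEASES = [
    "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S5", "22.1R3-S4",
    "22.2R3-S3", "22.3R3-S2", "22.4R2-S2", "22.4R3", "23.2R1-S1",
    "23.2R2", "23.4R1",
]

# <major>.<minor>R<release>[-S<service>][.<build>]; the build number is ignored.
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


class JunosVersion(NamedTuple):
    train: Tuple[int, int]  # (major, minor), e.g. (22, 4)
    release: int            # the R number
    service: int            # the S number, 0 when absent


def parse_version(text: str) -> JunosVersion:
    """Parse strings such as '22.4R2-S2' or '21.4R3.7' into comparable parts."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, rel, svc = m.groups()
    return JunosVersion((int(major), int(minor)), int(rel), int(svc or 0))


_FIXED = [parse_version(v) for v in FIXED_RELEASES]
_NEWEST_FIXED_TRAIN = max(v.train for v in _FIXED)


def is_fixed(text: str) -> bool:
    """True when the running version is at or above a fixed release on its own
    train, or on a train newer than any listed ("all subsequent releases").
    Assumption (not stated in the advisory text above): a train with no listed
    fix is reported as unfixed so it gets reviewed rather than silently passed."""
    v = parse_version(text)
    if v.train > _NEWEST_FIXED_TRAIN:
        return True
    same_train = [f for f in _FIXED if f.train == v.train]
    if not same_train:
        return False
    # Compare (R, S) as a pair: R3 is later than R2-S2; R2-S1 is earlier than R2-S2.
    return any((v.release, v.service) >= (f.release, f.service) for f in same_train)


def version_from_show_version(output: str) -> str:
    """Pull the version from the 'Junos: <version>' line of 'show version' output."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)
```

Feed it the text of `show version` from each SRX or EX device; anything that returns `False` either needs the update or still has J-Web exposed and should be restricted or disabled in the meantime.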
In November, CISA also warned that a Juniper pre-auth RCE exploit chaining four bugs, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, was being used in the wild. These bugs affected Juniper's SRX firewalls and EX switches. The alert followed Shadowserver's detection of the first exploitation attempts on August 25, a week after Juniper released patches and immediately after watchTowr Labs published a proof-of-concept (PoC) exploit.
In September, a vulnerability intelligence firm discovered thousands of Juniper devices still vulnerable to attacks using this exploit chain. On November 17, CISA added these four bugs to its Known Exploited Vulnerabilities Catalog, labeling them as 'frequent attack vectors for malicious cyber actors' with 'significant risks to the federal enterprise.' The U.S. cybersecurity agency issued the first binding operational directive (BOD) of the year last June, mandating federal agencies to secure their Internet-exposed or misconfigured networking equipment, such as Juniper firewalls and switches, within a two-week window following discovery.