The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities catalog with the addition of six new vulnerabilities. Five of these vulnerabilities impact Juniper's Junos OS, while the sixth affects SysAid's IT support software.
Juniper's Security Incident Response Team (SIRT) has confirmed that attackers are exploiting these vulnerabilities, which can be combined to enable pre-authentication Remote Code Execution. The company issued an update on November 8th, 2023, urging customers to upgrade their systems immediately. "Juniper SIRT is now aware of successful exploitation of these vulnerabilities. Customers are urged to immediately upgrade," the company stated in the update.
Under Binding Operational Directive (BOD) 22-01, federal agencies are required to remediate catalogued vulnerabilities by the specified due dates to safeguard their networks against active exploitation. Private organizations are also advised to review the catalog and remediate any of the listed vulnerabilities present in their infrastructure. CISA has set a deadline of November 17, 2023, for federal agencies to fix the Junos OS vulnerabilities, while the SysAid Server Path Traversal Vulnerability must be addressed by December 4, 2023.
In mid-August, Juniper addressed four medium-severity vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) in its Junos OS. All four reside in the J-Web component of Junos OS on SRX Series and EX Series devices. "Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability," Juniper stated in an advisory.
An unauthenticated, network-based attacker can chain these vulnerabilities to remotely execute code on affected devices. As a workaround, Juniper suggests disabling J-Web entirely, or limiting access to it to trusted hosts only.
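The two workarounds above, written out as Junos configuration statements. This is an added illustration, not a snippet from Juniper's advisory: the filter name PROTECT-RE, the management subnet 192.0.2.0/24 and the assumption that J-Web is served on the standard HTTP/HTTPS ports are constructed for the example, and the exact hierarchy available on a given platform and release should be checked against its own documentation.

```junos
## Option 1: disable J-Web outright (preferred where the web UI is not needed).
## Removing the web-management service stops the J-Web daemon from listening.
delete system services web-management

## Option 2: keep J-Web, but only reachable from a trusted management subnet.
## A stateless firewall filter on the loopback interface governs traffic
## destined for the Routing Engine, which is where J-Web is served.
## 192.0.2.0/24 is a constructed placeholder for the real management network.
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term ALLOW-JWEB-TRUSTED then accept

## Everything else aimed at the web UI is dropped and counted, so exposure
## attempts show up in "show firewall filter PROTECT-RE" counters.
set firewall family inet filter PROTECT-RE term DROP-JWEB-OTHER from protocol tcp
set firewall family inet filter PROTECT-RE term DROP-JWEB-OTHER from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term DROP-JWEB-OTHER then count jweb-blocked
set firewall family inet filter PROTECT-RE term DROP-JWEB-OTHER then discard

## Do not disturb routing protocols, SSH and other Routing Engine traffic
## that the rest of the filter is not about.
set firewall family inet filter PROTECT-RE term DEFAULT-ACCEPT then accept

## Apply the filter inbound on lo0 so it covers J-Web on every interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Whichever option is chosen, commit with `commit confirmed` first so a mistake in the filter cannot lock out management, and remember that the filter only narrows who can reach J-Web; it is a stopgap until the device is running a fixed Junos OS release.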
In late August, security researchers at watchTowr Labs published proof-of-concept (PoC) exploit code for the vulnerabilities in Juniper SRX firewalls. The vulnerabilities allow an unauthenticated attacker to gain remote code execution on vulnerable Junos OS devices. "Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation," the researchers explained.
In mid-September, researchers discovered approximately 12,000 internet-exposed Juniper SRX firewalls and EX switches that are vulnerable to the recently disclosed remote code execution flaw CVE-2023-36845. A newer exploit for this flaw enables an unauthenticated, remote attacker to execute arbitrary code on Juniper firewalls without writing a file to the system. It affects older versions and fits in a single cURL command.
According to the same researchers, approximately 80% of affected internet-facing firewalls remained unpatched. They developed a vulnerability scanner to identify firewalls vulnerable to CVE-2023-36845 and, using Shodan, found approximately 15,000 Juniper devices with internet-facing web interfaces. "Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for C2 infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise," the researchers concluded.