Approximately 12,000 Juniper SRX firewalls and EX switches are exposed to an unauthenticated, fileless remote code execution flaw. In August, Juniper disclosed several vulnerabilities in the devices' web management interface, including 'PHP environment variable manipulation' (CVE-2023-36844 and CVE-2023-36845) and 'Missing Authentication for Critical Function' (CVE-2023-36846 and CVE-2023-36847). Although each was individually rated 'medium' severity (CVSS 5.3), chaining them yields a critical unauthenticated remote code execution flaw rated 9.8.
A proof of concept (PoC) was later released by watchTowr Labs that chained CVE-2023-36845 and CVE-2023-36846, achieving remote code execution by first uploading two files to the vulnerable device. More recently, vulnerability researcher Jacob Baines released another PoC that uses only CVE-2023-36845, removing the need to upload any files while still achieving remote code execution. To help identify vulnerable deployments, Baines also published a free scanner on GitHub; running it revealed thousands of vulnerable devices exposed on the internet.
Baines's report demonstrated how CVE-2023-36845, which Juniper flagged as 'Medium' severity on its own, can be used to execute arbitrary code remotely without authentication. The researcher reduced a multi-step exploit to a single curl command, and the simplified exploit appears to affect more (and older) systems than the original chain. The impact is therefore far broader and more severe than a 'medium' CVSS score suggests, and administrators should treat it as a critical issue requiring immediate action.
During testing, Baines found a way to avoid uploading any files by manipulating environment variables alone. PHP reads its php.ini from the path named in the PHPRC environment variable; by pointing PHPRC at the pseudo-file /dev/fd/0 (the process's standard input, which for the CGI-style PHP execution involved carries the HTTP request body), the attacker makes PHP load whatever php.ini is supplied in the request itself. As a first step this was enough to have the server display sensitive data. Next, enabling PHP's 'auto_prepend_file' and 'allow_url_include' settings in that attacker-supplied configuration lets arbitrary PHP code run via the data:// stream wrapper, so no file is ever written to the device.
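Because the whole technique lives in one HTTP request, it leaves a recognizable shape in traffic: an environment variable name in the query string, a /dev/fd/ path as its value, and php.ini directives in the body. The following detection heuristic is an added example written for this article, not VulnCheck's scanner or any Juniper code. It assumes a simplified, constructed log format of one request per line as "METHOD TARGET | BODY", with newlines in the body escaped as a literal backslash-n; the sample requests are constructed, not captured traffic.

```python
"""Detection heuristic for requests shaped like the fileless CVE-2023-36845
technique: the PHPRC environment variable injected through the query string
and pointed at /dev/fd/0, with php.ini directives (auto_prepend_file,
allow_url_include, a data:// wrapper) carried in the request body.

Added example, not VulnCheck's scanner or Juniper code. The log format is an
assumption: one request per line as "METHOD TARGET | BODY", with newlines in
BODY escaped as a literal backslash-n.
"""
import re
from urllib.parse import parse_qs, urlsplit

# php.ini directives the technique needs; legitimate web-UI traffic never carries these.
INI_DIRECTIVES = ("auto_prepend_file", "allow_url_include")


def flag_request(target, body=""):
    """Return the list of indicators found in one request (empty if clean)."""
    indicators = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # Any PHPRC parameter is abnormal: it is an environment variable, not a UI argument.
    if "PHPRC" in query:
        indicators.append("PHPRC_in_query")
        if any(v.startswith("/dev/fd/") for v in query["PHPRC"]):
            # php.ini is being read from a file descriptor, i.e. from the request itself
            indicators.append("PHPRC_points_at_fd")
    for directive in INI_DIRECTIVES:
        if re.search(rf"^\s*{directive}\s*=", body, re.MULTILINE | re.IGNORECASE):
            indicators.append(f"ini_{directive}")
    if "data://" in body:
        indicators.append("data_wrapper_in_body")
    return indicators


def severity(indicators):
    """Collapse a list of indicators into a triage label."""
    has_env = "PHPRC_in_query" in indicators
    has_payload = any(i.startswith("ini_") or i == "data_wrapper_in_body" for i in indicators)
    if has_env and has_payload:
        return "high"    # environment override plus an injected configuration
    if has_env:
        return "medium"  # environment override alone: probing or a partial attempt
    if has_payload:
        return "low"     # ini directives without PHPRC: odd, but not this technique
    return "none"


def parse_line(line):
    """Split a 'METHOD TARGET | BODY' log line into (method, target, body)."""
    head, _, body = line.partition(" | ")
    method, _, target = head.partition(" ")
    return method, target, body.replace("\\n", "\n")


def scan_log(lines):
    """Return (line_number, severity, indicators) for every line in the log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, target, body = parse_line(line)
        indicators = flag_request(target, body)
        findings.append((number, severity(indicators), indicators))
    return findings


# Constructed sample requests (not captured traffic), one per line.
SAMPLE_LOG = [
    # full fileless chain: PHPRC -> stdin, ini enables URL includes, code arrives via data://
    'POST /?PHPRC=/dev/fd/0 | allow_url_include=1\\nauto_prepend_file="data://text/plain,<?php echo 1; ?>"',
    # first-stage probe: auto_prepend_file pointed at a local file to leak its contents
    'POST /?PHPRC=/dev/fd/0 | auto_prepend_file=/etc/passwd',
    # ordinary login traffic
    'POST /login | username=admin&password=redacted',
    # PHPRC present but pointing elsewhere: environment override without a payload
    'GET /?PHPRC=/tmp/php.ini | ',
]

if __name__ == "__main__":
    for number, label, indicators in scan_log(SAMPLE_LOG):
        print(f"line {number}: {label:6} {indicators}")
```

Standard access logs record the query string but not the POST body, so in most environments only the PHPRC indicator is visible and a "medium" hit already deserves a look; the body-based indicators require a WAF, reverse proxy or packet capture that retains request bodies.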
CVE-2023-36845 affects multiple Junos OS versions on EX Series and SRX Series devices. Although Juniper released security updates on August 17, 2023, the relatively low 'medium' severity rating may have led many users to postpone applying them. Network scans found 14,951 Juniper devices with internet-exposed web interfaces. Of a sample of 3,000 of those, 79% were vulnerable to this RCE flaw; extrapolating that rate to all exposed devices suggests that around 11,800 vulnerable devices are reachable from the internet.
The report also noted that Shadowserver and GreyNoise have observed attackers probing Junos OS endpoints, indicating that threat actors are already looking to exploit CVE-2023-36845. Juniper administrators should apply the updates as soon as possible, since an unauthenticated RCE on an edge firewall or switch is a direct route to initial access into a corporate network. Where patching must wait, restricting the device's web management interface to trusted hosts removes the unauthenticated attack surface in the meantime.