Publicly available proof-of-concept exploit code has been released for a series of vulnerabilities in Juniper SRX firewalls. Chained together, these vulnerabilities allow an unauthenticated attacker to achieve remote code execution on unpatched devices running Juniper's JunOS. Juniper disclosed the bugs, each rated medium severity on its own, in its EX switches and SRX firewalls and released patches two weeks ago. The vulnerabilities lie in the PHP-based J-Web interface, which administrators use to manage and configure Juniper devices on their networks.
"With a specific request that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities," Juniper explained. "By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices."
The security researchers at watchTowr Labs have developed and released a proof-of-concept (PoC) exploit that combines the SRX firewall vulnerabilities, specifically a missing authentication for critical function vulnerability (CVE-2023-36846) and a PHP external variable modification bug (CVE-2023-36845). They have also published a technical analysis of the vulnerabilities and the process of developing the PoC exploit.
The researchers describe the chain in three steps. First, CVE-2023-36846 lets an unauthenticated request upload a PHP file to a restricted directory, where it is stored under a randomized name. Second, the same bug is used again to upload a PHP configuration file whose auto_prepend_file directive names that first file. Third, CVE-2023-36845 lets the attacker set environment variables through the HTTP request, including PHPRC, which tells PHP where to look for its configuration file; pointing PHPRC at the uploaded config makes PHP prepend, and therefore execute, the PHP file uploaded in the first step.
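The third step of that chain is the one that leaves a trace in ordinary web-server access logs, because PHPRC has to be supplied in the request itself. The following detector is an added example, not code from the page or from watchTowr: it scans constructed Apache-style access-log lines (J-Web's real log format and request paths are not given on the page, so the format, the `/index.php` and `/upload.php` paths and the addresses are assumptions) and flags any request whose query string sets PHPRC or mentions auto_prepend_file after percent-decoding, since a legitimate client has no reason to send either.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines in Apache common log format (an
# assumption: the page does not give J-Web's actual log format or paths).
# Line 3 carries the PHPRC environment-variable override described in the
# chain; line 5 smuggles the auto_prepend_file directive name in a
# percent-encoded query parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Aug/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [17/Aug/2023:10:01:05 +0000] "POST /upload.php HTTP/1.1" 200 42
203.0.113.7 - - [17/Aug/2023:10:01:09 +0000] "GET /index.php?PHPRC=/tmp/abc123 HTTP/1.1" 200 17
198.51.100.9 - - [17/Aug/2023:10:02:00 +0000] "GET /index.php?page=status HTTP/1.1" 200 800
198.51.100.9 - - [17/Aug/2023:10:02:03 +0000] "GET /index.php?foo=bar&auto_prepend_file=%2Ftmp%2Fx HTTP/1.1" 200 17
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> dict | None:
    """Parse one common-log-format line; return None for unparseable lines."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def suspicious_indicators(target: str) -> list[str]:
    """Return the PHP environment/ini indicators found in a request target.

    PHPRC is matched as an exact parameter name after percent-decoding
    (environment variable names are case-sensitive), so an encoded form such
    as %50HPRC is still caught. auto_prepend_file is matched as a substring of
    the decoded target because it can appear as a name or a value.
    """
    indicators: list[str] = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name == "PHPRC":
            indicators.append(f"PHPRC={value}")
    if "auto_prepend_file" in unquote(target).lower():
        indicators.append("auto_prepend_file in request target")
    return indicators


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that carries a suspicious indicator."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = suspicious_indicators(entry["target"])
        if hits:
            findings.append(
                {
                    "ip": entry["ip"],
                    "ts": entry["ts"],
                    "target": entry["target"],
                    "indicators": hits,
                }
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['target']} -> "
              f"{', '.join(finding['indicators'])}")
```

Because the first two steps are file uploads, their bodies never reach an access log; on a real device, correlate a PHPRC hit with preceding POST requests from the same source address, and treat any hit as grounds for treating the device as compromised until its file system has been checked.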
Juniper has not yet reported any active exploitation of these flaws. However, watchTowr Labs expects attackers to begin targeting unpatched Juniper devices in widespread attacks soon. Administrators are advised to apply Juniper's patches or upgrade JunOS to a fixed release as soon as possible or, at the very least, to implement the mitigations the vendor suggests.
"Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation," the researchers warned. "Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Web interface if at all possible."
In June, the Cybersecurity and Infrastructure Security Agency (CISA) issued this year's first binding operational directive (BOD) instructing U.S. federal agencies to secure Internet-exposed or misconfigured networking equipment such as Juniper's firewall and switch devices within two weeks of discovery.