Juniper Networks Addresses Critical RCE Vulnerability in Firewalls and Switches

January 12, 2024

Juniper Networks has announced security patches to resolve a severe pre-authentication remote code execution (RCE) vulnerability that affects its SRX Series firewalls and EX Series switches. This critical security flaw, tracked as CVE-2024-21591, is located in the devices' J-Web configuration interfaces. It could be exploited by unauthorized threat actors to gain root access or initiate denial-of-service (DoS) attacks against devices that have not been patched.

The company stated in a security advisory published on Wednesday, 'This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory.' Juniper's Security Incident Response Team has found no evidence of the vulnerability being exploited in the wild.

The vulnerability affects a long list of Junos OS versions. It has been addressed in Junos OS 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases. Administrators are urged to apply the security updates immediately or upgrade Junos OS to the latest release. As a minimum measure, they should disable the J-Web interface to eliminate the attack vector.

An alternative temporary solution is to limit J-Web access to trusted network hosts only until patches are deployed. According to information from the nonprofit internet security organization Shadowserver, over 8,200 Juniper devices have their J-Web interfaces exposed online, most of them being in South Korea.
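The two interim mitigations above (remove J-Web, or restrict it to trusted hosts) expressed as Junos set-style configuration, added here as an illustration rather than taken from Juniper's advisory or the article; the filter name PROTECT-RE and the management range 192.0.2.0/24 are constructed placeholders.

```junos
## Option 1: remove J-Web entirely. CLI/SSH and NETCONF management are unaffected.
delete system services web-management

## Option 2: keep J-Web but only accept it from a trusted management subnet.
## 192.0.2.0/24 is a constructed placeholder; substitute the real management range.
set firewall family inet filter PROTECT-RE term jweb-trusted from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-trusted then accept
## Log and drop J-Web connection attempts from anywhere else (useful detection signal).
set firewall family inet filter PROTECT-RE term jweb-untrusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-untrusted from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-untrusted then syslog
set firewall family inet filter PROTECT-RE term jweb-untrusted then discard
## Do not lock out other Routing Engine traffic (SSH, routing protocols, etc.).
set firewall family inet filter PROTECT-RE term allow-rest then accept
## Applying the filter to lo0 makes it govern all traffic destined to the Routing Engine,
## which is where J-Web listens, regardless of the ingress interface.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

commit check
commit comment "CVE-2024-21591 interim mitigation: restrict J-Web"

## Verify: web-management should be absent (option 1) or the filter should be counting hits (option 2).
show system services web-management
run show firewall filter PROTECT-RE
```

On SRX, J-Web reachability is additionally gated per zone by `host-inbound-traffic system-services http`/`https`; remove those from any zone that does not need management access, especially Internet-facing ones.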

In November, CISA also issued a warning about a Juniper pre-auth RCE exploit being used in the wild, which chained together four bugs tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847. These bugs affected Juniper's SRX firewalls and EX switches. This alert was issued after Shadowserver detected the first exploitation attempts on August 25, just a week after Juniper released patches and as soon as watchTowr Labs released a proof-of-concept (PoC) exploit.

In September, a vulnerability intelligence firm discovered thousands of Juniper devices still vulnerable to attacks using this exploit chain. On November 17, CISA added these four bugs to its Known Exploited Vulnerabilities Catalog, labeling them as 'frequent attack vectors for malicious cyber actors' with 'significant risks to the federal enterprise.' The U.S. cybersecurity agency issued the first binding operational directive (BOD) of the year last June, mandating federal agencies to secure their Internet-exposed or misconfigured networking equipment, such as Juniper firewalls and switches, within a two-week window following discovery.
