Critical Vulnerability Affecting Juniper Devices

Published on 19 Sep 2023

Juniper Networks has released a security update to address a series of five vulnerabilities in the J-Web component of Junos OS. When chained together, these vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.

Successful chained exploitation of the vulnerabilities could allow an unauthenticated attacker to remotely execute code on vulnerable devices. These vulnerabilities are reportedly being actively exploited as part of an exploit chain.

Details of the vulnerabilities are as follows:

  • PHP Environment Variable Manipulation (CVE-2023-36844/CVE-2023-36845) - An unauthenticated attacker is able to utilise a specially crafted request to modify certain PHP environment variables, leading to a partial loss of integrity, which may allow chaining to other vulnerabilities.
  • Missing Authentication for Critical Function (CVE-2023-36846/CVE-2023-36847/CVE-2023-36851) - An unauthenticated attacker is able to upload arbitrary files via J-Web with a specially crafted request, leading to a partial loss of file system integrity, which may allow chaining to other vulnerabilities.

The vulnerabilities affect the following versions of Junos OS on the SRX Series (firewalls) and EX Series (switches):

Juniper Networks Junos OS on SRX Series:
  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S5
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S2
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

Juniper Networks Junos OS on EX Series:
  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S4
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S1
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

Users and administrators of affected product versions are advised to update to the latest version immediately.
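Deciding whether a given device falls inside the affected ranges above is easy to get wrong by eye, because Junos version strings (release train, R number, optional -S service release) do not sort as plain text. The following Python script is an added example, not code from the advisory or from Juniper: it encodes the affected-version table for the SRX and EX Series as the earliest fixed version per release train, parses Junos version strings into comparable tuples, and reports which entries of a small, constructed device inventory still need the update. The hostnames and versions in the inventory are made up for illustration; trains newer than 22.4 are treated as not affected because they are not listed in the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Junos version strings look like "21.2R3-S5" or "20.4R3-S8.2":
# train MAJOR.MINOR, release "R<n>", optional service release "-S<k>",
# optional trailing respin ".<r>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?$")

Version = Tuple[int, int, int, int, int]


def parse_junos_version(version: str) -> Version:
    """Return (major, minor, release, service, respin) so tuples compare correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service, respin = m.groups()
    return (int(major), int(minor), int(release), int(service or 0), int(respin or 0))


# Earliest fixed version per release train, transcribed from the advisory table.
# None means every version in that train is affected ("21.1R1 and later").
# Where the advisory lists two fixes (e.g. 22.3R2-S2 and 22.3R3) the later R
# release already sorts above the earlier service release, so one entry suffices.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Optional[str]]] = {
    "SRX": {
        (20, 4): "20.4R3-S8",
        (21, 1): None,
        (21, 2): "21.2R3-S6",
        (21, 3): "21.3R3-S5",
        (21, 4): "21.4R3-S5",
        (22, 1): "22.1R3-S3",
        (22, 2): "22.2R3-S2",
        (22, 3): "22.3R2-S2",
        (22, 4): "22.4R2-S1",
    },
    "EX": {
        (20, 4): "20.4R3-S8",
        (21, 1): None,
        (21, 2): "21.2R3-S6",
        (21, 3): "21.3R3-S5",
        (21, 4): "21.4R3-S4",
        (22, 1): "22.1R3-S3",
        (22, 2): "22.2R3-S1",
        (22, 3): "22.3R2-S2",
        (22, 4): "22.4R2-S1",
    },
}


def is_affected(platform: str, version: str) -> bool:
    """True if this Junos version on the given platform (SRX or EX) is in an affected range."""
    train_fixes = FIXED_VERSIONS[platform.upper()]
    parsed = parse_junos_version(version)
    train = parsed[:2]
    # "All versions prior to 20.4R3-S8" covers every train older than 20.4.
    if train < (20, 4):
        return True
    # Assumption: trains newer than 22.4 are not listed, so they are not flagged.
    if train not in train_fixes:
        return False
    fixed = train_fixes[train]
    if fixed is None:
        return True  # whole train affected, no fixed release within it
    return parsed < parse_junos_version(fixed)


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the sorted hostnames whose (platform, version) is affected."""
    return sorted(host for host, platform, ver in inventory if is_affected(platform, ver))


# Constructed sample inventory: (hostname, platform, running Junos version).
INVENTORY = [
    ("srx-edge-01", "SRX", "21.4R3-S4"),   # affected: SRX fixed in 21.4R3-S5
    ("srx-edge-02", "SRX", "22.4R3"),      # fixed
    ("ex-core-01", "EX", "21.1R3"),        # affected: all of 21.1
    ("ex-access-07", "EX", "20.4R3-S8"),   # fixed
]

if __name__ == "__main__":
    for host in check_inventory(INVENTORY):
        print(f"{host}: affected, update required")
```

Note that the SRX and EX tables differ for the 21.4 and 22.2 trains, so the platform must be supplied alongside the version; a version that is fixed on EX (21.4R3-S4) is still affected on SRX.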

More information is available here:
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
https://www.bleepingcomputer.com/news/security/thousands-of-juniper-devices-vulnerable-to-unauthenticated-rce-flaw/