Get a demo
Voyager18 (research)

Fixing CVE-2023-36844, CVE-2023-36846 & CVE-2023-36847 in Juniper Networks

Juniper Networks has addressed CVE-2023-36844, CVE-2023-36846, & CVE-2023-36847. affecting Junos OS on SRX and EX Series devices. Here's everything you need to know.

Orani Amroussi | September 04, 2023

On August 17, 2023, Juniper Networks released an urgent advisory detailing four distinct vulnerabilities (CVEs) impacting Junos OS operating on SRX and EX Series devices. In November, 2023, CISA issued a warning to federal agencies about these same vulnerabilities. Here’s everything you need to know about CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847:

What are CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847?

CVE-2023-36846

Primarily affecting the SRX Series, this vulnerability stems from a missing authentication for a critical function in the Junos OS. This gap allows potential attackers, without authentication, to upload arbitrary files via J-Web, impacting the file system’s integrity and possibly paving the way for other vulnerabilities.

CVE-2023-36844

This vulnerability is prevalent in the EX Series, where a PHP External Variable Modification vulnerability exists in the J-Web component. An attacker can exploit this to control certain crucial environment variables, altering specific PHP environment variables using a crafted request, leading to a partial loss of integrity and possibly initiating other vulnerabilities.

CVE-2023-36847

Similar to CVE-2023-36846, this vulnerability affects the EX Series and involves missing authentication for a critical function. This can lead to limited file system integrity impacts, as attackers can upload arbitrary files via J-Web, potentially leading to further vulnerabilities.

On November 13 2023, CISA issued a warning to federal agencies, urging them to fortify Juniper devices within their networks by Friday. This advisory comes in response to the active exploitation of four vulnerabilities, which are being used in remote code execution (RCE) attacks as components of a pre-authentication exploit chain.

Do they affect me?

If you are utilizing Juniper Networks Junos OS, especially on SRX and EX Series devices, these vulnerabilities may indeed affect you. These vulnerabilities can compromise the J-Web component, which listens on the default ports 80 and 443 of the management interface. Notably, these vulnerabilities could potentially grant attackers an opportunity to pivot to internal networks of organizations, despite existing platform mitigations. Given the wide deployment of Juniper software and the considerable number of devices exposed to the internet, understanding and addressing these vulnerabilities should be a priority.

Have CVE-2023-36844, CVE-2023-36846, or CVE-2023-36847 been actively exploited in the wild?

Yes, there have been active exploits reported in the wild. Notably, the security organization Shadowserver noted attempts to exploit “CVE-2023-36844 and friends” since August 25. Moreover, a public proof of concept and a detailed write-up from watchTowr illustrated how attackers could execute arbitrary PHP code within a limited environment (BSD jail) through these vulnerabilities.

 

mitre

 

Fixing CVE-2023-36844

Addressing these vulnerabilities should be a top priority for organizations utilizing affected Juniper Network devices. Firstly, refer to the detailed guidelines provided in the Juniper Networks advisory for comprehensive mitigation guidance.

Here are the primary steps you should take:

  • Patch Your Devices: Organizations should promptly update their devices to the recommended versions as listed in the advisory to patch the vulnerabilities.
  • Disable J-Web: If applying the patch is not immediately possible, it is recommended to disable the J-Web component or restrict its access to trusted hosts only to prevent potential exploits.
  • Regular Monitoring and Updates: Always keep a close eye on any developments and updates regarding these vulnerabilities and apply subsequent patches or solutions as they become available.

By taking these steps, you can significantly reduce the risk of falling victim to these vulnerabilities and maintain a secure and robust network infrastructure.

Next steps

Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. Announcing the Attack Path Graph for end-to-end risk prioritization
  2. Can you trust ChatGPT’s package recommendations?
  3. MITRE ATTACK framework – Mapping techniques to CVEs  
  4. Exploit maturity: an introduction  
  5. IBM’s Cost of a Data Breach report 2023 – what we learned

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management