On August 17, 2023, Juniper Networks released an out-of-cycle security advisory detailing four distinct vulnerabilities (CVEs) in the J-Web component of Junos OS on SRX Series and EX Series devices. On November 13, 2023, CISA warned federal agencies about the same vulnerabilities after they were seen being exploited in the wild. Here’s everything you need to know about three of them, CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847:
What are CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847?
CVE-2023-36846
This vulnerability affects the SRX Series and stems from missing authentication for a critical function in the J-Web component of Junos OS. With a specific request that requires no authentication, a network-based attacker can upload arbitrary files via J-Web, causing a loss of integrity for part of the file system, which may allow chaining to other vulnerabilities.
CVE-2023-36844
This vulnerability affects the EX Series and is a PHP External Variable Modification weakness in the J-Web component. Using a crafted request, an unauthenticated, network-based attacker can modify certain important PHP environment variables, leading to a partial loss of integrity that may allow chaining to other vulnerabilities (for example, turning an arbitrary file upload into code execution).
CVE-2023-36847
Similar to CVE-2023-36846 but affecting the EX Series, this vulnerability is also a missing authentication for a critical function: an unauthenticated, network-based attacker can upload arbitrary files via J-Web, causing a limited loss of file system integrity that can be chained with other vulnerabilities.
On November 13, 2023, CISA added these J-Web vulnerabilities to its Known Exploited Vulnerabilities catalog and urged federal agencies to remediate affected Juniper devices on their networks by Friday, November 17, 2023. The warning came in response to active exploitation in which the vulnerabilities are chained together into a pre-authentication remote code execution (RCE) attack.
Do they affect me?
If you run Juniper Networks Junos OS on SRX Series or EX Series devices, these vulnerabilities may affect you. They live in the J-Web component, which listens on the default HTTP and HTTPS ports (80 and 443) of whichever interfaces web management is enabled on, so any device whose J-Web is reachable from the internet is directly exposed. Because SRX and EX devices sit at the network edge, a successful exploit chain can give an attacker a foothold from which to pivot into the organization’s internal network, even though J-Web’s PHP runs in a restricted BSD jail. Given the wide deployment of Junos OS and the considerable number of J-Web instances exposed to the internet, understanding and addressing these vulnerabilities should be a priority.
Have CVE-2023-36844, CVE-2023-36846, or CVE-2023-36847 been actively exploited in the wild?
Yes. Shadowserver reported seeing exploitation attempts against “CVE-2023-36844 and friends” since August 25, 2023, only days after the advisory was published. Moreover, a public proof of concept and a detailed write-up from watchTowr showed how an unauthenticated attacker can chain the arbitrary file upload with the PHP environment variable modification to execute arbitrary PHP code inside J-Web’s limited environment (a BSD jail).
Fixing CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847
Addressing these vulnerabilities should be a top priority for organizations running affected Juniper devices. First, refer to the Juniper Networks advisory for the list of affected and fixed Junos OS releases and for its mitigation guidance.
Here are the primary steps you should take:
- Patch Your Devices: Update affected devices to the fixed Junos OS release listed in the advisory for your platform and release train.
- Disable J-Web: If patching is not immediately possible, disable the J-Web component, or restrict it to trusted management hosts only by limiting the interfaces it listens on and filtering who can reach it; in no case should J-Web be reachable from the internet.
- Regular Monitoring and Updates: Watch for updates to the advisory and apply subsequent patches as they become available, and review web-management access logs for unexpected requests to J-Web from untrusted sources.
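As an added example, not taken from the Juniper advisory or from the original text, here is what the exposure check from “Do they affect me?” and the “Disable J-Web” step look like in the Junos OS CLI, with the weak configuration shown beside two hardened alternatives. The interface names (fxp0.0; on many EX switches the management port is me0.0 or vme.0), the prefix-list and filter names, the zone name untrust, and the 192.0.2.0/24 management range are assumed placeholders; substitute your own.

```junos
# --- Exposure check (operational mode) ---
# Which Junos OS release is running, and is J-Web enabled, on which interfaces?
# No "interface" statement under http/https means J-Web listens on every
# interface that has an address, including internet-facing ones.
show version
show configuration system services web-management
# SRX only: which security zones allow HTTP/HTTPS to the device itself?
show configuration security zones | display set | match "system-services http"

# --- Weak setting (configuration mode): J-Web on all interfaces, HTTP and HTTPS ---
set system services web-management http
set system services web-management https system-generated-certificate

# --- Mitigation 1: disable J-Web entirely (preferred when it is not needed;
#     the CLI and NETCONF remain available for management) ---
delete system services web-management

# --- Mitigation 2: keep J-Web, HTTPS only, bound to the management interface,
#     and reachable only from a trusted prefix-list via a filter on lo0
#     (a filter on lo0 governs all traffic destined to the Routing Engine) ---
delete system services web-management http
set system services web-management https interface fxp0.0
set system services web-management https system-generated-certificate
set policy-options prefix-list jweb-trusted 192.0.2.0/24
set firewall family inet filter protect-re term jweb-trusted from source-prefix-list jweb-trusted
set firewall family inet filter protect-re term jweb-trusted from protocol tcp
set firewall family inet filter protect-re term jweb-trusted from destination-port [ http https ]
set firewall family inet filter protect-re term jweb-trusted then accept
set firewall family inet filter protect-re term jweb-block from protocol tcp
set firewall family inet filter protect-re term jweb-block from destination-port [ http https ]
set firewall family inet filter protect-re term jweb-block then discard
# Final term without a "from" clause: keep every other RE-bound protocol working
set firewall family inet filter protect-re term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input protect-re
# SRX only: the zone's host-inbound-traffic is a second gate; close it on untrusted zones
delete security zones security-zone untrust host-inbound-traffic system-services http
delete security zones security-zone untrust host-inbound-traffic system-services https
# Commit with an automatic rollback in case the lo0 filter locks you out
commit confirmed 5
```

Use `commit confirmed` whenever you add a filter to lo0: if the new filter cuts off your own management session, the candidate configuration is rolled back after the timeout. The trailing `allow-rest` term is what keeps SSH, routing protocols and other Routing Engine traffic working; the two J-Web terms only match TCP 80 and 443. On SRX Series, both controls matter: the lo0 filter and the zone’s `host-inbound-traffic` must each permit a connection before J-Web sees it, so removing `http`/`https` from untrusted zones is an independent way to close the exposure. Either mitigation reduces exposure but does not remove the vulnerable code; the fixed release from the advisory is still required.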
By taking these steps, you can significantly reduce the risk of falling victim to these vulnerabilities and maintain a secure and robust network infrastructure.
Next steps
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: