Pierluigi Paganini August 28, 2023

Researchers published a PoC exploit code for Juniper SRX firewall flaws that can be chained to gain RCE in Juniper’s JunOS.

watchTowr Labs security researchers published a proof-of-concept exploit (PoC) exploit code for vulnerabilities in Juniper SRX firewalls. An unauthenticated attacker can chain the vulnerabilities to gain remote code execution in Juniper JunOS on vulnerable devices.

In mid-August, Juniper addressed four medium-severity (CVSS 5.3) vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) impacting EX switches and SRX firewalls.

The vulnerabilities reside in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series.

“Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability.” reads the advisory published by Juniper. “By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.”

The company also suggests disabling J-Web, or limiting access to only trusted hosts, as a workaround for this flaw.

watchTowr Labs security researchers exploited a pre-authentication upload vulnerability (CVE-2023-36846) to upload an arbitrary PHP file to a restricted directory with a randomised file name. Then they exploited the same vulnerable function to upload a PHP configuration file (.ini) which points to and loads the above PHP file using the auto_prepend_file directive.

As all environment variables can be set via HTTP requests, the researchers exploited the CVE-2023-36845 to overwrite the environment variable PHPRC and load the PHP configuration file and trigger the execution of the PHP file initially uploaded.

watchTowr also published a deep dive into reproducing, chaining and exploiting these vulnerabilities.

“This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE.” explained the researchers.

The public availability of PoC exploit for these vulnerabilities can allow threat actors to carry out attacks against Juniper appliances. The researchers warn of an imminent large-scale exploitation of the above issues.

“Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation.” continues the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)