An estimated 12,000 Juniper SRX firewalls and EX switches are weak to a fileless distant code execution flaw that attackers can exploit with out authentication.
In August, Juniper disclosed quite a few ‘PHP surroundings variant manipulation’ (CVE-2023-36844/CVE-2023-36845) and ‘Lacking Authentication for Essential Operate’ (CVE-2023-36846/CVE-2023-36847) vulnerabilities that by themselves solely had a ‘medium’ severity score of 5.3.
Nonetheless, when chained collectively, these vulnerabilities turned a crucial distant code execution flaw with a score of 9.8.
In a later technical report, watchTowr Labs launched a PoC that chained the CVE-2023-36845 and CVE-2023-36846 flaws, permitting the researchers to remotely execute code by importing two information to a weak machine.
At present, VulnCheck vulnerability researcher Jacob Baines launched one other PoC exploit that solely makes use of CVE-2023-36845, bypassing the necessity to add information whereas nonetheless attaining distant code execution.
As a part of Baines’ report, the researcher shared a free scanner on GitHub to assist determine weak deployments, exhibiting hundreds of weak gadgets uncovered on the web.
“On this weblog, we demonstrated how CVE-2023-36845, a vulnerability flagged as “Medium” severity by Juniper, can be utilized to remotely execute arbitrary code with out authentication,” explains VulnCheck’s report.
“We have turned a multi-step (however superb) exploit into an exploit that may be written utilizing a single curl command and seems to have an effect on extra (older) programs.”
The affect of the recognized safety drawback is intensive and way more extreme than its “medium” CVSS score suggests, and admins should take quick motion to remediate the scenario.
The brand new exploit
Baines says he bought an outdated Juniper SRX210 firewall for testing the exploit however discovered his machine didn’t have the do_fileUpload() performance required to add information to the machine.
This successfully broke watchTowr’s exploit chain, inflicting the researcher to see if there was one other approach to obtain distant code execution.
Baines discovered that you can bypass the necessity to add two information on the goal servers by manipulating surroundings variables.
The Juniper firewall’s Appweb internet server processes consumer HTTP requests through stdin when working a CGI script.
Exploiting this, attackers can trick the system into recognizing a pseudo “file,”/dev/fd/0, and by adjusting the PHPRC surroundings variable and the HTTP request, they’ll show delicate knowledge.
Subsequent, VulnCheck harnessed PHP’s ‘auto_prepend_file’ and ‘allow_url_include’ options to run arbitrary PHP code through the information:// protocol with out importing any information.
That stated, the severity score of CVE-2023-36845, which is 5.4, ought to now be re-evaluated to a a lot larger crucial rating resulting from its means to realize distant code execution with out every other flaws.
Influence and danger
The CVE-2023-36845 vulnerability impacts the next variations of Junos OS on EX Sequence and SRX Sequence:
- All variations earlier than 20.4R3-S8
- 21.1 model 21.1R1 and later variations
- 21.2 variations earlier than 21.2R3-S6
- 21.3 variations earlier than 21.3R3-S5
- 21.4 variations earlier than 21.4R3-S5
- 22.1 variations earlier than 22.1R3-S3
- 22.2 variations earlier than 22.2R3-S2
- 22.3 variations earlier than 22.3R2-S2, 22.3R3
- 22.4 variations earlier than 22.4R2-S1, 22.4R3
The seller launched safety updates that addressed the vulnerability on August 17, 2023. Nonetheless, the low severity score the flaw acquired did not increase alarms on the impacted customers, a lot of whom may need opted to postpone its utility.
VulnCheck’s community scans confirmed 14,951 Juniper with internet-exposed internet interfaces. From a pattern dimension of three,000 gadgets, Baines discovered that 79% had been weak to this RCE flaw.
If that share is utilized to all uncovered gadgets, we could also be 11,800 weak gadgets on the web.
Lastly, the report mentions that Shadowserver and GreyNoise have seen attackers probing Junos OS endpoints, so hackers are already exploring the chance to leverage CVE-2023-36845 in assaults.
Due to this fact, Juniper admins should apply these updates as quickly as doable, as they could possibly be used to realize preliminary entry to company networks.