Multiple Vulnerabilities in Juniper Networks Junos OS

Critical out-of-band security updates highlight five vulnerabilities that can be chained to achieve pre-authentication remote code execution

Threat ID:: CC-4368
Threat Severity:: Medium
Published:: 21 August 2023 4:23 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Critical out-of-band security updates highlight five vulnerabilities that can be chained to achieve pre-authentication remote code execution

Affected platforms

The following platforms are known to be affected:

Juniper Networks Junos OS

Junos OS on SRX Series:

All versions prior to 20.4R3-S8
21.2 versions prior to 21.2R3-S6
21.3 versions prior to 21.3R3-S5
21.4 versions prior to 21.4R3-S5
22.1 versions prior to 22.1R3-S3
22.2 versions prior to 22.2R3-S2
22.3 versions prior to 22.3R2-S2, 22.3R3
22.4 versions prior to 22.4R2-S1, 22.4R3

Junos OS on EX Series:

All versions prior to 20.4R3-S8
21.2 versions prior to 21.2R3-S6
21.3 versions prior to 21.3R3-S5
21.4 versions prior to 21.4R3-S4
22.1 versions prior to 22.1R3-S3
22.2 versions prior to 22.2R3-S1
22.3 versions prior to 22.3R2-S2, 22.3R3
22.4 versions prior to 22.4R2-S1, 22.4R3

Threat details

Introduction

Juniper Networks has issued a security bulletin addressing five vulnerabilities in Junos OS, each with a CVSSv3 score of 5.3. These vulnerabilities can be chained together to allow an unauthenticated attacker to perform remote code execution on an affected system. When chained together these combined vulnerabilities have been assigned a CVSSv3 score of 9.8.

Proof-of-Concept published for CVE-2023-36845 and vulnerability chain

A proof-of-concept has been published that chains together the four vulnerabilities in this cyber alert. A separate proof-of-concept has also been published for CVE-2023-36845 alone. Exploitation is more likely.

Exploitation of CVE-2023-36846

Juniper Networks have stated that the vulnerability CVE-2023-36846 is being actively exploited in the wild.

Exploitation of CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851

Juniper SIRT is aware of successful malicious exploitation of CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851

Threat updates

Date	Update
14 Nov 2023	Exploitation of CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 and CVE-2023-36851 This article has been updated to reflect this change.
14 Nov 2023	CVE-2023-36851 added to the chain of exploit This article has been updated to reflect this change.
31 Oct 2023	Exploitation of CVE-2023-36846 This article has been updated to reflect this change.
19 Sep 2023	Proof-of-concept published for CVE-2023-36845 This article has been updated to reflect this change.
29 Aug 2023	Proof-of-concept published for vulnerability chain This article has been updated to reflect this change.

Remediation advice

Affected organisations are encouraged to review the Juniper Networks security bulletin and apply the relevant updates.

Definitive source of threat updates

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

CVE Vulnerabilities

Status Published

CVE-2023-36844

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.

Status Published

CVE-2023-36845

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities.

Status Published

CVE-2023-36846

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

Status Published

CVE-2023-36847

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

Status Published

CVE-2023-36851

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * 22.4 versions prior to 22,4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R2

Last edited: 14 November 2023 12:10 pm