The Cybersecurity and Infrastructure Security Agency (CISA) has mandated US federal agencies to promptly address five vulnerabilities being exploited to compromise Juniper networking devices. These vulnerabilities, although not severe individually, have been combined by attackers to enable remote code execution on exposed devices.
In late August 2023, Juniper Networks patched four security flaws (CVE-2023-36844 to CVE-2023-36847) in the J-Web GUI of devices running Junos OS. The company recommended that customers update their SRX firewalls and EX switches to address these vulnerabilities. However, after WatchTowr Labs researchers published technical details and a proof-of-concept (PoC) exploit, exploitation attempts increased.
Subsequently, a new variant of the SRX upload vulnerability (CVE-2023-36851), along with an exploit for the code execution vulnerability (CVE-2023-36845) that operates without prior file upload, was disclosed by external researchers. This led Juniper to emphasize the criticality of mitigating code execution capabilities, noting that doing so would significantly reduce the impact of the other issues.
The urgency of addressing these vulnerabilities escalated last week when Juniper confirmed the successful exploitation of these vulnerabilities. While specific details of the attacks were not disclosed, Juniper advised customers to either upgrade their devices, disable the J-Web GUI, or restrict its access exclusively to trusted hosts.
CISA has added these five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, setting an unusually short but necessary deadline of November 17 for federal agencies to apply patches. This accelerated timeline reflects the fact that a PoC exploit had been publicly available for months.
On the same day, CISA also added CVE-2023-47246, a vulnerability in SysAid Server exploited by Cl0p affiliates, to the KEV catalog. The deadline for addressing this vulnerability is slightly later.
While the KEV catalog is primarily intended for US federal agencies, CISA advises all organizations to utilize it for prioritizing critical vulnerabilities for patching.
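The prioritization CISA recommends amounts to cross-referencing the KEV feed against your own vulnerability inventory and ordering the work by KEV due date. The script below is an added example, not part of the original article or of any CISA tooling. The field names (cveID, vendorProject, product, dateAdded, dueDate) follow the public KEV JSON feed, but the feed entries, the dateAdded values, the SysAid due date, and the asset inventory are constructed placeholders; only the November 17 due date for the Juniper CVEs comes from the article.

```python
import json
from datetime import datetime

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match
# the public feed; the dateAdded values and the SysAid dueDate are placeholders
# built for this example, not a copy of the live catalog.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": f"CVE-2023-3684{n}", "vendorProject": "Juniper", "product": "Junos OS",
         "dateAdded": "2023-11-13", "dueDate": "2023-11-17"}
        for n in (4, 5, 6, 7)
    ] + [
        {"cveID": "CVE-2023-36851", "vendorProject": "Juniper", "product": "Junos OS",
         "dateAdded": "2023-11-13", "dueDate": "2023-11-17"},
        {"cveID": "CVE-2023-47246", "vendorProject": "SysAid", "product": "SysAid Server",
         "dateAdded": "2023-11-13", "dueDate": "2023-12-04"},  # placeholder due date
    ]
})

# Constructed asset inventory: hostname -> CVE ids reported by a scanner.
# CVE-0000-0000 is a placeholder for a finding that is not in KEV.
INVENTORY = {
    "srx-edge-01": ["CVE-2023-36845", "CVE-2023-36846", "CVE-0000-0000"],
    "ex-core-02": ["CVE-2023-36844"],
    "sysaid-app": ["CVE-2023-47246"],
}


def _parse_date(text):
    """KEV dates are ISO calendar dates (YYYY-MM-DD)."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def load_kev(feed_text):
    """Index a KEV JSON feed by CVE id for O(1) lookups."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def prioritize(kev, inventory, today_str):
    """Return (days_until_due, cve, host) for every inventoried CVE that is in
    KEV, most urgent first. Negative days mean the due date has already passed.
    Findings not in KEV are left to the normal patch cadence and are omitted."""
    today = _parse_date(today_str)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (_parse_date(entry["dueDate"]) - today).days
            rows.append((days_left, cve, host))
    return sorted(rows)


def overdue(kev, inventory, today_str):
    """Subset of prioritize() whose KEV due date has passed."""
    return [row for row in prioritize(kev, inventory, today_str) if row[0] < 0]


if __name__ == "__main__":
    kev = load_kev(KEV_SAMPLE)
    for days, cve, host in prioritize(kev, INVENTORY, "2023-11-14"):
        vendor = kev[cve]["vendorProject"]
        print(f"{days:>4}d  {cve}  {host:<12}  {vendor}")
```

In a real deployment the KEV_SAMPLE literal is replaced by the downloaded feed and INVENTORY by scanner export; the ordering logic is unchanged. The same-day due date for the five Juniper entries is what pushes them to the top regardless of their individual severity scores.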