Image by Bruno on Pixabay

In recent developments, it has come to light that approximately 12,000 Juniper SRX firewalls and EX switches are exposed to a fileless remote code execution vulnerability. This alarming security issue allows malicious actors to exploit the flaw without requiring any form of authentication, posing a severe threat to affected systems.

Back in August, Juniper Networks disclosed two distinct vulnerabilities: ‘PHP environment variable manipulation’ (CVE-2023-36844/CVE-2023-36845) and ‘Missing Authentication for Critical Function’ (CVE-2023-36846/CVE-2023-36847). At the time, these vulnerabilities were individually categorized as having a ‘medium’ severity rating, with a score of 5.3 on the CVSS scale. However, a significant twist emerged when these vulnerabilities were exploited in tandem, elevating the threat to a critical remote code execution flaw with a daunting rating of 9.8.

Adding fuel to the fire, a subsequent technical report released by watchTowr Labs demonstrated a Proof of Concept (PoC) that chained CVE-2023-36845 and CVE-2023-36846 together. This PoC allowed researchers to execute code remotely by uploading two files to a vulnerable device.

Recently, VulnCheck vulnerability researcher Jacob Baines unveiled another PoC exploit, which relies solely on CVE-2023-36845. What sets this apart is its capability to achieve remote code execution without the need to upload files. As part of his report, Baines also generously shared a free scanner on GitHub to help identify vulnerable deployments, revealing thousands of exposed devices on the internet.

The true impact of this security problem extends far beyond its initially assigned “medium” CVSS rating. Administrators must recognize the dire consequences and take immediate action to mitigate the risk.

The New Exploit

In an attempt to test the exploit, Jacob Baines procured an older Juniper SRX210 firewall. To his surprise, this device lacked the necessary functionality to execute the do_fileUpload() function required to upload files to the device. This setback disrupted watchTowr’s exploit chain, compelling Baines to explore alternative methods to achieve remote code execution.

Baines uncovered that it was possible to bypass the requirement of uploading files by manipulating environment variables. The Juniper firewall’s Appweb web server passes HTTP requests to a CGI script through stdin, so the request is reachable as a pseudo-file, /dev/fd/0 (the process’s standard input). By adjusting the PHPRC environment variable and the HTTP request accordingly, sensitive data can be exposed.

Furthermore, VulnCheck harnessed PHP’s ‘auto_prepend_file’ and ‘allow_url_include’ features to execute arbitrary PHP code through the data:// protocol, all without uploading any files. Consequently, CVE-2023-36845, initially rated at 5.4 in terms of severity, should now be reassessed with a much higher critical score due to its capacity to achieve remote code execution in isolation.
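As an added, defender-side example that is not part of the article, of VulnCheck’s scanner or of watchTowr’s report: a small Python detector that inspects web-server access log lines for the indicators the two paragraphs above name (a PHPRC parameter, the /dev/fd/0 pseudo-file, the auto_prepend_file and allow_url_include directives, and the data: stream wrapper). The common-log-format layout, the /cgi/demo.php path and the log lines themselves are constructed for the example and are not taken from a Juniper device.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
from typing import Dict, List

# Indicators named in the article: the PHPRC environment variable, the /dev/fd/0
# pseudo-file, PHP's auto_prepend_file / allow_url_include settings and data:.
PHP_ENV_PARAMS = {"PHPRC"}
SUSPICIOUS_TOKENS = ("/dev/fd/", "auto_prepend_file", "allow_url_include", "data:")

# Common log format request line (assumption: adapt the pattern to the real log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_request_target(target: str) -> List[str]:
    """Return the sorted, de-duplicated indicators found in one request target (path + query)."""
    findings = set()
    parts = urlsplit(target)
    # parse_qsl percent-decodes names and values, so URL-encoded variants are caught;
    # the extra unquote() also catches a second layer of encoding.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.upper() in PHP_ENV_PARAMS:
            findings.add(f"php-env-param:{name.upper()}")
        decoded_value = unquote(value).lower()
        for token in SUSPICIOUS_TOKENS:
            if token in decoded_value:
                findings.add(f"token:{token}")
    decoded_path = unquote(parts.path).lower()
    for token in SUSPICIOUS_TOKENS:
        if token in decoded_path:
            findings.add(f"token-in-path:{token}")
    return sorted(findings)


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse access-log lines and return one record per request carrying an indicator."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than crash the sweep
        indicators = inspect_request_target(match.group("target"))
        if indicators:
            hits.append({
                "src": match.group("src"),
                "ts": match.group("ts"),
                "target": match.group("target"),
                "indicators": indicators,
            })
    return hits


# Constructed sample log (addresses, timestamps and paths are made up for the example).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Sep/2023:10:15:01 +0000] "GET /login.php?user=alice HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Sep/2023:10:15:07 +0000] "GET /cgi/demo.php?PHPRC=/dev/fd/0 HTTP/1.1" 200 88',
    '203.0.113.9 - - [22/Sep/2023:10:15:09 +0000] "GET /cgi/demo.php?phprc=%2Fdev%2Ffd%2F0 HTTP/1.1" 200 88',
    '203.0.113.9 - - [22/Sep/2023:10:15:12 +0000] "POST /cgi/demo.php?cfg=data%3A%2F%2Ftext%2Fplain%3Bbase64%2CZm9v HTTP/1.1" 500 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["target"]} -> {", ".join(hit["indicators"])}')
```

The detector decodes both parameter names and values and compares names case-insensitively, because trivial encoding or case changes are the cheapest way to slip past a literal string match. The `data:` token will also fire on benign values that happen to contain it, so treat a hit as a triage lead rather than a verdict, and widen the regex if the device logs in a different format.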

Impact and Risk

The CVE-2023-36845 vulnerability impacts several versions of Junos OS on EX Series and SRX Series devices:

  • All versions before 20.4R3-S8
  • 21.1 versions 21.1R1 and later
  • 21.2 versions before 21.2R3-S6
  • 21.3 versions before 21.3R3-S5
  • 21.4 versions before 21.4R3-S5
  • 22.1 versions before 22.1R3-S3
  • 22.2 versions before 22.2R3-S2
  • 22.3 versions before 22.3R2-S2, 22.3R3
  • 22.4 versions before 22.4R2-S1, 22.4R3
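As an added example that is not part of the article or of VulnCheck’s scanner: a Python checker that parses Junos version strings and tests them against the affected ranges listed above, then runs over a device inventory. The version-string shape (`major.minorR<release>-S<service>`), the inventory line format, the hostnames and versions in the sample, and the treatment of release trains the list does not mention are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Junos release strings look like "21.2R3-S5": major.minor, R<release>, optional -S<service>.
# Assumption: any further suffix (".1" builds, -D variants) is ignored for this comparison.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+))?")


def parse_junos_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, service) for a Junos version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, release, service = match.groups()
    return int(major), int(minor), int(release), int(service or 0)


# First fixed (release, service) per train, taken from the article's list.
# 22.3R3 and 22.4R3 are also fixed, but they already sort above 22.3R2-S2 / 22.4R2-S1.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int]] = {
    (20, 4): (3, 8),
    (21, 2): (3, 6),
    (21, 3): (3, 5),
    (21, 4): (3, 5),
    (22, 1): (3, 3),
    (22, 2): (3, 2),
    (22, 3): (2, 2),
    (22, 4): (2, 1),
}


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected ranges in the article."""
    major, minor, release, service = parse_junos_version(version)
    train = (major, minor)
    if train < (20, 4):
        return True          # "All versions before 20.4R3-S8" covers every older train
    if train == (21, 1):
        return True          # "21.1R1 and later versions": no fixed 21.1 release is listed
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return False         # assumption: trains absent from the list (e.g. 23.x) are not affected
    return (release, service) < fixed


def check_inventory(lines: List[str]) -> List[Tuple[str, str]]:
    """Take 'hostname version' lines and return the (hostname, version) pairs still affected."""
    affected = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, version = line.split(maxsplit=1)
        if is_affected(version):
            affected.append((host, version.strip()))
    return affected


# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    "# host        junos-version",
    "srx-edge-01   20.4R3-S4",
    "srx-edge-02   20.4R3-S8",
    "ex-core-01    21.1R3-S5",
    "ex-core-02    21.4R3-S5",
    "srx-dc-01     22.3R2-S1",
    "srx-dc-02     22.4R3",
]

if __name__ == "__main__":
    for host, version in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {version} is inside an affected range; schedule the upgrade")
```

Comparing `(release, service)` tuples keeps the ordering simple, and a missing `-S` suffix is treated as service release 0, so `22.4R3` correctly sorts above `22.4R2-S1`. Note that a version check only tells you the device is unpatched; it says nothing about whether the web interface is reachable from the internet, which is the exposure the scans below measure.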

The vendor released security updates to address this vulnerability on August 17, 2023. However, the initial low severity rating might have led some users to postpone applying the necessary updates. VulnCheck’s network scans revealed 14,951 Juniper devices with internet-exposed web interfaces. From a sample size of 3,000 devices, Baines discovered that a staggering 79% were vulnerable to this remote code execution flaw. Extrapolating these figures to all exposed devices suggests that approximately 11,800 devices remain vulnerable on the internet.

Additionally, reports indicate that both Shadowserver and GreyNoise have detected probing attempts on Junos OS endpoints by potential attackers. This highlights the urgent need for Juniper administrators to apply these updates promptly, as failure to do so could grant malicious actors initial access to corporate networks.

In conclusion, the critical remote code execution vulnerabilities affecting Juniper SRX firewalls and EX switches should not be underestimated. Urgent action is imperative to secure these devices and protect the integrity of corporate networks in the face of an increasingly dangerous threat landscape.