Article Details

Scrape Timestamp (UTC): 2023-09-20 02:01:58.033

Source: https://www.theregister.com/2023/09/18/juniper_firewalls_rce/

Original Article Text


Thousands of Juniper Junos firewalls still open to hijacks, exploit code available to all.

Unauthenticated and remote code execution possible without dropping a file on disk.

About 79 percent of public-facing Juniper SRX firewalls remain vulnerable to a single security flaw that can allow an unauthenticated attacker to remotely execute code on the devices, according to threat intelligence platform provider VulnCheck.

Juniper revealed and addressed five flaws, which affect all versions of Junos OS on SRX firewalls and EX Series switches, in an out-of-cycle security bulletin on August 17. The networking and security company updated the advisory on September 7, after security researchers published a proof-of-concept (PoC) exploit and Juniper detected exploit attempts.

Two of the flaws are PHP external variable modification vulnerabilities (CVE-2023-36844 and CVE-2023-36845). The other three are described as "Missing Authentication for Critical Function" vulnerabilities (CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851).

"We achieved unauthenticated and remote code execution without dropping a file on disk"

It's unclear why Juniper chose to enumerate five CVEs instead of two. The org's descriptions for the two PHP external variable modification bugs are identical, as are those for the trio of missing-authentication-for-critical-function vulnerabilities. The bugs are all rated 5.3 on the ten-point CVSS severity rating scale. But because they can be combined to achieve remote code execution (RCE), the series of security flaws together earned a critical 9.8 CVSS score.

On August 25, bug hunters at vulnerability scanning service provider watchTowr published a multi-step proof-of-concept exploit for two of the bugs, CVE-2023-36845 and CVE-2023-36846, that allowed unauthenticated remote code execution by uploading two files.

It gets worse: VulnCheck on Monday published analysis in which its CTO Jacob Baines wrote that CVE-2023-36845 alone can achieve remote, unauthenticated code execution.

Here's how Juniper describes CVE-2023-36845:

"A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environment variables. Utilizing a crafted request, an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities."

Juniper did not respond to The Register's inquiries about the new RCE exploit, the confusing CVE descriptions, or the number of still-vulnerable devices.

For VulnCheck's exploit, Baines abused stdin to point the PHPRC environment variable at config data of his choosing within an HTTP request, without having to upload a separate file. Here's how Baines explained the first part of the exploit:

"The affected firewalls run FreeBSD, and every FreeBSD process can access its stdin by opening /dev/fd/0. By sending an HTTP request, we're able to introduce a 'file', /dev/fd/0, to the system. Using that trick, we can set the PHPRC environment variable to /dev/fd/0 and include the desired php.ini in our HTTP request."

For the second part of the attack, Baines used two PHP features. First, auto_prepend_file, which he explains "causes the provided file to be added using the require function." He paired that with allow_url_include, which "allows the use of URL-aware fopen wrappers with the following functions: include, include_once, require, require_once."

"Just like that, by only using CVE-2023-36845, we've achieved unauthenticated and remote code execution without actually dropping a file on disk," Baines wrote. "Our private exploit establishes a reverse shell, but that's quite trivial once you've reached this point."

VulnCheck has also released a free scanning tool to identify firewalls vulnerable to CVE-2023-36845.
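The technique described above leaves recognisable traces in the request itself: the PHPRC environment variable pointed at /dev/fd/0 and php.ini directives such as auto_prepend_file or allow_url_include arriving in the query string or body. The following triage function is an added example written for this page, not VulnCheck's scanner or anything from the article; it assumes a proxy or WAF has captured full requests (query and body) as plain records, and the request records, endpoint and directive values are constructed placeholders.

```python
"""Triage captured HTTP requests for the CVE-2023-36845 indicators the
article describes. Added example; not from The Register or VulnCheck."""
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the technique in the article:
#  - PHPRC pointed at a /dev/fd/N path (the process's own stdin is /dev/fd/0)
#  - php.ini directive names that enable remote/prepended includes
INDICATORS = {
    "phprc_stdin": re.compile(r"\bPHPRC\b[^&\n]*?/dev/fd/\d+", re.IGNORECASE),
    "ini_auto_prepend_file": re.compile(r"\bauto_prepend_file\b", re.IGNORECASE),
    "ini_allow_url_include": re.compile(r"\ballow_url_include\b", re.IGNORECASE),
}


def find_indicators(request_text):
    """Return the sorted indicator names present in one request's text.

    The text is URL-decoded first so percent-encoded slashes still match.
    """
    decoded = unquote_plus(request_text)
    return sorted(name for name, pat in INDICATORS.items() if pat.search(decoded))


def triage(requests):
    """Classify request records of the form {"id", "query", "body"}.

    Returns a list of (id, verdict, indicators). A PHPRC-to-stdin hit is the
    core of the described technique and is escalated to "alert"; ini
    directive names alone are "review" because they can appear in benign
    traffic (forum posts, documentation searches).
    """
    results = []
    for rec in requests:
        hits = find_indicators(rec["query"] + "\n" + rec["body"])
        if "phprc_stdin" in hits:
            verdict = "alert"
        elif hits:
            verdict = "review"
        else:
            verdict = "ok"
        results.append((rec["id"], verdict, hits))
    return results


# Constructed sample captures; values are placeholders, not a real payload.
SAMPLE_REQUESTS = [
    {"id": 1, "query": "page=status", "body": ""},
    {"id": 2, "query": "PHPRC=%2Fdev%2Ffd%2F0",
     "body": "auto_prepend_file=PLACEHOLDER\nallow_url_include=On"},
    {"id": 3, "query": "", "body": "allow_url_include=On"},
    {"id": 4, "query": "q=%2Fdev%2Ffd%2F0", "body": ""},  # path alone is not an indicator
]

if __name__ == "__main__":
    for rid, verdict, hits in triage(SAMPLE_REQUESTS):
        print(f"request {rid}: {verdict} {hits}")
```

Access logs alone will not catch the body-borne directives, which is why the example takes full captures; if only access logs are available, the PHPRC query-string indicator is still worth matching, and the definitive check remains the vendor patch level or VulnCheck's scanner.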
Despite the flaws in Juniper’s kit being known, and shown to be a real threat, VulnCheck believes the majority of affected internet-facing firewalls — about 15,000 devices — still aren't patched. If your devices remain vulnerable, patch them ASAP.

Daily Brief Summary

CYBERCRIME // Thousands of Juniper Junos Firewalls Vulnerable

Threat intelligence provider, VulnCheck, has found that 79% of public-facing Juniper SRX firewalls are vulnerable to a security flaw allowing unauthenticated remote code execution.

Juniper identified and addressed five security flaws affecting all versions of Junos OS on SRX firewalls and EX series switches in an out-of-cycle security bulletin on August 17.

The five flaws consist of two PHP external variable modification vulnerabilities and three "missing authentication for critical function" vulnerabilities.

Each flaw is rated 5.3 on the ten-point CVSS severity scale; combined, however, they earn a critical 9.8 CVSS score.

Juniper addressed the issues and updated its advisory on 7th September following the publication of a proof-of-concept exploit by security researchers.

Despite Juniper's action, VulnCheck believes that approximately 15,000 internet-facing firewalls remain unpatched and vulnerable.

VulnCheck has released a free scanning tool able to identify vulnerable firewalls and advises all affected to apply patches as soon as possible.