overview

This week, 12,000 Juniper SRX firewalls and EX switches were found to be vulnerable to a remote code execution flaw tracked as CVE-2023-36845. This vulnerability can be exploited by unauthenticated and remote attackers to execute arbitrary code on Juniper firewalls, all without the need to create any files on the system.  

CVE-2023-36845 has been categorized as a medium-severity vulnerability with a CVSS score of 5.3. It primarily impacts the J-Web component of Junos OS. Successful exploitation of the flaw could grant an attacker control over essential environment variables. Juniper Networks has addressed the issue with an out-of-cycle update, also covering CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847.  

Also, a proof-of-concept (PoC) exploit has been developed, chaining CVE-2023-36846 and CVE-2023-36845 to upload a PHP file containing malicious shellcode, ultimately achieving code execution. What makes this exploit particularly concerning is its ability to affect older systems with just a single cURL command, relying solely on CVE-2023-36845. Chained together, both vulnerabilities have a CVSS score of 9.8.  

This attack method involves manipulating the standard input stream (stdin) to set the PHPRC environment variable to "/dev/fd/0" through a specially crafted HTTP request. This transforms "/dev/fd/0" into a makeshift file, allowing sensitive information to be leaked. Next, arbitrary code execution is achieved by leveraging PHP's auto_prepend_file and allow_url_include options in combination with the data:// protocol wrapper. 

Remember that firewalls are attractive targets for APTs and can serve as gateways into protected hosts for command-and-control infrastructure. Although Juniper is not currently aware of any successful exploits, it’s still highly recommended that all customers apply the appropriate patches as soon as possible.  

 

 

avertium's recommendationS

  • Verify whether your Juniper firewall is vulnerable to CVE-2023-36845. 
  • Apply the necessary security patches and updates provided by Juniper Networks. 
  • Monitor your firewall for any signs of compromise. 

 

 

INDICATORS OF COMPROMISE (IoCs)

At this time, there are no known IoCs associated with CVE-2023-36845. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   

 

 

How Avertium is Protecting Our CUSTOMERS

  •  Fusion MXDR for Microsoft combines Avertium's Fusion MXDR approach with Microsoft Security Solutions, creating the first MDR offering that integrates all aspects of security operations into an active and threat-informed XDR solution. Leveraging Microsoft's comprehensive and cost-effective technology, Fusion MXDR for Microsoft delivers a release of cyber energy, encompassing implementation, optimization, ongoing management, and tuning. 
  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  







SUPPORTING DOCUMENTATION

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution (juniper.net) 

Thousands of Juniper devices vulnerable to unauthenticated RCE flaw (bleepingcomputer.com) 

Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability (thehackernews.com) 
Chat With One of Our Experts



RCE Remote Code Execution (RCE) vulnerabilities Remote Code Execution vulnerabilities Flash Notice RCE Flaw Juniper Firewall Blog