PoC Exploit for Juniper SRX Firewall Vulnerabilities

Carding

watchTowr Labs researchers have published a PoC exploit for vulnerabilities in Juniper SRX firewalls that allows remote code execution (RCE) on JunOS.

In mid-August Juniper fixed CVE-2023-36844, CVE-2023-36845, CVE-2023-36846 and CVE-2023-36847, rated Moderate Severity (CVSS 5.3), affecting the J-Web component of Juniper Networks Junos OS on the SRX and EX series.

In addition to the fix, the company also suggested disabling J-Web or limiting access to trusted hosts as a workaround.
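As an added illustration of the two workarounds mentioned above (this is not configuration from the watchTowr write-up or from Juniper's advisory), the following Junos set-style fragment contrasts an exposed J-Web setting with a hardened one. The 192.0.2.0/24 management range, the fxp0.0 management interface and the untrust zone/interface names are assumptions; the `#` lines are annotations, not Junos syntax.

```junos
# --- Exposed setting: J-Web over plain HTTP, reachable on an untrust interface ---
set system services web-management http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

# --- Workaround 1: disable J-Web entirely (recommended when the UI is not needed) ---
delete system services web-management
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

# --- Workaround 2: keep J-Web, but only over HTTPS, only on the management interface,
# --- and only from the trusted management subnet (assumed: 192.0.2.0/24, fxp0.0) ---
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

# Routing-engine filter: accept J-Web/HTTPS from trusted hosts, discard it from anyone else,
# and let all other control-plane traffic through so existing management is not broken.
set firewall family inet filter PROTECT-RE term trusted-jweb from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term trusted-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term trusted-jweb from destination-port https
set firewall family inet filter PROTECT-RE term trusted-jweb then accept
set firewall family inet filter PROTECT-RE term block-other-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term block-other-jweb from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term block-other-jweb then count jweb-blocked
set firewall family inet filter PROTECT-RE term block-other-jweb then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

The `count jweb-blocked` action gives operators a counter (`show firewall filter PROTECT-RE`) that reveals attempts to reach J-Web from outside the trusted range, which is useful while patching is still in progress.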

However, by chaining these vulnerabilities, an unauthenticated network attacker could remotely execute code in JunOS on vulnerable devices.

watchTowr Labs researchers exploited a pre-authentication upload vulnerability (CVE-2023-36846) to upload an arbitrary PHP file to a restricted directory, where it is stored under a random filename.

They then used the same vulnerable function to upload a PHP configuration file that references the first file through the auto_prepend_file directive.

Because environment variables can be set through HTTP requests, the researchers used CVE-2023-36845 to override the PHPRC environment variable so that PHP loads the uploaded configuration file, which in turn executes the originally uploaded PHP file.

The watchTowr researchers also provided a detailed step-by-step description of how they reproduced, chained, and exploited these vulnerabilities.

Given the public availability of the PoC, its ease of use, and the privileged position that JunOS devices occupy on the network, watchTowr warns that widespread exploitation of these issues is imminent.

Exploit: https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844