Attackers Actively Attempting to Chain Vulnerabilities for Remote Code Execution
Security experts are warning organizations with Juniper Networks devices to update them immediately to patch a collection of bugs attackers have been attempting to exploit.
Juniper on Aug. 17 issued an out-of-band security alert warning that multiple vulnerabilities exist in the Juniper Web Device Manager – or J-Web – graphic user interface, which is enabled by default on ports 80 and 443.
“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” Juniper said.
All prior, supported versions of the Juno operating system running on both SRX series firewalls and EX series switches appear to have the vulnerabilities.
The company has released a number of Juno OS updates that patch the flaws.
Juniper’s security incident response team said Wednesday while it “is not aware of a successful exploit against a customer, a proof of concept has been published and exploit attempts have been detected.”
Numerous organizations are likely at risk from attack attempts. “Juniper software is widely deployed, and Shodan shows around 10,000 devices facing the internet, although we can’t say with certainty how many are vulnerable,” security firm Rapid7 reported.
“While the issue is on the management interface, these devices tend to have privileged access to corporate networks,” Rapid7 said. “Successful exploitation would likely provide an opportunity for attackers to pivot to organizations’ internal networks.”
The flaws include PHP External variable modification vulnerabilities in J-Web – designated – CVE-2023-36844 in EX devices and CVE-2023-36845 in SRX devices.
The other vulnerability – designated CVE-2023-36846 in SRX devices and CVE-2023-36847 in EX devices – involves missing authentication. This allows “an unauthenticated, network-based attacker to cause limited impact to the file system integrity,” Juniper said. “With a specific request that doesn’t require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.”
Singapore-based red-teaming firm watchTowr on Aug. 25 released proof-of-concept code for exploiting the vulnerabilities, noting it only required about 30 minutes of effort to develop.
In general, security hardware operating systems are designed to “make executing an arbitrary binary difficult,” Rapid7 said. But the watchTowr POC details “how to execute arbitrary PHP code in the context of the root user,” and seems to be able to escape a BSD jail designed to defend against such attacks.
The Shadowserver Foundation, which scans the internet to identify and track malicious activity, said that since Aug. 25 it’s been “seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 and friends.”
As of Wednesday, Shadowserver reported seeing more than 8,200 IP addresses with an exposed J-Web interface, of which 3,000 were in South Korea, 857 in the United States and 372 in Hong Kong. How many of these might have been patched to fix the vulnerabilities wasn’t clear.
‘Moderate’ Flaws Combine for ‘Critical’ Risk
While each of the J-Web vulnerabilities in Juno OS is classed as being of moderate severity on its own, in combination they pose a critical risk, not least because they facilitate remote code execution. “This is an interesting bug chain, utilizing two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE,” watchTowr said, referring to remote code execution.
That’s why cybersecurity experts are warning security teams to treat the vulnerabilities as collectively posing a critical risk and to patch them as quickly as possible.
“When chained, the vulnerabilities permit an unauthenticated user to upload an arbitrary file to the Juno OS file system and then execute it,” Rapid7 said.
Juniper thanked “LYS,” who was working with the DevCore Internship Program in Taiwan, for reporting the vulnerabilities in a coordinated manner, which gave the vendor time to prepare and issue patches, apparently before any hackers had begun to exploit the flaws.
For any organizations using devices that run devices now considered to be “end of engineering” or “end of life,” Juniper warns that no patches will be available. The only way to block the vulnerabilities from being exploited, it said, is to “disable J-Web or limit access to only trusted hosts,” which users of supported devices can also do as a temporary mitigation until they get updates installed.