Four Juniper Junos OS flaws can be chained to remotely hack devices

Juniper Networks addressed multiple flaws in the J-Web component of Junos OS that could be chained to achieve remote code execution.

Juniper Networks has released an “out-of-cycle” security update to address four vulnerabilities in the J-Web component of Junos OS. The vulnerabilities could be chained to achieve remote code execution on vulnerable appliances.

The vulnerabilities impact all versions of Junos OS on SRX and EX Series.

“Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability.” reads the advisory published by the vendor.

“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices.”

Below is the list of flaw addressed by Juniper:

The specific issues reported and resolved are listed below:

CVE	CVSS	Summary
CVE-2023-36844	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)	A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify certain PHP environments variables leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
CVE-2023-36845	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)	A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environments variables. Utilizing a crafted request an attacker is able to modify a certain PHP environment variable leading to partial loss of integrity, which may allow chaining to other vulnerabilities.
CVE-2023-36846	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)	A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn’t require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain  part of the file system, which may allow chaining to other vulnerabilities.
CVE-2023-36847	5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)	A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn’t require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

The flaws received a cumulative severity Assessment (CVSS) Score of 9.8.

The vendor addressed the flaw with the release of the following versions:

For EX Series, the following releases have resolved this via PR 1735387: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
For SRX Series, the following releases have resolved this via PR 1735389: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S5*, 22.1R3-S3, 22.2R3-S2*, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.

The company as a workaround suggests disabling J-Web, or limiting access to only trusted hosts.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Juniper Networks)