{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-059.pdf"
    },
    "title": "Multiple Junos OS Vulnerabilities",
    "serial_number": "2023-059",
    "publish_date": "19-09-2023 09:36:53",
    "description": "Juniper Networks has released fixes to address several vulnerabilities. These vulnerabilities could potentially be chained together to allow unauthorised remote code execution (RCE) on SRX and EX series devices. The combined CVSS score for these flaws is 9.8 (Critical) and a PoC exploit has been publicly released. Therefore, CERT-EU strongly advises users to promptly update their devices to the latest versions, or apply the provided workaround.<br>\n[Update] On September 18, a VulnCheck vulnerability researcher released another PoC exploit that only utilises one of the vulnerabilities, bypassing the need to upload files while still achieving remote code execution.<br>\n",
    "url_title": "2023-059",
    "content_markdown": "---\ntitle: 'Multiple Junos OS Vulnerabilities' \nversion: '1.1'\nnumber: '2023-059'\noriginal_date: 'August 17, 2023'\ndate: 'September 19, 2023'\n---\n\n_History:_\n\n* _29/08/2023 --- v1.0 -- Initial publication_\n* _19/09/2023 --- v1.1 -- Summary and technical details update_\n\n# Summary\n\nJuniper Networks has released fixes to address several vulnerabilities. These vulnerabilities could potentially be chained together to allow unauthorised remote code execution (RCE) on SRX and EX series devices. The combined CVSS score for these flaws is 9.8 (Critical) and a PoC exploit has been publicly released. Therefore, CERT-EU strongly advises users to promptly update their devices to the latest versions, or apply the provided workaround [1,2].\n\n**[Update]** On September 18, a VulnCheck vulnerability researcher released another PoC exploit that only utilises one of the vulnerabilities, bypassing the need to upload files while still achieving remote code execution [4].\n\n# Technical Details\n\nJuniper disclosed four medium-severity vulnerabilities affecting its EX switches and SRX firewalls. All four lie in the J-Web interface, which administrators use to manage and configure Juniper devices.\n\nWith a crafted request that requires no authentication, an attacker can upload arbitrary files via J-Web. On its own this causes only a partial loss of integrity, but it can be chained with the other flaws.\n\nA public exploit chains the vulnerabilities in the following steps [2,3]:\n\n1. A pre-authentication upload vulnerability is used to upload an arbitrary PHP file to a restricted directory with a randomised file name.\n2. Using the same vulnerable function, the attacker uploads a PHP configuration file (`.ini`) which points to and loads the PHP file from step 1 using the `auto_prepend_file` directive.\n3. Because J-Web also lets an unauthenticated request set arbitrary environment variables for the PHP process (CVE-2023-36845), the attacker sets `PHPRC` to the path of the configuration file from step 2; PHP loads it, prepends the file from step 1, and executes the attacker's code.\n\n**[Update]** The second PoC, released on September 18, uses only **CVE-2023-36845** and achieves remote code execution without uploading any file. It consists of a single curl command that:\n\n1. Sets the `PHPRC` environment variable to `/dev/fd/0`, the path through which a FreeBSD process reads its own standard input, which for the PHP process handling the request carries the HTTP request body.\n2. Places the desired `php.ini` content in the request body, so that PHP reads the attacker's configuration, including an `auto_prepend_file` directive, instead of the system one; the write-up uses this to display sensitive data.\n3. Also enables the `allow_url_include` directive, so that `auto_prepend_file` accepts any stream wrapper; with `data://` the \u201csecond file\u201d is supplied inline and nothing needs to be uploaded.\n\nGiven the second PoC, the severity score of **CVE-2023-36845** may need to be revised upward to high or critical.\n\n# Affected Products\n\nThese issues affect Juniper Networks Junos OS on SRX Series:\n\n- All versions prior to 20.4R3-S8;\n- 21.1 version 21.1R1 and later versions;\n- 21.2 versions prior to 21.2R3-S6;\n- 21.3 versions prior to 21.3R3-S5;\n- 21.4 versions prior to 21.4R3-S5;\n- 22.1 versions prior to 22.1R3-S3;\n- 22.2 versions prior to 22.2R3-S2;\n- 22.3 versions prior to 22.3R2-S2, 22.3R3;\n- 22.4 versions prior to 22.4R2-S1, 22.4R3;\n\nThese issues affect Juniper Networks Junos OS on EX Series:\n\n- All versions prior to 20.4R3-S8;\n- 21.1 version 21.1R1 and later versions;\n- 21.2 versions prior to 21.2R3-S6;\n- 21.3 versions prior to 21.3R3-S5;\n- 21.4 versions prior to 21.4R3-S4;\n- 22.1 versions prior to 22.1R3-S3;\n- 22.2 versions prior to 22.2R3-S1;\n- 22.3 versions prior to 22.3R2-S2, 22.3R3;\n- 22.4 versions prior to 22.4R2-S1, 22.4R3.\n\n# Recommendations\n\nFor SRX series, the following releases have resolved the issues:\n\n- 20.4R3-S8 \n- 21.2R3-S6\n- 
21.3R3-S5\n- 21.4R3-S5\n- 22.1R3-S3\n- 22.2R3-S2\n- 22.3R2-S2\n- 22.3R3 \n- 22.4R2-S1 \n- 22.4R3\n- 23.2R1\n- All subsequent releases\n\nFor EX series, the following releases have resolved the issues:\n\n- 20.4R3-S8\n- 21.2R3-S6 \n- 21.3R3-S5 \n- 21.4R3-S4 \n- 22.1R3-S3 \n- 22.2R3-S1 \n- 22.3R2-S2 \n- 22.3R3\n- 22.4R2-S1 \n- 22.4R3\n- 23.2R1\n- All subsequent releases\n\nCERT-EU strongly recommends upgrading affected devices.\n\n## Workaround\n\nDisable J-Web, or limit access to only trusted hosts.\n\n# References\n\n[1] <https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US&ref=labs.watchtowr.com>\n\n[2] <https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844?ref=labs.watchtowr.com>\n\n[3] <https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/>\n\n[4] <https://vulncheck.com/blog/juniper-cve-2023-36845>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/08/2023 --- v1.0 -- Initial publication</em></li><li><em>19/09/2023 --- v1.1 -- Summary and technical details update</em></li></ul><h2 id=\"summary\">Summary</h2><p>Juniper Networks has released fixes to address several vulnerabilities. These vulnerabilities could potentially be chained together to allow unauthorised remote code execution (RCE) on SRX and EX series devices. The combined CVSS score for these flaws is 9.8 (Critical) and a PoC exploit has been publicly released. Therefore, CERT-EU strongly advises users to promptly update their devices to the latest versions, or apply the provided workaround [1,2].</p><p><strong>[Update]</strong> On September 18, a VulnCheck vulnerability researcher released another PoC exploit that only utilises one of the vulnerabilities, bypassing the need to upload files while still achieving remote code execution [4].</p><h2 id=\"technical-details\">Technical Details</h2><p>Juniper disclosed four medium-severity vulnerabilities affecting its EX switches and SRX firewalls. All four lie in the J-Web interface, which administrators use to manage and configure Juniper devices.</p><p>With a crafted request that requires no authentication, an attacker can upload arbitrary files via J-Web. On its own this causes only a partial loss of integrity, but it can be chained with the other flaws.</p><p>A public exploit chains the vulnerabilities in the following steps [2,3]:</p><ol><li>A pre-authentication upload vulnerability is used to upload an arbitrary PHP file to a restricted directory with a randomised file name.</li><li>Using the same vulnerable function, the attacker uploads a PHP configuration file (<code>.ini</code>) which points to and loads the PHP file from step 1 using the <code>auto_prepend_file</code> directive.</li><li>Because J-Web also lets an unauthenticated request set arbitrary environment variables for the PHP process (CVE-2023-36845), the attacker sets <code>PHPRC</code> to the path of the configuration file from step 2; PHP loads it, prepends the file from step 1, and executes the attacker's code.</li></ol><p><strong>[Update]</strong> The second PoC, released on September 18, uses only <strong>CVE-2023-36845</strong> and achieves remote code execution without uploading any file. It consists of a single curl command that:</p><ol><li>Sets the <code>PHPRC</code> environment variable to <code>/dev/fd/0</code>, the path through which a FreeBSD process reads its own standard input, which for the PHP process handling the request carries the HTTP request body.</li><li>Places the desired <code>php.ini</code> content in the request body, so that PHP reads the attacker's configuration, including an <code>auto_prepend_file</code> directive, instead of the system one; the write-up uses this to display sensitive data.</li><li>Also enables the <code>allow_url_include</code> directive, so that <code>auto_prepend_file</code> accepts any stream wrapper; with <code>data://</code> the \u201csecond file\u201d is supplied inline and nothing needs to be uploaded.</li></ol><p>Given the second PoC, the severity score of <strong>CVE-2023-36845</strong> may need to be revised upward to high or critical.</p><h2 id=\"affected-products\">Affected Products</h2><p>These issues affect Juniper Networks Junos OS on SRX Series:</p><ul><li>All versions prior to 20.4R3-S8;</li><li>21.1 version 21.1R1 and later versions;</li><li>21.2 versions prior to 21.2R3-S6;</li><li>21.3 versions prior to 21.3R3-S5;</li><li>21.4 versions prior to 21.4R3-S5;</li><li>22.1 versions prior to 22.1R3-S3;</li><li>22.2 versions prior to 22.2R3-S2;</li><li>22.3 versions prior to 22.3R2-S2, 22.3R3;</li><li>22.4 versions prior to 22.4R2-S1, 22.4R3;</li></ul><p>These issues affect Juniper Networks Junos OS on EX Series:</p><ul><li>All versions prior to 20.4R3-S8;</li><li>21.1 version 21.1R1 and later versions;</li><li>21.2 versions prior to 21.2R3-S6;</li><li>21.3 versions prior to 21.3R3-S5;</li><li>21.4 versions prior to 21.4R3-S4;</li><li>22.1 versions prior to 22.1R3-S3;</li><li>22.2 versions prior to 22.2R3-S1;</li><li>22.3 versions prior to 22.3R2-S2, 22.3R3;</li><li>22.4 versions prior to 22.4R2-S1, 22.4R3.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>For SRX series, the following releases have resolved the issues:</p><ul><li>20.4R3-S8 </li><li>21.2R3-S6</li><li>21.3R3-S5</li><li>21.4R3-S5</li><li>22.1R3-S3</li><li>22.2R3-S2</li><li>22.3R2-S2</li><li>22.3R3 </li><li>22.4R2-S1 
</li><li>22.4R3</li><li>23.2R1</li><li>All subsequent releases</li></ul><p>For EX series, the following releases have resolved the issues:</p><ul><li>20.4R3-S8</li><li>21.2R3-S6 </li><li>21.3R3-S5 </li><li>21.4R3-S4 </li><li>22.1R3-S3 </li><li>22.2R3-S1 </li><li>22.3R2-S2 </li><li>22.3R3</li><li>22.4R2-S1 </li><li>22.4R3</li><li>23.2R1</li><li>All subsequent releases</li></ul><p>CERT-EU strongly recommends upgrading affected devices.</p><h3 id=\"workaround\">Workaround</h3><p>Disable J-Web, or limit access to only trusted hosts.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US&ref=labs.watchtowr.com\">https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US&amp;ref=labs.watchtowr.com</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844?ref=labs.watchtowr.com\">https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844?ref=labs.watchtowr.com</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/\">https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://vulncheck.com/blog/juniper-cve-2023-36845\">https://vulncheck.com/blog/juniper-cve-2023-36845</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
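
The Affected Products and Recommendations sections of the advisory above give one first-fixed release per Junos train for SRX and for EX (with 21.4 and 22.2 differing between the two platforms, and the 21.1 train having no in-train fix). Junos version strings such as `21.4R3-S4.6` do not order correctly as plain strings, so a fleet check needs a parser. The following Python checker is an added example written for this page; it is not code from CERT-EU, Juniper, watchTowr or VulnCheck. It transcribes the advisory's fixed-release lists into a table and reports, for each device, whether the advisory lists its version as affected. The hostnames, the `SRX`/`EX` platform labels and the inventory rows at the bottom are constructed sample data, and the assumption that `show version` output follows the `major.minorR<release>[-S<service>][.build]` pattern is the author's, not the advisory's.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per Junos train, transcribed from the advisory's
# Recommendations section (23.2R1 and all subsequent releases are fixed).
# Within a train, every release at or above the listed one is fixed; the
# 21.1 train has no in-train fix and must be moved to another train.
FIXED_RELEASES: Dict[str, Dict[Tuple[int, int], str]] = {
    'SRX': {
        (20, 4): '20.4R3-S8',
        (21, 2): '21.2R3-S6',
        (21, 3): '21.3R3-S5',
        (21, 4): '21.4R3-S5',
        (22, 1): '22.1R3-S3',
        (22, 2): '22.2R3-S2',
        (22, 3): '22.3R2-S2',
        (22, 4): '22.4R2-S1',
        (23, 2): '23.2R1',
    },
    'EX': {
        (20, 4): '20.4R3-S8',
        (21, 2): '21.2R3-S6',
        (21, 3): '21.3R3-S5',
        (21, 4): '21.4R3-S4',
        (22, 1): '22.1R3-S3',
        (22, 2): '22.2R3-S1',
        (22, 3): '22.3R2-S2',
        (22, 4): '22.4R2-S1',
        (23, 2): '23.2R1',
    },
}

# Trains the advisory lists as affected with no fixed release inside the train.
UNFIXED_TRAINS = {(21, 1)}

# major.minor, 'R' release number, optional '-S' service release and an
# optional trailing build number (assumed format, e.g. 21.4R3-S4.6).
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$')


def parse_junos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, release, service) so versions compare as tuples."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f'unrecognised Junos version string: {version!r}')
    major, minor, release, service = m.groups()
    return (int(major), int(minor), int(release), int(service or 0))


def is_vulnerable(platform: str, version: str) -> Optional[bool]:
    """True if the advisory lists the version as affected, False if it is at or
    above the fixed release, None if the train is not covered (e.g. 23.1)."""
    fixes = FIXED_RELEASES[platform.upper()]
    parsed = parse_junos_version(version)
    train = parsed[:2]
    if train < min(fixes):
        return True                      # 'All versions prior to 20.4R3-S8'
    if train in UNFIXED_TRAINS:
        return True                      # '21.1 version 21.1R1 and later versions'
    if train in fixes:
        return parsed < parse_junos_version(fixes[train])
    if train > max(fixes):
        return False                     # '23.2R1' and 'All subsequent releases'
    return None                          # train the advisory does not mention


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Map (hostname, platform, version) rows to (hostname, verdict) pairs."""
    results = []
    for hostname, platform, version in inventory:
        try:
            state = is_vulnerable(platform, version)
        except ValueError:
            results.append((hostname, 'unparseable'))
            continue
        verdict = {True: 'vulnerable', False: 'fixed', None: 'unknown-train'}[state]
        results.append((hostname, verdict))
    return results


# Constructed sample inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ('fw-edge-1', 'SRX', '21.4R3-S4.6'),   # fixed on EX, still affected on SRX
    ('sw-core-1', 'EX', '21.4R3-S4.6'),
    ('fw-branch-2', 'SRX', '21.1R3-S5'),   # 21.1 train: no in-train fix
    ('sw-access-7', 'EX', '22.3R3'),
    ('fw-lab-9', 'SRX', '23.1R1'),         # train not mentioned in the advisory
    ('sw-old-3', 'EX', 'unknown'),
]

if __name__ == '__main__':
    for hostname, verdict in audit(SAMPLE_INVENTORY):
        print(f'{hostname:12s} {verdict}')
```

The checker deliberately returns `None` rather than guessing for a train the advisory does not list, so a device on such a release shows up as `unknown-train` for a human to resolve against the vendor bulletin [1]. A `fixed` verdict only means the version is at or above the release the advisory names; it says nothing about whether J-Web is still exposed, which the workaround (disable J-Web or restrict it to trusted hosts) addresses independently of the version.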