{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-008.pdf"
    },
    "title": "Critical Vulnerabilities in Junos OS",
    "serial_number": "2024-008",
    "publish_date": "15-01-2024 09:22:00",
    "description": "On January 10, 2024, Juniper released a security advisory addressing a critical vulnerability that, if exploited, could lead to a Denial of Service (DoS) or Remote Code Execution (RCE).<br>\nWhile Juniper SIRT is not aware of any malicious exploitation of this vulnerability, it is recommended to upgrade as soon as possible.<br>\n",
    "url_title": "2024-008",
    "content_markdown": "---\ntitle: 'Critical Vulnerabilities in Junos OS'\nnumber: '2024-008'\nversion: '1.0'\noriginal_date: 'January 10, 2024'\ndate: 'January 15, 2024'\n---\n\n_History:_\n\n* _15/01/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn January 10, 2024, Juniper released a security advisory addressing a critical vulnerability that, if exploited, could lead to a Denial of Service (DoS) or Remote Code Execution (RCE) [1].\n\nWhile Juniper SIRT is not aware of any malicious exploitation of this vulnerability, it is recommended to upgrade as soon as possible.\n\n# Technical Details\n\nThe vulnerability `CVE-2024-21591`, with a CVSS score of 9.8, is due to an insecure function that allows an attacker to overwrite arbitrary memory. It allows a network-based attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE) and obtain root privileges on the device.\n\nTo be vulnerable, at least one of the following configurations needs to be used on the device:\n\n- `[system services web-management http]`\n- `[system services web-management https]`\n\n# Affected Products\n\nThis issue affects Juniper Networks Junos OS SRX Series and EX Series:\n\n- Junos OS versions earlier than 20.4R3-S9;\n- Junos OS 21.2 versions earlier than 21.2R3-S7;\n- Junos OS 21.3 versions earlier than 21.3R3-S5;\n- Junos OS 21.4 versions earlier than 21.4R3-S5;\n- Junos OS 22.1 versions earlier than 22.1R3-S4;\n- Junos OS 22.2 versions earlier than 22.2R3-S3;\n- Junos OS 22.3 versions earlier than 22.3R3-S2;\n- Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.\n\n# Recommendations\n\nIt is strongly recommended to upgrade all Junos OS devices to one of the fixed versions (or newer). It is also recommended to limit access to the J-Web configuration interface to trusted hosts and networks only.\n\n## Workaround\n\nIf the update is not possible, a workaround is to disable J-Web, or to limit J-Web access to trusted hosts only.\n\n# References\n\n[1] <https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/01/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On January 10, 2024, Juniper released a security advisory addressing a critical vulnerability that, if exploited, could lead to a Denial of Service (DoS) or Remote Code Execution (RCE) [1].</p><p>While Juniper SIRT is not aware of any malicious exploitation of this vulnerability, it is recommended to upgrade as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2024-21591</code>, with a CVSS score of 9.8, is due to an insecure function that allows an attacker to overwrite arbitrary memory. It allows a network-based attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE) and obtain root privileges on the device.</p><p>To be vulnerable, at least one of the following configurations needs to be used on the device:</p><ul><li><code>[system services web-management http]</code></li><li><code>[system services web-management https]</code></li></ul><h2 id=\"affected-products\">Affected Products</h2><p>This issue affects Juniper Networks Junos OS SRX Series and EX Series:</p><ul><li>Junos OS versions earlier than 20.4R3-S9;</li><li>Junos OS 21.2 versions earlier than 21.2R3-S7;</li><li>Junos OS 21.3 versions earlier than 21.3R3-S5;</li><li>Junos OS 21.4 versions earlier than 21.4R3-S5;</li><li>Junos OS 22.1 versions earlier than 22.1R3-S4;</li><li>Junos OS 22.2 versions earlier than 22.2R3-S3;</li><li>Junos OS 22.3 versions earlier than 22.3R3-S2;</li><li>Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>It is strongly recommended to upgrade all Junos OS devices to one of the fixed versions (or newer). It is also recommended to limit access to the J-Web configuration interface to trusted hosts and networks only.</p><h3 id=\"workaround\">Workaround</h3><p>If the update is not possible, a workaround is to disable J-Web, or to limit J-Web access to trusted hosts only.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591\">https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}