Vulnerabilities

Juniper SRX firewalls and/or Juniper EX Series switches

Written by Critical Insight | Aug 18, 2023 7:38:00 PM

Juniper has released an "out-of-cycle" Security Bulletin on a series of vulnerabilities discovered in the J-Web component of the JUNO OS SRX and EX Series which, when chained, can be used by an unauthenticated, network-based attacker to achieve Remote Control Execution (RCE) on the device(s). CVSSv3 scores are noted below for each individual vulnerability, however the chained vulnerability has been assigned a CVSSv3 score of 9.8.

CVE-2023-36844 PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series
CVSSv3: 5.3
CVE-2023-36845 PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series
CVSSv3: 5.3
CVE-2023-36846 Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series
CVSSv3: 5.3
CVE-2023-36847 Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series
CVSSv3: 5.3

Affected Versions
These issues affect Juniper Networks Junos OS on SRX Series:

  • All versions prior to 20.4R3-S8;
  • 21.2 versions prior to 21.2R3-S6;
  • 21.3 versions prior to 21.3R3-S5;
  • 21.4 versions prior to 21.4R3-S5;
  • 22.1 versions prior to 22.1R3-S3;
  • 22.2 versions prior to 22.2R3-S2;
  • 22.3 versions prior to 22.3R2-S2, 22.3R3;
  • 22.4 versions prior to 22.4R2-S1, 22.4R3;

These issues affect Juniper Networks Junos OS on EX Series:

  • All versions prior to 20.4R3-S8;
  • 21.2 versions prior to 21.2R3-S6;
  • 21.3 versions prior to 21.3R3-S5;
  • 21.4 versions prior to 21.4R3-S4;
  • 22.1 versions prior to 22.1R3-S3;
  • 22.2 versions prior to 22.2R3-S1;
  • 22.3 versions prior to 22.3R2-S2, 22.3R3;
  • 22.4 versions prior to 22.4R2-S1, 22.4R3.

Mitigations
Per the Juniper Security Bulletin: To prevent remote code execution (RCE), only one PR needs to be fixed per platform.
For EX Series, the following releases have resolved this via PR 1735387:

  • 20.4R3-S8
  • 21.2R3-S6
  • 21.3R3-S5*
  • 21.4R3-S4
  • 22.1R3-S3
  • 22.2R3-S1
  • 22.3R2-S2
  • 22.3R3
  • 22.4R2-S1
  • 22.4R3*
  • 23.2R1
  • and all subsequent releases

For SRX Series, the following releases have resolved this via PR 1735389:

  • 20.4R3-S8
  • 21.2R3-S6
  • 21.3R3-S5*
  • 21.4R3-S5*
  • 22.1R3-S3
  • 22.2R3-S2*
  • 22.3R2-S2
  • 22.3R3
  • 22.4R2-S1
  • 22.4R3*
  • 23.2R1
  • and all subsequent releases
  • Pending Publication

Additional Mitigations
Disable J-Web, or limit access to only trusted hosts..

Additional Resources
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
View full post