From 2f039d32fe6181ed0d21327712a73278aafbf981 Mon Sep 17 00:00:00 2001 From: Maximand Date: Mon, 11 Sep 2023 21:39:53 +0200 Subject: [PATCH] casefile for DIVD-2023-00035 --- _cases/2023/DIVD-2023-00035.md | 65 ++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 _cases/2023/DIVD-2023-00035.md diff --git a/_cases/2023/DIVD-2023-00035.md b/_cases/2023/DIVD-2023-00035.md new file mode 100644 index 00000000..9091f6bf --- /dev/null +++ b/_cases/2023/DIVD-2023-00035.md 
@@ -0,0 +1,65 @@ +--- +layout: case +title: Remote Code Execution in Juniper Networks SRX- and EX-Series +excerpt: "A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on SRX and EX Series allows an unauthenticated, network-based attacker to control certain, important environments variables." +author: Max van der Horst +lead: Max van der Horst +researchers: +- Victor Pasman +- Alwin Warringa +- Max van der Horst +cves: +- CVE-2023-36844 +- CVE-2023-36845 +- CVE-2023-36846 +- CVE-2023-36847 +product: +- Juniper Networks SRX-Series +- Juniper Networks EX-Series +- Junos OS +versions: +- All versions before 20.4R3-S8 +- * 21.2 versions prior to 21.2R3-S6 +- * 21.3 versions prior to 21.3R3-S5 +- * 21.4 versions prior to 21.4R3-S5 +- * 22.1 versions prior to 22.1R3-S3 +- * 22.2 versions prior to 22.2R3-S2 +- * 22.3 versions prior to 22.3R2-S2, 22.3R3 +- * 22.4 versions prior to 22.4R2-S1, 22.4R3. +recommendation: Upgrade by installing the issued patch as soon as possible. +patch_status: Mitigated +workaround: Disable J-Web or limit access to trusted devices. +status : Open +start: 2023-09-11 +end: +timeline: +- start: 2023-09-11 + end: + event: "DIVD starts scanning for this vulnerability." +- start: 2023-08-22 + end: + event: "First version of this casefile." +# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials) +--- +## Summary + +Multiple vulnerabilities have been discovered in Juniper Networks SRX- and EX-Series. By chaining these vulnerabilities, an unauthenticated attacker can achieve Remote Command Execution and compromise the underlying operating system. Juniper urges everyone to upgrade to the patched versions as soon as possible. + +## Recommendations + +Juniper has released a patch for all affected versions and urges users to install it as soon as possible. If this is not an option, disable J-Web or limit access to trusted devices. 
+ +## What we are doing + +DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps. + + +{% comment %} Leave this here, so we see a timeline {% endcomment %} +{% include timeline.html %} + + +## More information + +* [Rapid7 Article](https://www.rapid7.com/blog/post/2023/08/31/etr-exploitation-of-juniper-networks-srx-series-and-ex-series-devices/) +* [Juniper Advisory](https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US&ref=labs.watchtowr.com) +* [WatchTowr Labs article](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/)
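Review bot: the timeline in this hunk is out of chronological order and its dates conflict with the front matter: `start: 2023-09-11` is set as the case start, yet the entry `event: "First version of this casefile."` is dated 2023-08-22 and listed after the 2023-09-11 scanning event; please order the entries by date and either make `start:` match the earliest event or correct the first-version date to 2023-09-11 (the date of this commit). Two smaller points in the same hunk: the `versions:` list mixes `- All versions before 20.4R3-S8` with items like `- * 21.2 versions prior to 21.2R3-S6`, so a literal `* ` will render inside every bullet after the first; drop the asterisks. The Juniper advisory link carries a `&ref=labs.watchtowr.com` tracking parameter copied from the watchTowr post and should be trimmed to the canonical advisory URL, and the excerpt's "environments variables" should read "environment variables".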