Merge pull request #670 from DIVD-NL/2023-00035

casefile for DIVD-2023-00035

_cases/2023/DIVD-2023-00035.md

@@ -0,0 +1,72 @@
+---
+layout: case
+title: Remote Code Execution in Juniper Networks SRX- and EX-Series
+excerpt: "By chaining multiple vulnerabilities an attacker is able to execute arbitrary code or commands via specifically crafted requests."
+author: Max van der Horst
+lead: Alwin Warringa
+researchers:
+- Victor Pasman
+- Alwin Warringa
+- Kaj Koole
+- Max van der Horst
+cves:
+- CVE-2023-36844
+- CVE-2023-36845
+- CVE-2023-36846
+- CVE-2023-36847
+- CVE-2023-36851
+product: 
+- Juniper Networks SRX-Series
+- Juniper Networks EX-Series
+- Junos OS
+versions: 
+- All versions before 20.4R3-S8
+- 21.2 versions prior to 21.2R3-S6
+- 21.3 versions prior to 21.3R3-S5
+- 21.4 versions prior to 21.4R3-S5
+- 22.1 versions prior to 22.1R3-S3
+- 22.2 versions prior to 22.2R3-S2
+- 22.3 versions prior to 22.3R2-S2, 22.3R3
+- 22.4 versions prior to 22.4R2-S1, 22.4R3.
+recommendation: Upgrade by installing the issued patch as soon as possible.
+patch_status: patches available
+workaround: Disable J-Web or limit access to trusted devices.
+status : Open
+start: 2023-09-11
+end: 
+timeline:
+- start: 2023-09-11
+  end:
+  event: "DIVD starts scanning for this vulnerability."
+- start: 2023-09-11
+  end:
+  event: "First version of this casefile."
+- start: 2023-09-11
+  end:
+  event: "DIVD starts researching fingerprint"
+# You can set IPs to n/a when this case isn't about IPs (e.g. stolen credentials)
+---
+## Summary
+
+Multiple vulnerabilities have been discovered in Juniper Networks SRX- and EX-Series. By chaining these vulnerabilities, an unauthenticated attacker can achieve Remote Command Execution (RCE) and compromise the underlying operating system. Juniper urges everyone to upgrade to the patched versions as soon as possible. 
+
+## Recommendations
+
+Juniper has released a patch for all affected versions and urges users to install it as soon as possible. If this is not an option, disable J-Web or limit access to trusted devices.
+- For EX Series, the following releases have resolved this via PR 1735387: 20.4R3-S8, 21.2R3-S6, 21.3R3-S5*, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3*, 23.2R1, and all subsequent releases.
+- For SRX Series, the following releases have resolved this via PR 1736942: 20.4R3-S9*, 21.2R3-S7*, 21.3R3-S5*, 21.4R3-S5*, 22.1R3-S4*, 22.2R3-S2*, 22.3R2-S2, 22.3R3-S1*, 22.4R2-S1, 22.4R3*, 23.2R1-S1*, 23.2R2*, 23.4R1*, and all subsequent releases.
+
+## What we are doing
+
+DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps.
+
+
+{% comment %}  Leave this here, so we see a timeline {% endcomment %}
+{% include timeline.html %}
+
+
+## More information
+
+* [Rapid7 Article](https://www.rapid7.com/blog/post/2023/08/31/etr-exploitation-of-juniper-networks-srx-series-and-ex-series-devices/)
+* [Juniper Advisory](https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US&ref=labs.watchtowr.com)
+* [WatchTowr Labs article](https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/)