Last updated on Thursday, August 31, 2023, 20:26:07 GMT

On August 17, 2023, Juniper Networks published an out-of-band advisory on four different CVEs affecting Junos OS on SRX and EX Series devices:

CVE-2023-36846 affects SRX Series

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

CVE-2023-36844 affects EX Series

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to control certain important environment variables. Utilizing a crafted request, an attacker is able to modify certain PHP environment variables. This would lead to partial loss of integrity, which may allow chaining to other vulnerabilities.

CVE-2023-36847 affects EX Series

A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on EX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.

CVE-2023-36845 affects EX and SRX Series

When chained, the vulnerabilities permit an unauthenticated user to upload an arbitrary file to the Junos OS file system and then execute it. It’s unclear exactly which issues need to be chained together — our research team was able to execute an attack chain successfully, but we did not determine the exact CVE mapping. The security organization Shadowserver posted on social media this week that they’d been seeing exploit attempts against “CVE-2023-36844 and friends” since August 25.

Further context

Platform mitigations make executing an arbitrary binary difficult, but a public proof of concept and associated reporting from watchTowr demonstrate how to execute arbitrary PHP code in the context of the root user. Notably, the attack chain does not allow for operating system-level code execution — instead, it gives the attacker code execution within a BSD jail, which is a stripped-down environment designed to run a single application (in this case the HTTP server). Jails have their own set of users and their own root account, which are limited to the jail environment, per the BSD documentation.

The vulnerabilities affect the Juniper EX Series (switches) and SRX Series (firewalls). While the issue is on the management interface, these devices tend to have privileged access to corporate networks, and even with code execution restricted to a BSD jail, successful exploitation would likely provide an opportunity for attackers to pivot to organizations’ internal networks.

Juniper software is widely deployed, and Shodan shows roughly 10,000 devices facing the internet, although we can't say with certainty how many are vulnerable. The affected Juniper service is J-Web, which is enabled by default on ports 80 and 443. The individual CVEs from Juniper are rated CVSS 5.3, but the advisory shows a combined CVSS score of 9.8. This sends a mixed message that might confuse users into thinking the impact of the flaws is of only moderate severity, which is not the case.

Organizations that are not able to apply the patch should disable J-Web or restrict access to only trusted hosts. See the Juniper Networks advisory for more information.

Affected products

CVE-2023-36845 and CVE-2023-36846 affect Juniper Networks Junos OS on the following versions of SRX Series:

  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S5
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S2
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3

CVE-2023-36844 and CVE-2023-36847 affect Juniper Networks Junos OS on the following versions of EX Series:

  • All versions prior to 20.4R3-S8
  • 21.1 version 21.1R1 and later versions
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S4
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S1
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3
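The two version lists above are the data a defender actually needs in order to triage an inventory, but comparing Junos release strings by hand is error-prone (a 22.3R3 is fixed even though its service-release number is lower than 22.3R2-S2's). The following is an added example, not Rapid7's or Juniper's code: it encodes both lists from this advisory as fixed-release thresholds and decides whether a given Junos version on a given series is in the affected ranges. Version strings are assumed to follow the `MAJOR.MINOR R<release>[-S<service>][.<build>]` format used in the lists; the `show version` sample below is constructed for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Junos release string, e.g. "21.2R3-S5" or "22.3R3"; an optional trailing
# ".<build>" (as printed by "show version") is accepted and ignored.
JUNOS_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


class JunosVersion(NamedTuple):
    major: int
    minor: int
    release: int   # the R number
    service: int   # the S number; 0 when absent

    @property
    def train(self) -> Tuple[int, int]:
        return (self.major, self.minor)


def parse_junos(version: str) -> JunosVersion:
    """Parse a Junos version string; raises ValueError on unexpected formats."""
    m = JUNOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    major, minor, release, service = m.groups()
    return JunosVersion(int(major), int(minor), int(release), int(service or 0))


# Per-train first fixed (release, service) from the advisory lists above.
# None means the advisory lists the whole train as affected (21.1R1 and later).
# Trains newer than those listed are not named as affected by this advisory.
FIRST_FIXED: Dict[str, Dict[Tuple[int, int], Optional[Tuple[int, int]]]] = {
    "SRX": {
        (20, 4): (3, 8), (21, 1): None, (21, 2): (3, 6), (21, 3): (3, 5),
        (21, 4): (3, 5), (22, 1): (3, 3), (22, 2): (3, 2),
        (22, 3): (2, 2),   # 22.3R2-S2; 22.3R3 compares higher and is fixed
        (22, 4): (2, 1),   # 22.4R2-S1; 22.4R3 compares higher and is fixed
    },
    "EX": {
        (20, 4): (3, 8), (21, 1): None, (21, 2): (3, 6), (21, 3): (3, 5),
        (21, 4): (3, 4), (22, 1): (3, 3), (22, 2): (3, 1),
        (22, 3): (2, 2), (22, 4): (2, 1),
    },
}
OLDEST_LISTED_TRAIN = (20, 4)  # "All versions prior to 20.4R3-S8"


def is_affected(version: str, series: str) -> bool:
    """True if this Junos version on series 'SRX' or 'EX' is in an affected range."""
    v = parse_junos(version)
    table = FIRST_FIXED[series.upper()]
    if v.train < OLDEST_LISTED_TRAIN:
        return True                      # covered by "all versions prior to 20.4R3-S8"
    if v.train not in table:
        return False                     # train not named in the advisory
    fixed = table[v.train]
    if fixed is None:
        return True                      # no fixed release on this train
    return (v.release, v.service) < fixed


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the 'Junos: <version>' line out of 'show version' output (assumed format)."""
    m = re.search(r"^Junos:\s*(\S+)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of 'show version' output, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: srx-edge-01
Model: srx345
Junos: 21.4R3-S4.9
"""

if __name__ == "__main__":
    ver = version_from_show_version(SAMPLE_SHOW_VERSION)
    for series in ("SRX", "EX"):
        print(f"{ver} on {series}: affected={is_affected(ver, series)}")
```

Note that the same build, 21.4R3-S4, is affected on SRX (first fix 21.4R3-S5) but fixed on EX (first fix 21.4R3-S4), which is why the check takes the series as input rather than the version alone.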

The vulnerability affects the J-Web component, which, by default, listens on ports 80 and 443 of the management interface.

Mitigation guidance

Organizations should patch their devices as soon as is practical. Those that are not able to apply the patch should disable J-Web or restrict access to only trusted hosts. See the Juniper Networks advisory for more information.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all four CVEs with vulnerability checks released in the August 17 content release.