Hackers have begun exploiting recently patched vulnerabilities in Juniper Networks firewalls that can be chained together to achieve remote code execution. Exploit details and a proof-of-concept were released late last week by a team of security researchers.
“This is an interesting bug chain, utilising two bugs that would be near-useless in isolation and combining them for a ‘world ending’ unauthenticated RCE,” researchers from security firm watchTowr said in their detailed analysis. “Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Web interface if at all possible.”
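Junos configuration-mode commands for restricting or removing J-Web, as an added example that is not part of this article or of watchTowr's write-up; it assumes fxp0.0 is the device's out-of-band management interface and that the device is administered over SSH, so removing J-Web does not cut off management access.

```text
## Weak: J-Web reachable on every interface, over plaintext HTTP and HTTPS
set system services web-management http
set system services web-management https system-generated-certificate

## Hardened: drop the plaintext listener and bind HTTPS J-Web to the
## out-of-band management interface only (fxp0.0 is an assumption)
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

## If J-Web is not needed at all, remove the service outright
delete system services web-management

## Review the resulting stanza, validate, then activate
show system services web-management
commit check
commit
```

Re-run `show system services web-management` after the commit to confirm no `http` stanza remains and the `https` listener is bound only to the management interface.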
Four Juniper bugs but only two needed
On August 18, Juniper patched four vulnerabilities in its SRX Series and EX Series firewalls. The flaws are in the J-Web component of Junos OS, the operating system of Juniper firewall devices, and are all rated 5.3 out of 10 on the CVSS scale. This translates to a medium severity, which is generally treated with lower priority in patching cycles. However, in this particular case, some of the vulnerabilities can be chained together to achieve remote code execution without authentication, which Juniper clearly warns about in its advisory.
Two flaws, CVE-2023-36846 and CVE-2023-36847, are related and allow an unauthenticated attacker to send specially crafted requests to a device that could allow them to upload arbitrary files via J-Web to the file system. The other two flaws, CVE-2023-36844 and CVE-2023-36845, are also related to each other and both allow an unauthenticated attacker to modify certain PHP environment variables.
Following Juniper’s advisory, researchers from watchTowr were intrigued by the possibility of chaining these flaws, so they set out to investigate them. It turns out that only two are needed to achieve the attack: one file upload and one environment variable modification.
First, they found the CVE-2023-36846 vulnerability by looking at the internal functions of the J-Web interface, which is a PHP application. They located one called do_upload that handles the upload of files and immediately noticed that it lacked an authentication check. Therefore, exploitation was easy, but the uploaded file was placed in a tmp folder and it appeared that the web server itself was running as a jailed process.