Nearly 12,000 Juniper firewalls found vulnerable to a recent RCE flaw
A detailed analysis of the recent RCE vulnerability in Juniper firewalls and how it was exploited
New research has found that approximately 12,000 Juniper firewall devices exposed to the Internet are vulnerable to a recent remote code execution (RCE) flaw. VulnCheck, which discovered a new exploit pattern for CVE-2023-36845, said this vulnerability can be exploited by an unauthenticated, remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system.
The vulnerability CVE-2023-36845
This is a medium-severity vulnerability (CVSS 5.3) in the J-Web component of Junos OS that allows an unauthenticated, network-based attacker to control certain environment variables of the PHP process behind J-Web. Juniper Networks released a patch for it last month, in the same advisory as three other J-Web vulnerabilities, CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847; the advisory also lists disabling J-Web, or restricting it to trusted hosts, as a workaround.
A Proof-of-Concept (PoC) exploit
The earlier Proof-of-Concept (PoC) exploit published by watchTowr chained CVE-2023-36846 with CVE-2023-36845: the first was used to upload a PHP file containing attacker-controlled code, the second to make the PHP interpreter load it and execute arbitrary code. VulnCheck's exploit, by contrast, also works against older systems, relies on CVE-2023-36845 alone, and can be delivered with a single cURL command.
The execution of arbitrary code
It works by setting the PHPRC environment variable to "/dev/fd/0" through a specially crafted HTTP request. PHPRC tells PHP where to look for its php.ini, and "/dev/fd/0" is the process's standard input stream (stdin), which for php-cgi carries the request body; the body of the request is therefore parsed as a makeshift php.ini file, which is enough to leak sensitive information. Execution of arbitrary code then follows by enabling PHP's allow_url_include option and pointing auto_prepend_file at a data:// URL whose contents are the attacker's PHP code.
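The request shape described above, as an added example that is not code from VulnCheck, watchTowr or this article: a small Python detector that flags HTTP request records matching the PHPRC-via-stdin pattern (client-supplied PHPRC, a php.ini body, the code-loading directives and the data:// wrapper). It assumes the environment variable reaches php-cgi as a query-string parameter named PHPRC, and the path /example.php and the sample requests are constructed placeholders, not J-Web paths or real captures.

```python
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# php.ini directives that the technique relies on when smuggled in a request body.
DANGEROUS_INI_DIRECTIVES = ("allow_url_include", "auto_append_file", "auto_prepend_file")
# Paths that make PHPRC read php.ini from the process's own standard input.
STDIN_ALIASES = ("/dev/fd/0", "/dev/stdin", "/proc/self/fd/0")
# One php.ini line: name = value, value optionally double-quoted.
INI_LINE = re.compile(r'^[ \t]*([A-Za-z_.]+)[ \t]*=[ \t]*"?([^"\r\n]*)"?[ \t]*$', re.M)


@dataclass
class Request:
    method: str
    target: str        # request-target as logged: path plus query string
    body: str = ""     # POST body, if captured


def analyze(req: Request) -> list[str]:
    """Return the reasons a request matches the PHPRC/stdin php.ini pattern (empty if none)."""
    reasons = []
    query = urlsplit(req.target).query
    # Step 1: the client supplies PHPRC, which PHP consults to locate php.ini
    # (assumption: the variable arrives as a query-string parameter).
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.upper() != "PHPRC":
            continue
        reasons.append(f"PHPRC supplied by client: {value!r}")
        if value in STDIN_ALIASES:
            reasons.append("PHPRC points at stdin, so the request body is parsed as php.ini")
    # Step 2: the body parses as php.ini and carries the code-loading directives.
    directives = {m.group(1).lower(): m.group(2) for m in INI_LINE.finditer(req.body)}
    for name in DANGEROUS_INI_DIRECTIVES:
        if name in directives:
            reasons.append(f"php.ini directive in body: {name}={directives[name]!r}")
    if any(v.lower().startswith("data:") for v in directives.values()):
        reasons.append("data:// wrapper used as an include target")
    return reasons


def is_suspicious(req: Request) -> bool:
    return bool(analyze(req))


def scan(requests: list[Request]) -> list[tuple[str, list[str]]]:
    """Run analyze() over a batch and keep only the hits."""
    hits = []
    for req in requests:
        reasons = analyze(req)
        if reasons:
            hits.append((req.target, reasons))
    return hits


# Constructed samples, not real captures. The first reproduces the request shape
# the article describes; /example.php is a placeholder, not a J-Web path.
_PHP = base64.b64encode(b"<?php phpinfo(); ?>").decode()
SAMPLES = [
    Request("POST", "/example.php?PHPRC=/dev/fd/0",
            body=f'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,{_PHP}"\n'),
    Request("GET", "/example.php?lang=en"),
    Request("POST", "/example.php", body="username=admin&password=hunter2"),
    Request("GET", "/example.php?PHPRC=/etc/php.ini"),   # client-supplied PHPRC, but not stdin
]

if __name__ == "__main__":
    for target, reasons in scan(SAMPLES):
        print(target)
        for r in reasons:
            print("  -", r)
```

A client-supplied PHPRC is flagged on its own, even when it does not point at stdin, because no legitimate J-Web client has a reason to set interpreter environment variables; the body checks are what distinguish the single-request RCE from a mere probe.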
09/19/2023 10:40
Marco Verro