Nearly 12,000 Juniper firewalls found vulnerable to a recent RCE flaw
A detailed analysis of the recent RCE vulnerability in Juniper firewalls and how it was exploited
Research has found that more than 12,000 Juniper firewalls across the Internet are vulnerable to a recent security flaw. Attackers can execute malicious code without authentication by exploiting a vulnerability in the J-Web component of Junos OS. Juniper Networks released a patch to fix the issue last month.
New research has found that approximately 12,000 Juniper firewall devices exposed to the Internet are vulnerable to a recent remote code execution (RCE) flaw. VulnCheck, which discovered a new exploit pattern for CVE-2023-36845, said this vulnerability can be exploited by an unauthenticated, remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system.
The vulnerability CVE-2023-36845
This is a medium severity vulnerability in the J-Web component of Junos OS that could be exploited by an attacker to control certain environment variables. Juniper Networks released a patch for this vulnerability last month along with a patch for three other vulnerabilities, CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847, in a major update.
A Proof-of-Concept (PoC) exploit
Subsequently, the Proof-of-Concept (PoC) exploit developed by watchTowr chained the CVE-2023-36846 and CVE-2023-36845 vulnerabilities to upload a PHP file containing malicious shellcode and execute arbitrary code. The newer exploitation technique reported by VulnCheck, however, also affects older systems and can be carried out with a single cURL command. Notably, it relies on CVE-2023-36845 alone to achieve the same result.
The execution of arbitrary code
This is accomplished by using the standard input stream (aka stdin) to set the PHPRC environment variable to "/dev/fd/0" via a specially crafted HTTP request. Because PHPRC tells PHP where to load its configuration from, this effectively turns "/dev/fd/0" into a makeshift configuration file controlled by the attacker and can expose sensitive information. Execution of arbitrary code is then achieved by leveraging PHP's auto_prepend_file and allow_url_include options in combination with the data:// wrapper protocol.
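For defenders, the indicators named above (a PHPRC environment-variable assignment, a reference to /dev/fd/0, the auto_prepend_file and allow_url_include options, and a data: wrapper URI) can be triaged in web access logs. The following Python snippet is an added example, not code from the article, VulnCheck or watchTowr; it assumes a combined-style access log in which request parameters or a logged body appear on the same line, and all sample lines and endpoint paths are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Indicators taken from the write-up: PHPRC injection, the /dev/fd/0
# "makeshift file", and the PHP options / wrapper used to reach code execution.
INDICATORS = {
    "phprc_env_var": re.compile(r"(?<![A-Za-z0-9_])PHPRC(?![A-Za-z0-9_])"),
    "dev_fd_stdin": re.compile(r"/dev/fd/0\b"),
    "auto_prepend_file": re.compile(r"auto_prepend_file", re.I),
    "allow_url_include": re.compile(r"allow_url_include", re.I),
    "data_wrapper": re.compile(r"data:(//)?[^,\s]*,", re.I),
}


def inspect_request(line: str) -> list[str]:
    """Return the indicator names present in one access-log line.

    The line is URL-decoded twice before matching so that plain,
    percent-encoded and double-encoded variants are all caught.
    """
    decoded = unquote(unquote(line))
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag lines carrying at least two indicators.

    Requiring two reduces noise: a lone 'data:' or a path containing the
    word 'data' is not evidence of PHP environment-variable tampering.
    """
    hits = []
    for line in lines:
        found = inspect_request(line)
        if len(found) >= 2:
            hits.append((line, found))
    return hits


# Constructed sample log lines (not real traffic); the endpoint path is a placeholder.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2023:10:40:01 +0000] "GET /placeholder-jweb-endpoint?lang=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Sep/2023:10:40:02 +0000] "POST /placeholder-jweb-endpoint?PHPRC=%2Fdev%2Ffd%2F0 HTTP/1.1" 200 17',
    '10.0.0.9 - - [19/Sep/2023:10:40:03 +0000] "POST /placeholder-jweb-endpoint HTTP/1.1" 200 88 '
    '"auto_prepend_file=data://text/plain,REDACTED_PAYLOAD&allow_url_include=1"',
    '10.0.0.7 - - [19/Sep/2023:10:40:04 +0000] "GET /docs/data-export HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line, found in triage(SAMPLE_LOG):
        print(", ".join(found), "<-", line)
```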
09/19/2023 10:40
Editorial AI