Threat intelligence firm VulnCheck has published details on a new exploit targeting a recent Junos OS vulnerability and says that thousands of Juniper Networks appliances that have not been patched are at risk.
The flaw, tracked as CVE-2023-36845, is described as a PHP environment variable manipulation issue in the J-Web interface of Juniper’s SRX series firewalls and EX series switches running specific Junos OS versions.
In mid-August, the networking appliances maker released patches for this bug and three other medium-severity issues, warning that an attacker could chain them to achieve remote code execution (RCE) on a vulnerable device, and that the exploit chain should be considered to have a ‘critical severity’ rating.
Roughly one week after Juniper released the patches, and following the publication of a proof-of-concept (PoC) exploit chaining two of the vulnerabilities, the first malicious attacks targeting the flaws were observed.
Now, VulnCheck says it has developed a new exploit that targets CVE-2023-36845 only, and which leads to RCE without chaining with other bugs.
What’s more, the threat intelligence firm says that the exploit allows an unauthenticated attacker to execute code without creating a file on the vulnerable Juniper appliance’s system, and that most of the internet-exposed Juniper devices remain vulnerable, as they have not been patched yet.
In devising the fileless attack, VulnCheck used the previously released PoC exploit, which relied on uploading two files to the vulnerable appliance to achieve RCE, as its research base.
VulnCheck found that it could leak sensitive information and achieve remote code execution via an HTTP request by abusing legitimate FreeBSD functionality (the vulnerable devices run FreeBSD), without dropping a single file on the system.
“Just like that, by only using CVE-2023-36845, we’ve achieved unauthenticated and remote code execution without actually dropping a file on disk. Our private exploit establishes a reverse shell, but that’s quite trivial once you’ve reached this point,” VulnCheck notes.
To check the number of potentially affected devices that are exposed to the internet, VulnCheck performed a Shodan search, which returned roughly 15,000 results. An analysis of approximately 3,000 of these devices showed that 79% are not patched against CVE-2023-36845.
“Firewalls are interesting targets to APT as they help bridge into the protected network and can serve as useful hosts for [command-and-control] infrastructure. Anyone who has an unpatched Juniper firewall should examine it for signs of compromise,” VulnCheck notes.