September 20, 2023 Update

In an update to the original CVE-2023-36845 and CVE-2023-36846 vulnerabilities, new information has emerged, shedding further light on the critical nature of CVE-2023-36845. While Juniper initially scored this vulnerability as a medium-severity issue, VulnCheck’s research has revealed a startling capability within CVE-2023-36845 to achieve unauthenticated remote code execution (RCE) without the need to create any files on the system. This development significantly escalates the risk associated with this vulnerability.

VulnCheck demonstrates that an attacker can leverage CVE-2023-36845 to execute arbitrary code on Juniper firewalls and EX switches, without leaving any trace on the disk. This method involves manipulating an environment variable and using a setting to force the execution of malicious code. This approach allows for unauthenticated code execution via a clever manipulation of PHP features. What’s particularly concerning is that approximately 80% of internet-facing Juniper devices remain unpatched, making them susceptible to this unauthenticated code execution exploit.

Furthermore, VulnCheck has released a vulnerability scanner to identify firewalls vulnerable to CVE-2023-36845. This new information underscores the urgency for organizations to promptly apply patches and follow best practices in securing their network infrastructure, especially when it comes to critical network components like firewalls. The risk posed by this vulnerability remains substantial, with attackers actively probing for potential targets, emphasizing the critical need for mitigation and proactive security measures within affected organizations.

As of August 29

Based on data found in a recent out-of-cycle security bulletin released by Juniper Networks, watchTowr Labs produced a proof-of-concept (PoC) exploit which combined two vulnerabilities into a compound critical vulnerability. Although individually these vulnerabilities are rated at 5.3 on the CVSS (Common Vulnerability Scoring System) scale, they can be exploited in tandem, to achieve a critical 9.8 rating potentially leading to RCE.

The affected devices include Juniper’s EX series devices, which function as switches, and SRX series devices, which serve as firewalls, both running on Junos OS. The vulnerabilities in question were both found in the PHP web interface known as J-Web and are identified as:

  • CVE-2023-36846 – “Missing Authentication for Critical Function vulnerability”
    • Allows attackers to upload arbitrary files through J-Web without proper authentication, leading to a potential loss of integrity within the file system.
  • CVE-2023-36845 – “PHP External Variable Modification vulnerability”
    • Enables attackers to modify specific PHP environment variables, possibly leading to a partial loss of integrity and potentially enabling chaining to other vulnerabilities.

Researchers at watchTowr Labs were able to devise a method of combining both vulnerabilities to achieve unauthenticated RCE. The versions of Junos OS that are vulnerable to this combination exploit are:

  • 22.4 versions before 22.4R2-S1, 22.4R3
  • 22.3 versions before 22.3R2-S2, 22.3R3
  • 22.2 versions before 22.2R3-S2
  • 22.1 versions before 22.1R3-S3
  • 21.4 versions before 21.4R3-S5
  • 21.3 versions before 21.3R3-S5
  • 21.2 versions before 21.2R3-S6
  • All versions before 20.4R3-S8

This discovery serves as a reminder of the importance of robust coding practices, secure configurations, and vigilant patch management. As the vulnerabilities expose crucial network components, administrators are advised to follow Juniper’s recommendations, including disabling J-Web when not in use and implementing strict access controls. With cyber threats evolving rapidly, it is essential to stay informed and maintain a proactive stance against potential security breaches.

Bytes & Insights: The Key Takeaways 

In Summary: A recent security alert from Juniper Networks has identified serious vulnerabilities in the company’s networking devices, particularly the Junos OS used in switches and firewalls. These vulnerabilities, if exploited together, could lead to remote code attacks with severe consequences.

Why It Matters: The severity of the vulnerabilities and their potential impact on network infrastructure could allow attackers to execute malicious code remotely, potentially compromising sensitive data and system integrity. The affected devices play critical roles in network operations, with switches and firewalls being essential components. MSPs should proactively assess their clients’ systems, ensure patches are applied promptly, and follow Juniper’s recommendations, including restricting J-Web access and enforcing strong access controls. Staying informed and implementing robust security measures is paramount to prevent potential breaches.


To learn more about the importance of patching and the dangers of public PoCs, tune in to our on-demand webinar here.

The Blackpoint Brief

The Blackpoint Brief is our monthly e-newsletter that covers the latest APG research, SOC saves, sales resources, webinars, and in-person events. Stay up to date so that you can best protect your clients.