Approximately 12,000 Juniper firewall devices, accessible on the internet, have been identified as susceptible to a newly disclosed remote code execution vulnerability.
The vulnerability, identified as CVE-2023-36845, was brought to light by VulnCheck, a prominent player in vulnerability assessment.
This flaw poses a noteworthy risk, as it can be exploited by an unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without leaving a trace in the system.
CVE-2023-36845 specifically targets the J-Web component of Junos OS, manifesting as a medium-severity vulnerability. It holds the potential to be weaponized by threat actors to manipulate critical environment variables.
However, a subsequent proof-of-concept (PoC) exploit, devised by watchTowr, ingeniously combined CVE-2023-36846 and CVE-2023-36845. This PoC allowed for the upload of a PHP file containing malicious shellcode, ultimately leading to code execution.
Notably, a more recent variant of this exploit targets older systems and can be executed with a single cURL command. This streamlined approach focuses solely on CVE-2023-36845.
It leverages the standard input stream (stdin) to manipulate the PHPRC environment variable, effectively transforming “/dev/fd/0” into a makeshift file and potentially exposing sensitive information.
The execution of arbitrary code is achieved through the orchestration of PHP’s auto_prepend_file and allow_url_include options in conjunction with the data:// protocol wrapper.
Cybersecurity expert Jacob Baines highlights the significance of this vulnerability, particularly due to firewalls’ role as enticing targets for Advanced Persistent Threats (APTs).
These devices often serve as a gateway into protected networks and can host critical Command and Control (C2) infrastructure. Therefore, it is imperative for organizations utilizing unpatched Juniper firewalls to diligently inspect their systems for any signs of compromise.
While Juniper Networks has not reported successful exploits against its customers, it has detected malicious attempts in the wild. Consequently, users are strongly advised to promptly implement the necessary patches to mitigate potential threats and fortify their cybersecurity posture.