Juniper Networks is warning of four vulnerabilities in two versions of its Junos OS operating system, which can be chained for unauthenticated remote code execution (RCE).
The “out of cycle” bulletin covers Junos OS on SRX and EX systems, and were discovered by an unnamed third party researcher.
The chain comprises four individual vulnerabilities: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847.
On their own, each of these vulnerabilities only rates a CVSS score of 5.3 (medium), but chained, they score 9.8 (critical).
CVE-2023-36844 is a PHP external variable modification vulnerability in the J-Web interface in Junos OS on EX.
It allows the attacker to “control certain, important environment variables”, and with a crafted request, the attacker could chain the bug to other vulnerabilities.
CVE-2023-36845 is a similar PHP bug in Junos OS on SRX systems.
CVE-2023-36846 and CVE-2023-36847 are missing authentication bugs on SRX and EX, respectively: “With a specific request that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities.”
Fixes are available for affected versions.
