A vulnerability in Juniper Networks’ EX switches and SRX firewalls that first emerged in August is in the spotlight again, with researchers disclosing a fileless exploit that doesn’t require bug-chaining.
The original advisory was that three lower-rated bugs became critical if chained together, and watchTwr demonstrated how two of the bugs - CVE-2023-36845 and CVE-2023-36846 - could be exploited for remote code execution (RCE) on some devices.
On September 18, VulnCheck’s Jacob Bains went a step further, claiming one of the CVEs, CVE-2023-36845, could be exploited without chaining.
Bains said that VulnCheck’s proof-of-concept delivered RCE on the SRX firewalls without chaining any of the other vulnerabilities.
VulnCheck’s attack also works without the attacker needing to drop a file on the target machine. It uses PHP’s auto_prepend_file and allow_url_include functions.
Juniper has now confirmed VulnCheck’s work in an out-of-cycle security bulletin.
“A variation of the exploit for the code execution vulnerability (CVE-2023-36845) has been published that works without a previous file upload,” Juniper’s advisory stated.
“Therefore it is important to fix the ability to execute code”.
All supported versions of Junos OS have been patched.
