Background On The Vulnerability:
In August, Juniper disclosed the following 4 vulnerabilities which individually received maximum CVSS score of 5.4.
- CVE-2023-36844
- CVE-2023-36845
- CVE-2023-36846
- CVE-2023-36847
T
he 4 vulnerabilities are covered under the following categories “PHP environment variant manipulation” and “Missing Authentication for Critical Function”.When chained together, the vulnerabilities provide a CVSS score of 9.8.
Vulnerability Information so far:
To achieve remote code execution, it was first thought that both CVE-2023-36845 and CVE-2023-36846 had to be exploited. This required two files to be dropped before RCE could be achieved.
Researchers found that by manipulating environment variables rid the need to upload 2 files. This means unauthenticated remote code execution can be performed without the exploitation of any of the other vulnerabilities.
How Critical is this vulnerability?:
Although the CVSS on CVE-2023-36845 is still at 5.4, this is expected to be re-evaluated due to RCE being proved possible without the exploitation of other vulnerabilities.
This vulnerability regardless of score is highly critical and prompt actions should be taken to negate the vulnerability.
It is estimated that around 12000 devices which are exposed to the internet could be vulnerable.
Known Hardware Affected So Far:
CVE-2023-36845 affects the following versions of Junos OS on EX and SRX Series of hardware:
- All versions before 20.4R3-S8
- 21.1 version 21.1R1 and later versions
- 21.2 versions before 21.2R3-S6
- 21.3 versions before 21.3R3-S5
- 21.4 versions before 21.4R3-S5
- 22.1 versions before 22.1R3-S3
- 22.2 versions before 22.2R3-S2
- 22.3 versions before 22.3R2-S2, 22.3R3
- 22.4 versions before 22.4R2-S1, 22.4R3
Recommendations:
- Patches for CVE-2023-36845 were released on 17/08/2023.
- Users should review all Juniper Hardware to check if they are affected by this vulnerability.
- If found to be vulnerable, the relevant patches should be applied as soon as possible.