Junos OS SRX/EX Series: vulnerability chain to RCE
CVE-2023-36844
CVE-2023-36845
CVE-2023-36846
CVE-2023-36847
TL;DR
Affected versions
- Juniper Networks Junos OS SRX Series:
- All versions prior to 20.4R3-S8;
- 21.1 version 21.1R1 and later;
- 21.2 prior to 21.2R3-S6;
- 21.3 prior to 21.3R3-S5;
- 21.4 prior to 21.4R3-S5;
- 22.1 prior to 22.1R3-S3;
- 22.2 prior to 22.2R3-S2;
- 22.3 prior to 22.3R2-S2, 22.3R3;
- 22.4 prior to 22.4R2-S1, 22.4R3;
- Juniper Networks Junos OS EX Series :
- All versions prior to 20.4R3-S8;
- 21.1 version 21.1R1 and later;
- 21.2 prior to 21.2R3-S6;
- 21.3 prior to 21.3R3-S5;
- 21.4 prior to 21.4R3-S4;
- 22.1 prior to 22.1R3-S3;
- 22.2 prior to 22.2R3-S1;
- 22.3 prior to 22.3R2-S2, 22.3R3;
- 22.4 prior to 22.4R2-S1, 22.4R3.
Details
In the August 2023 Cyber Threat Barometer, we mentioned the CVSS rating system. Although particularly useful for exchanging information about a given vulnerability, this system has certain limitations, as illustrated by the vulnerabilities published by Juniper on August 17, 2023.
Considered individually, none of these vulnerabilities exceeds a score of 5.3 on the CVSS scale (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). However, as the vendor points out in its advisory, when these vulnerabilities are combined in an attack chain the CVSSv3.1 score rises to 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), i.e. a critical severity.
The following vulnerabilities have been published:
- CVE-2023-36844 and CVE-2023-36845: PHP external variable modification in J-Web (EX Series and SRX Series respectively), allowing an unauthenticated network attacker to control certain environment variables;
- CVE-2023-36846 and CVE-2023-36847: missing authentication for a critical function in J-Web (SRX Series and EX Series respectively), allowing an unauthenticated network attacker to upload arbitrary files.
Researchers at watchTowr have published a report and a proof-of-concept demonstrating the chain.
Exploitation is relatively simple. First, the arbitrary file upload vulnerabilities (CVE-2023-36846 or CVE-2023-36847) are used to upload a PHP file and a PHP configuration file. Then, CVE-2023-36844 or CVE-2023-36845 is used to have the uploaded code executed.
In practice, and in the published code, the entry point used is `webauth_operation.php`, which can be called without any authentication. This entry point expects two parameters, `rs` and `rsargs`, which respectively hold the name of a function to call from among those available in this context, and its arguments.
The function used in the published attack chain is `do_upload`, which writes arbitrary files.
Two files are sent:
- The PHP file containing the code we wish to execute
- A PHP configuration file containing the `auto_prepend_file` directive, which causes the named file to be included before the requested script.
Finally, the second pair of vulnerabilities is used to load this configuration file and obtain code execution: another request is made to the same entry point, this time passing `PHPRC` as a parameter with the path of the previously uploaded configuration file as its value. PHP reads the file pointed to by `PHPRC` as its php.ini, honours the `auto_prepend_file` directive, and thus executes the uploaded PHP file.
Detection
At the time of writing, no detection rules are available for these attacks.
Here are some examples of rules for detecting this behaviour, based on the published proof-of-concept:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GW CURRENT Request to webauth_operation (possible CVE-2023-36846/CVE-2023-36847)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webauth_operation.php"; http.request_body; content:"do_upload"; content:"fileName"; sid:1000001; rev:1; metadata:provider Gatewatcher, signature_severity Major; reference:cve,2023-36846; reference:cve,2023-36847;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"GW CURRENT PHPRC variable on webauth_operation (possible CVE-2023-36844/CVE-2023-36845)"; flow:established,to_server; http.uri; content:"/webauth_operation.php"; content:"PHPRC="; distance:1; sid:1000002; rev:1; metadata:provider Gatewatcher, signature_severity Major; reference:cve,2023-36844; reference:cve,2023-36845;)
However, it is important to bear in mind the following points:
- These rules are based on the published proof-of-concept, but other variations may be possible (functions other than do_upload, entry points other than webauth_operation.php, or the PHPRC parameter carried in the request body rather than in the URI, which the second rule does not inspect).
- The rules are written with the direction $HOME_NET -> $EXTERNAL_NET; if the J-Web interface to be protected sits inside $HOME_NET, the direction must be reversed.
- As each information system is unique, a rule must always be tested before being deployed in production.
- If traffic to J-Web is encrypted, it will need to be decrypted for this type of activity to be detected.
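As an added illustration, not part of the Gatewatcher note or the watchTowr proof-of-concept, the following Python script expresses the two rules above as request-level checks and correlates the two stages per client address, raising a "chain" alert when a client that has already called do_upload goes on to set PHPRC. The requests it runs over are constructed from the description above (rs/rsargs, do_upload, fileName, PHPRC); the exact body encoding of the real proof-of-concept is not reproduced, and the client addresses and file names are placeholders. Unlike the second Suricata rule, it looks for PHPRC in both the query string and the request body.

```python
"""Request-level detector for the J-Web webauth_operation.php chain.
Added example: mirrors rules 1000001/1000002 and correlates the two stages
per client. Sample traffic below is constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlsplit

ENTRY_POINT = "/webauth_operation.php"


@dataclass
class HttpRequest:
    src: str       # client address
    method: str
    target: str    # request-target as seen on the wire, e.g. "/webauth_operation.php?PHPRC=..."
    body: str = ""  # form-encoded body for POST requests


def _parameters(req: HttpRequest) -> Dict[str, List[str]]:
    """Merge query-string and form-body parameters. Keys keep their case:
    PHP only honours the environment variable with the exact spelling PHPRC."""
    params = parse_qs(urlsplit(req.target).query, keep_blank_values=True)
    if req.method.upper() == "POST":
        for key, values in parse_qs(req.body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return params


def classify(req: HttpRequest) -> List[str]:
    """Findings raised by a single request: 'upload' and/or 'phprc'."""
    if urlsplit(req.target).path != ENTRY_POINT:
        return []
    findings: List[str] = []
    params = _parameters(req)
    # Stage 1 (CVE-2023-36846/36847): unauthenticated do_upload call carrying
    # a file name, i.e. what rule 1000001 matches in the POST body.
    if (req.method.upper() == "POST"
            and params.get("rs") == ["do_upload"]
            and "fileName" in req.body):
        findings.append("upload")
    # Stage 2 (CVE-2023-36844/36845): PHPRC handed to the entry point.
    # Rule 1000002 only inspects the URI; here the body is checked as well.
    if "PHPRC" in params:
        findings.append("phprc")
    return findings


def correlate(requests: List[HttpRequest]) -> List[str]:
    """Run over a request stream in order and emit one alert line per finding,
    plus a 'chain' alert when a client sets PHPRC after an earlier upload."""
    uploaded: Set[str] = set()
    alerts: List[str] = []
    for req in requests:
        for finding in classify(req):
            alerts.append(f"{req.src} {finding}")
            if finding == "upload":
                uploaded.add(req.src)
            elif finding == "phprc" and req.src in uploaded:
                alerts.append(f"{req.src} chain")
    return alerts


# Constructed sample traffic (placeholder addresses and file names). The
# rsargs encoding approximates the described rs/rsargs calling convention.
SAMPLE_REQUESTS = [
    HttpRequest("10.0.0.5", "GET", "/index.php"),                      # unrelated page
    HttpRequest("10.0.0.5", "GET", ENTRY_POINT),                       # entry point, no parameters
    HttpRequest("198.51.100.7", "POST", ENTRY_POINT,                   # upload of the php.ini-style file
                "rs=do_upload&rsargs[]=fileName%3Dphprc&rsargs[]=fileData%3DYXV0b19wcmVwZW5kX2ZpbGU9"),
    HttpRequest("198.51.100.7", "POST", ENTRY_POINT,                   # upload of the PHP payload
                "rs=do_upload&rsargs[]=fileName%3Dshell.php&rsargs[]=fileData%3DPD9waHA="),
    HttpRequest("198.51.100.7", "GET", ENTRY_POINT + "?PHPRC=/var/tmp/phprc"),  # trigger via URI
    HttpRequest("203.0.113.9", "POST", ENTRY_POINT, "PHPRC=/var/tmp/phprc"),    # trigger via body, no prior upload
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_REQUESTS):
        print(line)
```

The per-client correlation is what makes the difference between "someone probed J-Web" and "the full chain was attempted": either stage alone is a low-severity finding, exactly as the individual CVSS scores suggest, while the sequence from one source is the 9.8 scenario.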
Resolution
The vendor has already made the necessary patches available, so it is imperative to update affected equipment as soon as possible.
If the equipment cannot be updated, or not in the near future, the vendor recommends disabling the J-Web interface or, at the very least, restricting access to a set of identified trusted hosts.
Author: Purple Team Gatewatcher