On 17 August 2023, Juniper Networks released out-of-band fixes for multiple vulnerabilities that could be chained together to achieve unauthenticated remote code execution (RCE) on SRX and EX series devices. The vulnerabilities impact the J-Web component of Junos OS, the operating system running on the devices.
The vulnerabilities were discovered and responsibly disclosed by security researchers during external security research. At this time, we have not observed active exploitation or a public proof of concept published for these vulnerabilities. However, threat actors have historically targeted Juniper products by leveraging a path traversal vulnerability (CVE-2020-1631) in Junos OS, according to CISA’s Known Exploited Vulnerabilities Catalog. Due to the potential for unauthenticated remote code execution and historical targeting of Junos OS, Arctic Wolf strongly recommends upgrading to the latest available fixes for all impacted devices.
Vulnerability | CVSS Score | Exploitation | Description
CVE-2023-36844 | 5.3 – Medium | Not actively exploited | A PHP External Variable Modification vulnerability in the J-Web component of Junos OS on EX Series devices that could allow unauthenticated threat actors to control and modify certain PHP environment variables. Can be chained with the others to obtain unauthenticated RCE.
CVE-2023-36845 | 5.3 – Medium | Not actively exploited | A PHP External Variable Modification vulnerability in the J-Web component of Junos OS on EX and SRX Series devices that could allow unauthenticated threat actors to control and modify certain PHP environment variables. Can be chained with the others to obtain unauthenticated RCE.
CVE-2023-36846 | 5.3 – Medium | Not actively exploited | A Missing Authentication for Critical Function vulnerability in Junos OS on SRX Series devices that could allow unauthenticated threat actors to upload arbitrary files via the J-Web component. Can be chained with the others to obtain unauthenticated RCE.
CVE-2023-36847 | 5.3 – Medium | Not actively exploited | A Missing Authentication for Critical Function vulnerability in Junos OS on EX Series devices that could allow unauthenticated threat actors to upload arbitrary files via the J-Web component. Can be chained with the others to obtain unauthenticated RCE.
Arctic Wolf is actively monitoring intelligence sources for potential campaigns, indicators of compromise and TTPs associated with these vulnerabilities.
Recommendation: Apply the Latest Fixes Released by Juniper Networks
Arctic Wolf strongly recommends reviewing Juniper Networks’ Knowledge Base article to access and apply the relevant fixes. Customer login is required.
Product | Impacted Versions | Fixed Version
Junos OS on SRX Series Devices | |
Junos OS on EX Series Devices | |
Please follow your organisation’s patching and testing guidelines to avoid any operational impact.
Workaround: Disable J-Web Component
If applying the latest fix is not feasible, we strongly recommend applying Juniper Networks' workaround: disable the J-Web component, or limit access to it to trusted hosts, until the fix can be applied.
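As an added illustration of the workaround above (not commands taken from this bulletin or from Juniper's Knowledge Base article), the Junos set-format configuration for both options: remove J-Web entirely, or keep it bound to the management interface and reachable only from trusted hosts through a Routing Engine filter on lo0. The interface name fxp0.0, the untrust zone, the TRUSTED-MGMT addresses and the filter and counter names are assumptions for this example; lines beginning with # are annotations, not commands.

```junos
# Option A: disable J-Web entirely (preferred when the web UI is not needed)
delete system services web-management
commit comment "Disable J-Web pending upgrade"

# Option B: keep J-Web, bind it to the management interface (assumed fxp0.0),
# and accept it only from trusted hosts. Do not apply A and B together.
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

# Trusted management hosts (constructed example addresses)
set policy-options prefix-list TRUSTED-MGMT 192.0.2.10/32
set policy-options prefix-list TRUSTED-MGMT 198.51.100.0/28

# Routing Engine filter: HTTP/HTTPS accepted only from the prefix list;
# other HTTP/HTTPS attempts are counted, logged and dropped; all else passes
set firewall family inet filter PROTECT-RE term jweb-trusted from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-trusted then accept
set firewall family inet filter PROTECT-RE term jweb-deny from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-deny from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-deny then count jweb-denied
set firewall family inet filter PROTECT-RE term jweb-deny then syslog
set firewall family inet filter PROTECT-RE term jweb-deny then discard
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# SRX only: stop the untrust zone from delivering HTTP/HTTPS to the device itself
delete security zones security-zone untrust host-inbound-traffic system-services http
delete security zones security-zone untrust host-inbound-traffic system-services https

# Commit with automatic rollback in case the lo0 filter locks you out
commit confirmed 5 comment "Restrict J-Web to trusted management hosts"

# Verify: J-Web listens only on the management interface, and the deny
# counter shows whether untrusted hosts are still reaching the ports
run show configuration system services web-management
run show firewall filter PROTECT-RE
```

After confirming management access still works, issue a plain commit within five minutes so the confirmed commit is not rolled back. A rising jweb-denied counter is also a useful signal to forward to your logging pipeline while the devices remain unpatched.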