Recent research has revealed that nearly 12,000 internet-exposed Juniper firewall devices are susceptible to a newly published exploit that turns an already-patched flaw into remote code execution.
VulnCheck, which developed the new exploit for CVE-2023-36845, noted that an unauthenticated attacker can use it to execute arbitrary code on Juniper firewalls without first writing a file to the device's file system.
CVE-2023-36845 is a PHP external variable modification flaw in the J-Web component of Junos OS, originally rated medium severity. It lets a remote, unauthenticated attacker set certain environment variables consumed by the PHP interpreter behind J-Web, and through them gain control of the affected system. Juniper Networks addressed this vulnerability, along with CVE-2023-36844, CVE-2023-36846, and CVE-2023-36847, in an out-of-cycle patch released last month.
An earlier proof-of-concept (PoC) exploit created by watchTowr chained CVE-2023-36846 (an unauthenticated file upload) with CVE-2023-36845 to upload a PHP file containing attacker-controlled code and have the interpreter load it, ultimately resulting in code execution.
The newer exploit, however, also works on older Junos OS builds that the upload-based chain could not reach, and it can be delivered with a single cURL command. It relies solely on CVE-2023-36845 to achieve its objective.
To accomplish this, the exploit sends a crafted HTTP request that sets the PHPRC environment variable (the path PHP reads its php.ini from) to "/dev/fd/0" and carries a php.ini-style payload in the request body. Because the PHP CGI process's standard input is that request body, "/dev/fd/0" effectively becomes an attacker-controlled configuration file, with no file ever written to disk. Pointing configuration directives at local files in this way is enough to make PHP disclose sensitive information.
Arbitrary code execution then follows from two directives in that same payload: auto_prepend_file points PHP at a data:// URL containing the attacker's code, and allow_url_include=1 permits such a URL wrapper to be included, so the code runs before the requested script does.
VulnCheck's Jacob Baines has emphasized the importance of examining unpatched Juniper firewalls for signs of compromise, since firewalls are attractive targets for APTs: they provide a foothold into otherwise protected networks and can serve as hosts for C2 infrastructure.
Juniper has stated that no successful exploitation of this vulnerability has been reported by its customers, but it is aware of exploitation attempts in the wild. That makes prompt patching the priority; where a device cannot be updated immediately, Juniper's advisory recommends disabling J-Web or restricting access to it to trusted hosts, which also removes the attack surface for the rest of this bug cluster.