New Juniper Junos OS Flaws Expose Devices to Remote Attacks

Aug 19, 2023 by iHash Leave a Comment

Aug 19, 2023THNNetwork Security / Vulnerability

Networking hardware company Juniper Networks has released an “out-of-cycle” security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations.

The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series.

“By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices,” the company said in an advisory released on August 17, 2023.

The J-Web interface allows users to configure, manage, and monitor Junos OS devices. A brief description of the flaws is as follows –

CVE-2023-36844 and CVE-2023-36845 (CVSS scores: 5.3) – Two PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to control certain, important environments variables.
CVE-2023-36846 and CVE-2023-36847 (CVSS scores: 5.3) – Two missing authentications for critical function vulnerabilities in Juniper Networks Junos OS on EX Series and SRX Series allow an unauthenticated, network-based attacker to cause limited impact to the file system integrity.

A threat actor could send a specially crafted request to modify certain PHP environment variables or upload arbitrary files via J-Web sans any authentication to successfully exploit the aforementioned issues.

The vulnerabilities have been addressed in the below versions –

EX Series – Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1
SRX Series – Junos OS versions 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3, and 23.2R1

Users are recommended to apply the necessary fixes to mitigate potential remote code execution threats. As a workaround, Juniper Networks is suggesting that users either disable J-Web or limit access to only trusted hosts.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Source link

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Wewatch V70 Pro 1080p 500 Lumen Projector for $169

Expires September 26, 2024 06:59 PST Buy now and get 32% off KEY FEATURES The Wewatch V70 Pro Projector is built with a 5.8-inch LCD display and TFT LCD display technology to project stunning visuals. Its light source brightness ranges from 17000 to 28000LM, with an ANSI brightness of 350LM to 500LM. The standard resolution […]

Heard on the Street – 9/26/2023

Welcome to insideBIGDATA’s “Heard on the Street” round-up column! In this regular feature, we highlight thought-leadership commentaries from members of the big data ecosystem. Each edition covers the trends of the day with compelling perspectives that can provide important insights to give you a competitive advantage in the marketplace. We invite submissions with a focus […]

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Sep 25, 2023THNCyber Attack / Phishing Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. “Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service […]

The 24-Hour Chatbot for $12

Expires September 26, 2123 07:59 PST Buy now and get 74% off KEY FEATURES The best way to implement AI in your business. Welcome to the 24-hout chatbot! This course teaches you to build a chatbot with Python. The best part? You can train your chatbot to use your own contextual data, so it responds […]

Why Investors have to Appreciate the Diversity of AI

Since late last year, the global conversation about AI has been focused on large language models like OpenAI’s GPT-4 and Google’s Bard. LLMs have improved with remarkable speed, and ChatGPT is now the fastest-growing consumer application ever. It’s no wonder that LLMs have captured the public imagination, but AI has countless applications – including many that we […]

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.2.0

Pangu has updated its jailbreak utility for iOS 9.0 to 9.0.2 with a fix for the manage storage bug and the latest version of Cydia. Change log V1.2.0 (2015-10-27) 1. Bundle latest Cydia with new Patcyh which fixed failure to open url scheme in MobileSafari 2. Fixed the bug that “preferences -> Storage&iCloud Usage -> […]

Apple Blocks Pangu Jailbreak Exploits With Release of iOS 9.1

Apple has blocked exploits used by the Pangu Jailbreak with the release of iOS 9.1. Pangu was able to jailbreak iOS 9.0 to 9.0.2; however, in Apple’s document on the security content of iOS 9.1, PanguTeam is credited with discovering two vulnerabilities that have been patched.

Pangu Releases Updated Jailbreak of iOS 9 Pangu9 v1.1.0

Pangu has released an update to its jailbreak utility for iOS 9 that improves its reliability and success rate. Change log V1.1.0 (2015-10-21) 1. Improve the success rate and reliability of jailbreak program for 64bit devices 2. Optimize backup process and improve jailbreak speed, and fix an issue that leads to fail to […]

Activator 1.9.6 Released With Support for iOS 9, 3D Touch

Ryan Petrich has released Activator 1.9.6, an update to the centralized gesture, button, and shortcut manager, that brings support for iOS 9 and 3D Touch.

Wewatch V70 Pro 1080p 500 Lumen Projector for $169

The Rosetta Stone + Microsoft Office for Mac Lifetime Bundle for $199

The 24-Hour Chatbot for $12

The 2024 Complete Presentation & Public Speaking Bundle for $24

Apple iPhone XS Max (A1921) 64GB – Gold (Grade A+ Refurbished: Wi-Fi + Unlocked) for $349

New Juniper Junos OS Flaws Expose Devices to Remote Attacks

Wewatch V70 Pro 1080p 500 Lumen Projector for $169

The Rosetta Stone + Microsoft Office for Mac Lifetime Bundle for $199

The 24-Hour Chatbot for $12

The 2024 Complete Presentation & Public Speaking Bundle for $24

Apple iPhone XS Max (A1921) 64GB – Gold (Grade A+ Refurbished: Wi-Fi + Unlocked) for $349

Share this:

Reader Interactions

Leave a ReplyCancel reply