Focus on source code security, collect the latest information at home and abroad!
Compiled by: Code Guard
Networking hardware company Juniper Networks released an "out-of-cycle" security update that fixes multiple vulnerabilities in the J-Web component of the Junos OS. An attacker could exploit these vulnerabilities in combination to achieve remote code execution on vulnerable devices.
Chained together, the four vulnerabilities carry a combined CVSS score of 9.8 and are rated Critical; they affect all versions of Junos OS on the SRX and EX Series.
On August 17, 2023, Juniper stated that "by exploiting these vulnerabilities in combination, an unauthenticated network attacker could remotely execute code on the device." The J-Web interface enables users to configure, manage, and monitor Junos OS devices. These vulnerabilities are briefly described below:
CVE-2023-36844 and CVE-2023-36845 (CVSS score 5.3) are two PHP external variable modification vulnerabilities located in J-Web that allow unauthenticated network attackers to control certain important environment variables.
CVE-2023-36846 and CVE-2023-36847 (CVSS score 5.3) are two missing-authentication-for-critical-function vulnerabilities in Juniper Networks Junos OS that could allow an unauthenticated network attacker to cause limited impact on file system integrity.
A threat actor could exploit these flaws by sending specially crafted requests through J-Web to modify certain PHP environment variables or to upload arbitrary files.
These bugs have been fixed in the following releases:
EX Series: Junos OS Releases 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3 and 23.2R1.
SRX Series: Junos OS Releases 20.4R3-S8, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3 and 23.2R1.
Users are advised to apply the necessary fixes to mitigate potential remote code execution threats. Juniper Networks recommends that users disable J-Web or allow access only to trusted hosts as a mitigation.
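To illustrate the workaround Juniper describes (disable J-Web, or allow access only from trusted hosts), the following Junos set-style configuration is an added example written for this article; it is not taken from Juniper's advisory or from the original report. The filter name PROTECT-RE, the prefix-list name TRUSTED-MGMT and the 192.0.2.0/24 management network are constructed placeholders to be replaced with the operator's own values.

```junos
# Option 1: disable J-Web entirely until the fixed release is installed.
deactivate system services web-management

# Option 2: keep J-Web but accept HTTP/HTTPS to the routing engine
# only from trusted management hosts (constructed prefix, replace it).
set policy-options prefix-list TRUSTED-MGMT 192.0.2.0/24

# Serve J-Web over HTTPS only, on the management interface.
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

# Loopback filter: permit web management from trusted sources,
# drop all other web traffic aimed at the device, pass everything else.
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-WEB from source-prefix-list TRUSTED-MGMT
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-WEB from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-WEB from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED-WEB then accept
set firewall family inet filter PROTECT-RE term DROP-OTHER-WEB from protocol tcp
set firewall family inet filter PROTECT-RE term DROP-OTHER-WEB from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term DROP-OTHER-WEB then count j-web-rejected
set firewall family inet filter PROTECT-RE term DROP-OTHER-WEB then discard
set firewall family inet filter PROTECT-RE term PASS-REST then accept

# Apply the filter to traffic destined for the routing engine.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Use either option, not both: deactivating web-management removes the exposed component, while the filter limits who can reach it. The counter on the DROP-OTHER-WEB term (viewable with `show firewall filter PROTECT-RE`) gives defenders a quick signal of untrusted hosts probing the J-Web ports while devices await patching. On SRX platforms the relevant security zone's host-inbound-traffic settings also govern whether the management services are reachable at all.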
Code Guard Trial Address: https://codesafe.qianxin.com
Open source guard trial address: https://oss.qianxin.com
Original link
https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
Title image: Pixabay License
This article was compiled by Qi Anxin and does not represent the views of Qi Anxin. Please indicate "Reprinted from Qi Anxin Code Guard https://codesafe.qianxin.com".
Qi Anxin code guard (codesafe)
The first domestic product line focusing on software development security.