Juniper Networks has recently addressed a Critical RCE Vulnerability in their SRX Series firewalls and EX Series switches.
This issue, labeled as CVE-2024-21591, is a pre-auth remote code execution vulnerability that can be exploited through the devices’ J-Web configuration interfaces.
Attackers, even those without authentication, can potentially gain root privileges or conduct denial-of-service attacks on devices that have not been patched.
“This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory,”
Juniper networks said in a security advisory published Wednesday.
Junos OS Critical RCE Vulnerability Affected These SRX Firewalls and EX Switches
According to Juniper, their Security Incident Response Team has not found any evidence of active exploitation of this critical RCE vulnerability. However, it is important to address the issue promptly. The affected Junos OS versions for the SRX Series and EX Series devices are as follows:
- Junos OS versions prior to 20.4R3-S9
- Junos OS 21.2 versions prior to 21.2R3-S7
- Junos OS 21.3 versions prior to 21.3R3-S5
- Junos OS 21.4 versions prior to 21.4R3-S5
- Junos OS 22.1 versions prior to 22.1R3-S4
- Junos OS 22.2 versions prior to 22.2R3-S3
- Junos OS 22.3 versions prior to 22.3R3-S2
- Junos OS 22.4 versions prior to 22.4R2-S2 and 22.4R3.
The Juniper critical RCE bug has been successfully addressed in Junos OS versions:
- Junos OS 20.4R3-S9
- Junos OS 21.2R3-S7
- Junos OS 21.3R3-S5
- Junos OS 21.4R3-S5
- Junos OS 22.1R3-S4
- Junos OS 22.2R3-S3
- Junos OS 22.3R3-S2
- Junos OS 22.4R2-S2
- Junos OS 22.4R3
- Junos OS 23.2R1-S1
- Junos OS 23.2R2
- Junos OS 23.4R1
Recommendations to Stay Clear of Critical RCE Issues
Administrators are strongly encouraged to promptly install the security updates or upgrade to the latest version of JunOS. Alternatively, disabling the J-Web interface can eliminate the vulnerability. As a temporary solution, restricting J-Web access to trusted network hosts can mitigate the risk until the patches are applied.
According to data provided by the nonprofit internet security organization Shadowserver, there are over 8,200 Juniper devices with exposed J-Web interfaces online. The majority of these devices are located in South Korea. Additionally, Shodan, a search engine for internet-connected devices, has identified over 9,000 such devices.
CISA and Cyber Watch Dogs Have Warned Against Similar Critical RCE Issues in the Past
In addition to the previously mentioned vulnerabilities, it is important to note that CISA (Cybersecurity and Infrastructure Security Agency) issued a warning in November regarding a real-world exploitation of a Juniper pre-auth RCE (Remote Code Execution) exploit.
This exploit involved chaining four vulnerabilities, namely CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, which affected Juniper’s SRX firewalls and EX switches.
The alert from CISA came several months after ShadowServer initially detected exploitation attempts beginning on August 25. These attempts occurred just one week after Juniper released patches for the vulnerabilities, and coincided with the release of a proof-of-concept (PoC) exploit by watchTowr Labs.
During September, VulnCheck, a vulnerability intelligence firm, discovered that a significant number of Juniper devices remained vulnerable to attacks utilizing this exploit chain. These findings highlight the importance of promptly addressing the vulnerabilities to ensure system security.
On November 17, CISA officially included the four bugs in its Known Exploited Vulnerabilities Catalog. Categorized as “frequent attack vectors for malicious cyber actors” with “significant risks to the federal enterprise,” these vulnerabilities are of great concern to the U.S. cybersecurity agency.
To enforce enhanced security measures, the first binding operational directive (BOD) of the year was issued in June. This directive mandated that federal agencies secure their Internet-exposed or misconfigured networking equipment, including Juniper firewalls and switches, within a two-week timeframe following their discovery.
