Juniper

Juniper Networks has released security updates to fix a critical pre-auth remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches.

Found in the devices' J-Web configuration interfaces and tracked as CVE-2024-21591, this critical security flaw can also be exploited by unauthenticated threat actors to get root privileges or launch denial-of-service (DoS) attacks against unpatched devices.

"This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory," the company explained in a security advisory published Wednesday.

At the moment, Juniper's Security Incident Response Team has no evidence that the vulnerability is being exploited in the wild.

The complete list of vulnerable Junos OS versions affected by the SRX Series and EX Series J-Web bug includes:

  • Junos OS versions earlier than 20.4R3-S9
  • Junos OS 21.2 versions earlier than 21.2R3-S7
  • Junos OS 21.3 versions earlier than 21.3R3-S5
  • Junos OS 21.4 versions earlier than 21.4R3-S5
  • Junos OS 22.1 versions earlier than 22.1R3-S4
  • Junos OS 22.2 versions earlier than 22.2R3-S3
  • Junos OS 22.3 versions earlier than 22.3R3-S2
  • Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3

The bug has been addressed in Junos OS 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases.

Admins are advised to immediately apply the security updates or upgrade JunOS to the latest release or, at least, disable the J-Web interface to remove the attack vector.

Another temporary workaround is to restrict J-Web access to only trusted network hosts until patches are deployed.

According to data from nonprofit internet security organization Shadowserver, more than 8,200 Juniper devices have their J-Web interfaces exposed online, most from South Korea (Shodan also tracks over 9,000).

Juniper devices with Internet-exposed J-Web interfaces
Juniper devices with Internet-exposed J-Web interfaces (Shodan)

​CISA also warned in November of a Juniper pre-auth RCE exploit used in the wild, chaining four bugs tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847 and impacted the company's SRX firewalls and EX switches.

The alert came months after ShadowServer detected the first exploitation attempts on August 25, one week after Juniper released patches and as soon as watchTowr Labs released a proof-of-concept (PoC) exploit.

In September, vulnerability intelligence firm VulnCheck found thousands of Juniper devices still vulnerable to attacks using this exploit chain.

CISA added the four bugs to its Known Exploited Vulnerabilities Catalog on November 17, tagging them as "frequent attack vectors for malicious cyber actors" with "significant risks to the federal enterprise."

The U.S. cybersecurity agency issued the first binding operational directive (BOD) of the year last June, requiring federal agencies to secure their Internet-exposed or misconfigured networking equipment (such as Juniper firewalls and switches) within a two-week window following discovery.

Related Articles:

HPE Aruba Networking fixes four critical RCE flaws in ArubaOS

Over 1,400 CrushFTP servers vulnerable to actively exploited bug

Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks

Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks