Researchers demo bug-chaining of Juniper Networks vulnerabilities

Proof-of-concept for August disclosure.

Security researchers have published a proof-of-concept for vulnerabilities recently disclosed by Juniper Networks.

The company said that while the vulnerabilities in its EX switches and SRX firewalls rated as low severity on their own, when chained together they enabled remote code execution (RCE) on the switch management interfaces, which lifted the rating to a critical CVSS score of 9.8.

Security company watchTowr has now looked into two of the bugs, CVE-2023-36845 and CVE-2023-36846, which affected the EX series switches, and has demonstrated how the bugs can be exploited.

"We decided to investigate in order to provide network administrators with more information to aid in the recurring 'patch or no patch' decision, and to aid in patch verification," the researchers said.

“Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation”, they warned, adding that users should implement the fixes already published by Juniper.

The researchers examined the PHP code behind the switches’ J-Web UI, and formed the opinion that “proper care has not been taken to address technical debt accrued in the codebase's long 25-year lifespan.”

They found that one part of the code, webauth_operation.php, had an incorrect value in one field.

“Critically it provides a value of false for the doauth parameter, meaning that authentication will not be performed,” they wrote.

From there, the watchTowr researchers found what was described in CVE-2023-36846 as an “arbitrary file upload” bug, not in the PHP code but in the switch’s web server.

Hence the first bug let the researchers load their PHP shellcode, along with a second file instructing the PHP preprocessor to execute it, while the second bug set a variable enabling RCE.

The proof of concept is available at GitHub.

Copyright © iTnews.com.au. All rights reserved.