Three quarters of all Juniper firewalls remain vulnerable to remote unauthenticated attacks

One month after the announcement of a series of vulnerabilities impacting Juniper SRX firewalls and EX switches, VulnCheck reports that approximately 79% of public-facing Juniper SRX firewalls are still vulnerable. This flaw permits unauthenticated attackers to execute code remotely on affected devices without needing to drop a file onto the device's disk.

Despite the known vulnerabilities, a significant number of affected internet-facing firewalls (about 15,000 devices) remain unpatched.

Juniper Networks acknowledged and addressed five distinct vulnerabilities in an out-of-cycle security bulletin on August 17. However, it wasn't until September 7 that the company updated the advisory after security researchers demonstrated a proof-of-concept (PoC) exploit. Two of these vulnerabilities are related to PHP external variable modification (CVE-2023-36844 and CVE-2023-36845), while the remaining three are categorized as "Missing Authentication for Critical Function vulnerabilities" (CVE-2023-36846, CVE-2023-36847, and CVE-2023-36851).

Despite the initial medium severity rating of 5.3 on the CVSS scale for each vulnerability, they can be combined to achieve remote code execution (RCE), elevating the overall severity to a critical 9.8 CVSS score. Vulnerability scanning service provider, watchTowr, published a multi-step proof of concept exploit for two of the vulnerabilities (CVE-2023-36845 and CVE-2023-36846) on August 25, demonstrating unauthenticated remote code execution by uploading specific files.

Just one of these vulnerabilities - CVE-2023-36845 can facilitate remote, unauthenticated code execution.

In response to this critical threat, VulnCheck released a free scanning tool to help identify firewalls vulnerable to CVE-2023-36845.