In the latest security bulletin, Juniper Networks announced the release of fixes for a selection of vulnerabilities in their Junos OS. Among the fixed flaws is a high-severity one that got the CVSS score of 8.8. However, the fix is currently available only for this and another, less severe vulnerability.
Junos OS Vulnerabilities Allow for Data Leaks and XSS
The most recent “out-of-cycle” bulletin released by Juniper Networks notifies about 4 critical vulnerabilities in different editions of their Junos OS. SRX and EX Series of their network operating system are susceptible to the attacks that can lead to user data leak, upload and download of arbitrary files and even cross-site scripting. The latter – CVE-2024-21620 – is considered a high-severity flaw, gaining CVSS score of 8.8. As the description says, with a specifically crafted URL that is sent to the target user the attackers gain the ability to execute the commands with the privileges of the target – up to administrator level.
| Vulnerability | CVSS Score | Description |
|---|---|---|
| CVE-2024-21620 | 8.8 | XSS attack w/privileges hijack through a specifically crafted URL |
| CVE-2024-21619 | 5.3 | User system configuration leak upon login |
| CVE-2023-36851 | 5.3 | Arbitrary file download/upload through a specific request |
| CVE-2023-36846 | 5.3 | Arbitrary file upload through a specific request |
Other flaws, however, are not things you can ignore as well. Despite all 3 having the severity score of only 5.3, they allow the attacker to have limited, though sensible impact on the environment. CVE-2024-21619, makes it possible to leak the user machine configuration when the one connects to the vulnerable network.
CVE-2023-36846 and CVE-2023-36851 are similar to each other, as their successful exploitation allows for arbitrary files download and upload. Despite providing only limited access to the files and requiring a rather deep access to the system, both are rather easy to exploit, as they do not require any authentication. This allows these flaws to be the basis for chain exploitation together with other vulnerabilities. Such a trick is a rather widespread approach in the lateral movement stage of cyberattacks.
Juniper Networks Fixes J-Web Vulnerabilities
Fortunately for numerous users of Junos OS, there are fixes available for all the vulnerabilities present in the list. The latest releases of Junos OS fixes only the CVE-2024… vulnerabilities. The ones marked as ones from the past year – CVE-2023-36846 and CVE-2023-36851 – were fixed in earlier releases. Below you can see the table of versions that have the vulnerabilities fixed.
| Vulnerability | Safe Junos OS version |
|---|---|
| CVE-2024-21620 | 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2 |
| CVE-2024-21619 | 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1 |
| CVE-2023-36851 | 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22,4R2-S2, 22.4R3, 23.2R1-S2, 23.2R2 |
| CVE-2023-36846 | 21.1R1, 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S3, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R2-S1, 22.4R3 |
At the moment when the bulletin was published, not all the mentioned patches were available. In fact, among ones that fix the CVE-2024 vulnerabilities, there is only one – 20.4R3-S9, that patches the CVE-2024-21619 – was available. All others are pending publication, which is what to be expected when it comes to such a wide number of versions to be covered.
Aside from the patches, the developer also offers a couple of workarounds. Clients are advised to either disable the J-Web interface entirely, or at least limit the access to it from untrusted places. Well, as it usually happens to workarounds, it is helpful, though rather limiting and inconvenient.
