-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0575
2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series:
           Multiple vulnerabilities in J-Web have been addressed
                              29 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-21620 CVE-2024-21619 CVE-2023-36851
                   CVE-2023-36846  

Original Bulletin: 
   https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed

Comment: CVSS (Max):  8.8 CVE-2024-21620 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID:       JSA76390

Product Affected: These issues affect all versions of Junos OS on SRX Series
and EX Series.

Severity Level:   High

CVSS Score:       8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem:

Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on
SRX Series and EX Series have been resolved through the application of specific
fixes to address each vulnerability.

These issues affect all versions of Juniper Networks Junos OS on SRX Series and
EX Series. As each issue is fixed in different versions of Junos, please check
the solution section and note that any earlier versions, and versions not
mentioned to be fixed are affected.

These issues were discovered during external security research.

The following minimal configuration must be present on the device:

[system services web-management http]

or

[system services web-management https]

The specific issues reported and resolved are listed below:

CVE-2024-21619 | CVSS 5.3 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
    A Missing Authentication for Critical Function vulnerability combined with
    a Generation of Error Message Containing Sensitive Information vulnerability
    in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an
    unauthenticated, network-based attacker to access sensitive system
    information. When a user logs in, a temporary file which contains the
    configuration of the device (as visible to that user) is created in the
    /cache folder. An unauthenticated attacker can then attempt to access such
    a file by sending a specific request to the device trying to guess the
    name of such a file. Successful exploitation will reveal configuration
    information.

CVE-2023-36846 | CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    A Missing Authentication for Critical Function vulnerability in Juniper
    Networks Junos OS on SRX Series allows an unauthenticated, network-based
    attacker to cause limited impact to the file system integrity. With a
    specific request to user.php that doesn't require authentication an
    attacker is able to upload arbitrary files via J-Web, leading to a loss of
    integrity for a certain part of the file system.

CVE-2024-21620 | CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    An Improper Neutralization of Input During Web Page Generation ('Cross-site
    Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX
    Series and EX Series allows an attacker to construct a URL that when
    visited by another user enables the attacker to execute commands with the
    target's permissions, including an administrator. A specific invocation of
    the emit_debug_note method in webauth_operation.php will echo back the data
    it receives.

CVE-2023-36851 | CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
    A Missing Authentication for Critical Function vulnerability in Juniper
    Networks Junos OS on SRX Series and EX Series allows an unauthenticated,
    network-based attacker to cause limited impact to the file system
    integrity. With a specific request to webauth_operation.php that doesn't
    require authentication, an attacker is able to upload and download
    arbitrary files, leading to a loss of integrity or confidentiality, which
    may allow chaining to other vulnerabilities.

Solution:

The following Junos OS software releases have been updated:

CVE-2024-21620: 20.4R3-S10*, 21.2R3-S8*, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*,
22.3R3-S2*, 22.4R3-S1*, 23.2R2*, 23.4R2*, and all subsequent releases. (*
Pending Publication)
CVE-2024-21619: 20.4R3-S9, 21.2R3-S7*, 21.3R3-S5, 21.4R3-S6*, 22.1R3-S5*,
22.2R3-S3*, 22.3R3-S2*, 22.4R3*, 23.2R1-S2, 23.2R2*, 23.4R1, and all subsequent
releases. (* Pending Publication)

These issues are being tracked as 1779376 and 1763260.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of
Engineering (EOE) or End of Life (EOL).
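
The fixed-release lists above are per CVE and per release train, and the
bulletin notes that earlier versions and trains not mentioned remain affected.
The following script, added here as an example and not Juniper's own tooling,
encodes that rule for the two CVEs whose fixes this bulletin lists (the two
2023 CVEs were addressed in JSA72300 and have no release list on this page, so
they are not covered). It parses a Junos release string, ignores the trailing
build number, and treats a release as fixed when a listed fix sits on the same
major.minor train with R/S numbers at or below the running release. One
assumption is made: a train newer than every listed train (for example 24.x)
is treated as fixed.

```python
"""Fixed-release check for JSA76390 (added example, not Juniper's code).

The release lists are copied from the Solution section for the two CVEs whose
fixes this bulletin lists.  Matching rule: a running release is fixed for a CVE
when some listed fix is on the same major.minor train and the running (R, S)
numbers are at or above it; a train with no listed fix is affected, except
(assumption) a train newer than every listed one, which is treated as fixed.
Trailing build numbers (e.g. the ".3" in 22.4R3-S1.3) are ignored.
"""
import re

FIXED_RELEASES = {
    "CVE-2024-21620": [
        "20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5", "22.2R3-S3",
        "22.3R3-S2", "22.4R3-S1", "23.2R2", "23.4R2",
    ],
    "CVE-2024-21619": [
        "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S6", "22.1R3-S5",
        "22.2R3-S3", "22.3R3-S2", "22.4R3", "23.2R1-S2", "23.2R2", "23.4R1",
    ],
}

# major.minor R<n> [-S<m>] [.<build>]   e.g. 22.4R3-S1.3, 23.2R1.13, 20.4R3-S10
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_release(release: str) -> tuple:
    """Return (major, minor, R, S) for a Junos release string; S is 0 when absent."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {release!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor), int(r), int(s or 0))


def is_fixed(release: str, cve: str) -> bool:
    """True if `release` is at or beyond a fixed release listed for `cve`."""
    running = parse_release(release)
    fixes = [parse_release(f) for f in FIXED_RELEASES[cve]]
    same_train = [f for f in fixes if f[:2] == running[:2]]
    if same_train:
        # 23.2 lists both R1-S2 and R2: fixed if at or past any listed fix.
        return any(running[2:] >= f[2:] for f in same_train)
    # No fix listed on this train: affected, unless the train is newer than
    # every listed one (assumption, see module docstring).
    newest_train = max(f[:2] for f in fixes)
    return running[:2] > newest_train


def assess(release: str) -> dict:
    """Map each CVE with a listed fix to whether `release` is fixed for it."""
    return {cve: is_fixed(release, cve) for cve in FIXED_RELEASES}


if __name__ == "__main__":
    # 22.4R3 is fixed for CVE-2024-21619 but still affected by CVE-2024-21620,
    # which needs 22.4R3-S1; 21.3R3-S5 is fixed only for CVE-2024-21619.
    for v in ("22.4R3.25", "22.4R3-S1.3", "21.3R3-S5", "23.4R1", "19.4R3-S9"):
        print(v, assess(v))
```

Feed it the release string from `show version` (the "Junos:" line). Releases
marked "Pending Publication" in the lists above are included as listed, so a
True result for one of those only means the running release will be fixed once
that release ships.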

Workaround:

Disable J-Web, or limit access to only trusted hosts.
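
The precondition stated in the Problem section (the [system services
web-management http] or [https] stanza) and this workaround can both be
checked from `show configuration | display set` output. The script below is
an added example, not Juniper's code. It reports whether J-Web is enabled, on
which protocols, whether it has been pinned to specific interfaces with the
`web-management https interface <ifl>` knob, and, on SRX, which security zones
admit http/https to the Routing Engine through `host-inbound-traffic
system-services`. It does not evaluate lo0 firewall filters, so "not exposed"
here means no J-Web listener is reachable by configuration, not a full review.
Both sample configurations are constructed for this example; the hardened one
shows the "limit access to trusted hosts" form, and disabling J-Web outright is
`delete system services web-management`.

```python
"""J-Web exposure check over `show configuration | display set` output.

Added example, not Juniper's code.  Heuristic: it inspects only the
web-management stanza and SRX zone host-inbound-traffic; it does not evaluate
lo0 firewall filters.  Sample configurations are constructed.
"""
import re

# Constructed sample: branch SRX with J-Web on both protocols and no restriction.
WEAK_CONFIG = """\
set system host-name srx-branch-1
set system services ssh
set system services web-management http
set system services web-management https system-generated-certificate
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services all
"""

# Constructed sample after the workaround: HTTPS only, bound to the
# out-of-band fxp0.0 management interface, and no zone admits http/https.
HARDENED_CONFIG = """\
set system host-name srx-branch-1
set system services ssh
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ssh
"""

_WEBMGMT = re.compile(r"^set system services web-management (https?)(?:\s+(.*))?$")
_ZONE_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")


def jweb_exposure(set_config: str) -> dict:
    """Summarise J-Web reachability from set-format configuration text."""
    protocols = set()
    interfaces = set()          # `display set` emits one line per list element
    zone_services = {}
    for raw in set_config.splitlines():
        line = raw.strip()
        m = _WEBMGMT.match(line)
        if m:
            protocols.add(m.group(1))
            im = re.match(r"interface\s+(\S+)", m.group(2) or "")
            if im:
                interfaces.add(im.group(1))
            continue
        z = _ZONE_SVC.match(line)
        if z:
            zone_services.setdefault(z.group(1), set()).add(z.group(2))

    # A zone admits J-Web if it lists an enabled protocol or the `all` keyword.
    zones_admitting = {}
    for zone, services in zone_services.items():
        admitted = {p for p in protocols if p in services or "all" in services}
        if admitted:
            zones_admitting[zone] = admitted

    enabled = bool(protocols)
    return {
        "enabled": enabled,
        "protocols": sorted(protocols),
        "interfaces": sorted(interfaces),
        "zones_admitting_jweb": zones_admitting,
        # Exposed: listener enabled, not pinned to interfaces, and (when zones
        # are configured at all, i.e. SRX) some zone lets http/https reach the RE.
        "exposed": enabled and not interfaces
        and (not zone_services or bool(zones_admitting)),
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, jweb_exposure(cfg))
```

On EX Series there are no security zones, so the zone check is skipped and an
enabled, unpinned listener is reported as exposed; restrict it with the
interface knob or a lo0 input filter, or remove the stanza.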

Modification History:

2024-01-25: Initial publication

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin
    Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security
    Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks
    Security Incident Response Team
  o JSA72300
  o https://www.cve.org/CVERecord?id=CVE-2024-21619
  o https://www.cve.org/CVERecord?id=CVE-2024-21620

Acknowledgements

The Juniper SIRT would like to acknowledge and thank watchtowr for responsibly
reporting the vulnerabilities CVE-2024-21619 and CVE-2024-21620. They also
reported two additional vulnerabilities that had been addressed in JSA72300.
Last Updated: 2024-01-25
Created:      2024-01-25

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----