-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.0575
 2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series:
           Multiple vulnerabilities in J-Web have been addressed
                               29 January 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Junos OS
Publisher:         Juniper Networks
Operating System:  Juniper
Resolution:        Patch/Upgrade
CVE Names:         CVE-2024-21620 CVE-2024-21619 CVE-2023-36851 CVE-2023-36846

Original Bulletin:
   https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed

Comment: CVSS (Max):  8.8 CVE-2024-21620 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Juniper Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Article ID: JSA76390

Product Affected: These issues affect all versions of Junos OS on SRX Series and EX Series.

Severity Level: High

CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Problem:

Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability.

These issues affect all versions of Juniper Networks Junos OS on SRX Series and EX Series. As each issue is fixed in different versions of Junos, please check the solution section and note that any earlier versions, and versions not mentioned to be fixed, are affected.

These issues were discovered during external security research.
The following minimal configuration must be present on the device:

  [system services web-management http]

or

  [system services web-management https]

The specific issues reported and resolved are listed below:

+--------------+-----------+--------------------------------------------------+
| CVE          | CVSS      | Summary                                          |
+--------------+-----------+--------------------------------------------------+
|              |           |A Missing Authentication for Critical Function    |
|              |           |vulnerability combined with a Generation of Error |
|              |           |Message Containing Sensitive Information          |
|              |           |vulnerability in J-Web of Juniper Networks Junos  |
|              |5.3        |OS on SRX Series and EX Series allows an          |
|              |(CVSS:3.1/ |unauthenticated, network-based attacker to access |
|CVE-2024-21619|AV:N/AC:H/ |sensitive system information. When a user logs in,|
|              |PR:N/UI:R/ |a temporary file which contains the configuration |
|              |S:U/C:H/I:N|of the device (as visible to that user) is created|
|              |/A:N)      |in the /cache folder. An unauthenticated attacker |
|              |           |can then attempt to access such a file by sending |
|              |           |a specific request to the device trying to guess  |
|              |           |the name of such a file. Successful exploitation  |
|              |           |will reveal configuration information.            |
+--------------+-----------+--------------------------------------------------+
|              |           |A Missing Authentication for Critical Function    |
|              |5.3        |vulnerability in Juniper Networks Junos OS on SRX |
|              |(CVSS:3.1/ |Series allows an unauthenticated, network-based   |
|              |AV:N/AC:L/ |attacker to cause limited impact to the file      |
|CVE-2023-36846|PR:N/UI:N/ |system integrity. With a specific request to      |
|              |S:U/C:N/I:L|user.php that doesn't require authentication an   |
|              |/A:N)      |attacker is able to upload arbitrary files via    |
|              |           |J-Web, leading to a loss of integrity for a       |
|              |           |certain part of the file system.                  |
+--------------+-----------+--------------------------------------------------+
|              |           |An Improper Neutralization of Input During Web    |
|              |           |Page Generation ('Cross-site Scripting')          |
|              |8.8        |vulnerability in J-Web of Juniper Networks Junos  |
|              |(CVSS:3.1/ |OS on SRX Series and EX Series allows an attacker |
|CVE-2024-21620|AV:N/AC:L/ |to construct a URL that when visited by another   |
|              |PR:N/UI:R/ |user enables the attacker to execute commands with|
|              |S:U/C:H/I:H|the target's permissions, including an            |
|              |/A:H)      |administrator. A specific invocation of the       |
|              |           |emit_debug_note method in webauth_operation.php   |
|              |           |will echo back the data it receives.              |
+--------------+-----------+--------------------------------------------------+
|              |           |A Missing Authentication for Critical Function    |
|              |           |vulnerability in Juniper Networks Junos OS on SRX |
|              |5.3        |Series and EX Series allows an unauthenticated,   |
|              |(CVSS:3.1/ |network-based attacker to cause limited impact to |
|CVE-2023-36851|AV:N/AC:L/ |the file system integrity. With a specific request|
|              |PR:N/UI:N/ |to webauth_operation.php that doesn't require     |
|              |S:U/C:N/I:L|authentication, an attacker is able to upload and |
|              |/A:N)      |download arbitrary files, leading to a loss of    |
|              |           |integrity or confidentiality, which may allow     |
|              |           |chaining to other vulnerabilities.                |
+--------------+-----------+--------------------------------------------------+

Solution:

The following Junos OS software releases have been updated:

CVE-2024-21620: 20.4R3-S10*, 21.2R3-S8*, 21.4R3-S6*, 22.1R3-S5*, 22.2R3-S3*,
22.3R3-S2*, 22.4R3-S1*, 23.2R2*, 23.4R2*, and all subsequent releases.
(* Pending Publication)

CVE-2024-21619: 20.4R3-S9, 21.2R3-S7*, 21.3R3-S5, 21.4R3-S6*, 22.1R3-S5*,
22.2R3-S3*, 22.3R3-S2*, 22.4R3*, 23.2R1-S2, 23.2R2*, 23.4R1, and all
subsequent releases. (* Pending Publication)

These issues are being tracked as 1779376 and 1763260.

Note: Juniper SIRT's policy is not to evaluate releases which are beyond End of Engineering (EOE) or End of Life (EOL).

Workaround:

Disable J-Web, or limit access to only trusted hosts.
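The fixed-release lists above are per release train, and a release is only fixed if it is at or above the fix for its own train, so checking an estate by hand is error-prone. The following Python triage helper is an added example, not part of the Juniper bulletin or of AusCERT's redistribution: it copies the two fixed-release lists from the Solution section and applies the advisory's stated rule that earlier releases and trains not mentioned are affected, while "all subsequent releases" are fixed. The release-string grammar (major.minor, R number, optional -S service number, optional build suffix), the "unknown" verdict for strings that grammar does not cover, and the sample inventory are assumptions made for the example; asterisked "pending publication" releases are included as fix targets, so a "fixed" verdict on one of those only holds once that release has actually shipped.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases copied from the Solution section of JSA76390. The bulletin
# marks several with "*" (pending publication); the marker is dropped here,
# so treat a "fixed" verdict on such a release as conditional on it shipping.
FIXED_RELEASES: Dict[str, List[str]] = {
    "CVE-2024-21620": ["20.4R3-S10", "21.2R3-S8", "21.4R3-S6", "22.1R3-S5",
                       "22.2R3-S3", "22.3R3-S2", "22.4R3-S1", "23.2R2",
                       "23.4R2"],
    "CVE-2024-21619": ["20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S6",
                       "22.1R3-S5", "22.2R3-S3", "22.3R3-S2", "22.4R3",
                       "23.2R1-S2", "23.2R2", "23.4R1"],
}

# Assumed grammar: <major>.<minor>R<release>[-S<service>][.<build>]
# (e.g. 22.4R3-S1.2). X/D-style branch releases are deliberately not parsed
# and come back as "unknown" so a human reviews them.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

Version = Tuple[int, int, int, int]  # (major, minor, R, S)


def parse_release(text: str) -> Version:
    """Turn '22.4R3-S1' into (22, 4, 3, 1); a missing -S part counts as 0."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {text!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)


def assess(running: str, cve: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one device and one CVE.

    Rules taken from the advisory text: a release at or above the fix in its
    own train (major.minor) is fixed; anything earlier is affected; a train the
    Solution section does not mention is affected; trains newer than the newest
    listed fix fall under "all subsequent releases" and are treated as fixed.
    """
    try:
        have = parse_release(running)
    except ValueError:
        return "unknown"
    fixes = [parse_release(f) for f in FIXED_RELEASES[cve]]
    same_train = [f for f in fixes if f[:2] == have[:2]]
    if same_train:
        # Tuple comparison orders by major, minor, R, then S.
        return "fixed" if have >= min(same_train) else "affected"
    if have[:2] > max(f[:2] for f in fixes):
        return "fixed"
    return "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Assess every device in {hostname: running release} against every CVE."""
    return {host: {cve: assess(rel, cve) for cve in FIXED_RELEASES}
            for host, rel in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and releases are made up.
    sample = {
        "srx-branch-01": "22.4R3",        # fixed for 21619, not for 21620
        "ex-core-02": "22.4R3-S1",        # fixed for both
        "srx-dc-03": "21.3R3-S5",         # train not listed for 21620
        "srx-lab-04": "15.1X49-D170",     # outside the assumed grammar
    }
    for host, verdicts in triage(sample).items():
        print(host, verdicts)
```

The 22.4 and 23.2 trains show why the comparison has to be per train and per CVE: 22.4R3 closes CVE-2024-21619 but CVE-2024-21620 needs 22.4R3-S1, and 23.2R1-S2 closes CVE-2024-21619 while CVE-2024-21620 waits for 23.2R2. Devices that come back "unknown" or "affected" and cannot be upgraded immediately are the ones to apply the Workaround to (disable J-Web or restrict it to trusted hosts).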
Modification History:

2024-01-25: Initial publication

Related Information:

  o KB16613: Overview of the Juniper Networks SIRT Quarterly Security Bulletin Publication Process
  o KB16765: In which releases are vulnerabilities fixed?
  o KB16446: Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories
  o Report a Security Vulnerability - How to Contact the Juniper Networks Security Incident Response Team
  o JSA72300
  o https://www.cve.org/CVERecord?id=CVE-2024-21619
  o https://www.cve.org/CVERecord?id=CVE-2024-21620

Acknowledgements

The Juniper SIRT would like to acknowledge and thank watchtowr for responsibly reporting the vulnerabilities CVE-2024-21619 and CVE-2024-21620. They also reported two additional vulnerabilities that had been addressed in JSA72300.

Last Updated: 2024-01-25
Created: 2024-01-25

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBZbc5RckNZI30y1K9AQhcEQ/9E3t4IEbHyA/gSjLDBp/jTHOw63KCGaAV
NsxbEg2fb6A8t3qnZ+CqxCONFL3UX6dy8r5kWvbWzymKhiS1Uj4wZUD9oo+vus76
tPDHuTnzMx+X3heAxWidaWBtcr85B3vqsP2Sjql9u5sEjjZNdeD2e9xuBi7gGu96
0sZNd4tWFidoeubEiJDbmiSNwsyGxEYFi806YeDpZdNqGJh9ohbOyUbNfHkWpDoo
rDj2K2yAVOZq7W73RPU6hyPB9Enl6ZhjMhdkakGdhMXrRwUS6VrSAdbQw8rNYFh0
r71WimKF/NqzoCnG8sSOz4DG2HD9+lVesUNyJsHTT/mfdNeF2pQVGSbMdEvlP26O
D2Un8q1soF3w7xdNNt2iWwmG58ixp5i7/6a+Wk6d+UigBDwLYmDGTwUchdHe/J8Q
6SMeUwcaVksg6CfLB169r78L+ZovOsyc5pxWwMIGqIPbFhVXckE3c0ETVGPkwZLy
ToAhVHqfAFm7/JMongTho0G3mgo0ymA1YSiYgy78XUtfEE4F9upWshMAFOtxtJZc
DWmfcTgrs5hcbLHM1vvtY8mI1teQt2Azjk4k7GPvrdFgqyx17jOGjadv+7FLBWl5
oyXjRxaTZ7Z7SKJqnBufsF3LIt2RTw8QMurayIHybM3As3w1bvdL0Dq415euj8kU
VDVcOrKkspo=
=DVa4
-----END PGP SIGNATURE-----