WARNING: CRITICAL PRE-AUTH RCE IN JUNOS SRX SERIES AND EX SERIES J-WEB, PATCH IMMEDIATELY!
CVE-2024-21591: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Sources
Juniper Security Bulletin - https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591?language=en_US
Risks
A vulnerability in the J-Web component of Junos OS on SRX Series and EX Series devices allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE) with root privileges on the device. Confidentiality, integrity and availability are all affected, and successful exploitation amounts to a complete device takeover. Because these devices sit at the network edge or in the core of the network, a compromised firewall or switch can be used by attackers to pivot into your organization or to exfiltrate sensitive data.
Description
CVE-2024-21591 is an out-of-bounds write vulnerability in J-Web on Junos OS SRX Series and EX Series. It is caused by the use of an insecure function that lets an attacker overwrite arbitrary memory. No authentication is required; network access to the J-Web service is enough. Exploitation can result in a Denial of Service (DoS) or Remote Code Execution (RCE) with root privileges on the device.
A device is only exposed if J-Web is enabled, i.e. at least one of the following configuration stanzas is present:
- [system services web-management http]
- [system services web-management https]
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Update Junos OS to one of the following versions (or newer): 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1.
Until the update can be applied, a workaround is possible by disabling J-Web entirely or by limiting access to it to trusted hosts only.
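The following Junos CLI commands show how to check the exposure conditions listed under Description and how to apply the workaround above. This is an added example written for this advisory, not configuration taken from Juniper's bulletin; the interface name (fxp0.0), zone name (untrust), filter and term names (protect-re, jweb-trusted, ...) and the 192.0.2.0/24 management prefix are placeholders to be adapted to your environment.

```junos
## 1. Check exposure: is J-Web enabled, and which release is running?
##    If the first command returns nothing, the device is not exposed.
show configuration system services web-management
show version | match Junos

## 2a. Workaround, preferred: disable J-Web (both stanzas must be removed).
configure
delete system services web-management http
delete system services web-management https

## 2b. Workaround, alternative: keep J-Web but reach it only from trusted hosts.
## Bind the service to the management interface only. fxp0.0 is an assumption
## (typical on SRX); EX platforms commonly use me0.0 or vme.0 instead.
set system services web-management https interface fxp0.0
## Filter traffic destined to the Routing Engine on lo0: accept HTTP/HTTPS only
## from the management prefix, log and discard other J-Web attempts, and let
## everything else through so routing protocols and SSH keep working.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24
set firewall family inet filter protect-re term jweb-trusted from source-prefix-list mgmt-hosts
set firewall family inet filter protect-re term jweb-trusted from protocol tcp
set firewall family inet filter protect-re term jweb-trusted from destination-port [ http https ]
set firewall family inet filter protect-re term jweb-trusted then accept
set firewall family inet filter protect-re term jweb-untrusted from protocol tcp
set firewall family inet filter protect-re term jweb-untrusted from destination-port [ http https ]
set firewall family inet filter protect-re term jweb-untrusted then syslog
set firewall family inet filter protect-re term jweb-untrusted then discard
set firewall family inet filter protect-re term allow-everything-else then accept
set interfaces lo0 unit 0 family inet filter input protect-re
## On SRX, additionally stop accepting J-Web on untrusted zones ("untrust" is
## an assumed zone name; repeat for every Internet-facing zone).
delete security zones security-zone untrust host-inbound-traffic system-services http
delete security zones security-zone untrust host-inbound-traffic system-services https

## 3. Commit with automatic rollback after 5 minutes in case you lock yourself
##    out, then confirm once you have verified that management access still works.
commit confirmed 5
commit
```

If lo0 already carries an input filter, merge the two J-Web terms into it ahead of its existing accept terms instead of replacing it; a Junos filter ends in an implicit discard, so a new filter without a final accept term would cut off SSH, BGP and OSPF to the Routing Engine. Option 2a is the safer choice where J-Web is not actually used: it removes the attack surface rather than fencing it.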
Monitor/Detect
The CCB recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity, such as unexpected requests to the J-Web service or unexplained configuration changes, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
While patching appliances or software to the newest version provides protection against future exploitation, it does not remediate a compromise that has already taken place. Devices that were exposed before patching should therefore be checked for signs of compromise.
References
Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21591