www.belgium.be Logo of the federal government

WARNING: MULTIPLE VULNERABILITIES IN JUNOS OS J-WEB, PATCH IMMEDIATELY!

Reference: 
Advisory #2024-241
Version: 
1.0
Affected software: 
All versions before 21.4R3-S8
from 22.1 before 22.1R3-S6
from 22.2 before 22.2R3-S4
from 22.3 before 22.3R3-S3
from 22.4 before 22.4R3-S2
from 23.2 before 23.2R2-S2
from 23.4 before 23.4R1-S2, 23.4R2
Type: 
Issues in PHP library
CVE/CVSS: 

CVE-2023-0567: CVSS 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVE-2023-0662: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-2023-3823: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE-2023-3824: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2023-0568: CVSS 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos-OS-J-Web-Multiple-vulnerabilities-resolved-in-PHP-software

Risks

A set of vulnerabilities affecting Junos OS's J-Web management interface has been discovered, posing significant risks to organizations that use this technology. The Junos OS, integral for managing Juniper network devices, includes PHP software identified with several security issues. These vulnerabilities could attract threat actors due to their potential to compromise systems.

Currently, no active exploitation is confirmed. However, a public Proof of Concept exploit code is available for some of these CVEs, increasing the likelihood of exploitation by threat actors.

These vulnerabilities could cause system crashes, expose sensitive data or even lead to remote code execution. The high CVSS scores associated with these vulnerabilities highlight the potential for severe impact. Organizations must update their software to mitigate these risks and ensure the continued security of their network infrastructure.

Description

CVE-2023-0567: PHP 8.x (High – CVSS 7.7)

This vulnerability affects the password_verify() function in PHP versions before 8.0.28, 8.1.16, and 8.2.3. It allows invalid Blowfish hashes to be accepted as valid, potentially leading to unauthorized access. If a malformed hash enters the password database, the application may mistakenly validate any password for the corresponding user, creating a serious security risk.

CVE-2023-0662: PHP 8.x (High – CVSS 7.5)

This issue arises from handling multipart form uploads in PHP, where an excessive number of parts can overload system resources. It allows an attacker to consume server CPU or disk space by sending many form parts, potentially resulting in a DoS attack. This can disrupt network device management through J-Web, making the system unavailable to administrators.

CVE-2023-3823: PHP 8.x (High – CVSS 7.5)

This vulnerability impacts XML parsing in PHP. This vulnerability can potentially expose local files that are accessible to PHP. Exploiting this vulnerability could result in unauthorized disclosure of sensitive configuration files, leading to further compromise of the system.

CVE-2023-3824: PHP 8.x (Critical – CVSS 9.8)

In PHP versions 8.0 before 8.0.30, 8.1 before 8.1.22, and 8.2 before 8.2.8, there is a problem when loading PHAR files. If the PHAR directory entries aren't properly checked for length, it can cause a stack buffer overflow, which might lead to memory corruption or even remote code execution (RCE).

CVE-2023-0568: PHP 8.x (Critical – CVSS 8.1)

This vulnerability occurs in the path resolution function, where an allocated buffer can be overwritten. This affects older versions of Junos OS (21.4R3-S7 and earlier) and could allow attackers to exploit this flaw for data leakage or manipulation, potentially compromising the integrity of system operations.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority.

Disable J-Web: If J-Web is not required for your operations, you can disable it by modifying the system settings under [system services web-management]. Doing so will reduce the attack surface for both current and potential future vulnerabilities.

Stay updated with Juniper's security advisories and best practices. Regularly review vendor patches and ensure compliance with recommended updates.

Monitor/Detect

The CCB recommends that organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-0567
https://nvd.nist.gov/vuln/detail/CVE-2023-0662
https://nvd.nist.gov/vuln/detail/CVE-2023-3823
https://nvd.nist.gov/vuln/detail/CVE-2023-3824
https://nvd.nist.gov/vuln/detail/CVE-2023-0568