1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability

Known Exploited Vulnerabilities CVE-2023-36845 Mappings

A PHP External Variable Modification vulnerability in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker to remotely execute code. Using a crafted request which sets the variable PHPRC an attacker is able to modify the PHP execution environment allowing the injection und execution of code. This issue affects Juniper Networks Junos OS on EX Series and SRX Series: * All versions prior to 20.4R3-S9; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S7; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S4; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3-S1; * 22.4 versions prior to 22.4R2-S1, 22.4R3; * 23.2 versions prior to 23.2R1-S1, 23.2R2.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.
References
  1. https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
  2. https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
  3. https://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html
CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This vulnerability is exploited through a PHP External Variable Modification flaw in the J-Web interface of Juniper Networks Junos OS, affecting EX Series switches and SRX Series firewalls. Attackers leverage this vulnerability to gain initial access by crafting a request that sets the PHPRC variable, thereby altering the PHP execution environment. This manipulation enables the injection and execution of arbitrary code. By exploiting the auto_prepend_file and allow_url_include PHP features, attackers can include a base64 encoded PHP payload using the data:// wrapper. This method allows them to execute code within a confined FreeBSD jail environment, with the potential to escalate privileges by stealing authentication tokens from a user logged into the J-Web application, ultimately enabling unauthorized SSH access with elevated privileges.
References
  1. https://www.greenbone.net/en/blog/tracking-news-juniper-junos-vulnerabilities/
  2. https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
  3. https://packetstormsecurity.com/files/174865/Juniper-SRX-Firewall-EX-Switch-Remote-Code-Execution.html