Jan 30, 2024NewsroomVulnerability / Network Security

Juniper Networks has released out-of-band updates to address high-severity flaws in SRX Series and EX Series that could be exploited by a threat actor to take control of susceptible systems.

The vulnerabilities, tracked as CVE-2024-21619 and CVE-2024-21620, are rooted in the J-Web component and impact all versions of Junos OS. Two other shortcomings, CVE-2023-36846 and CVE-2023-36851, were previously disclosed by the company in August 2023.

• CVE-2024-21619 (CVSS score: 5.3) – A missing authentication vulnerability that could lead to exposure of sensitive configuration information
• CVE-2024-21620 (CVSS score: 8.8) – A cross-site scripting (XSS) vulnerability that could lead to the execution of arbitrary commands with the target’s permissions by means of a specially crafted request

Cybersecurity firm watchTowr Labs has been credited with discovering and reporting the issues. The two vulnerabilities have been addressed in the following versions –

• CVE-2024-21619 – 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases
• CVE-2024-21620 – 20.4R3-S10, 21.2R3-S8, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3-S1, 23.2R2, 23.4R2, and all subsequent releases

As temporary mitigations until the fixes are deployed, the company is recommending that users disable J-Web or restrict access to only trusted hosts.

It’s worth noting that both CVE-2023-36846 and CVE-2023-36851 were added to the Known Exploited Vulnerabilities (KEV) catalog in November 2023 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), based on evidence of active exploitation.

Earlier this month, Juniper Networks also shipped fixes to contain a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the device.

Jan 13, 2024NewsroomVulnerability / Network Security

Juniper Networks has released updates to fix a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches.

The issue, tracked as CVE-2024-21591, is rated 9.8 on the CVSS scoring system.

“An out-of-bounds write vulnerability in J-Web of Juniper Networks Junos OS SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS) or Remote Code Execution (RCE) and obtain root privileges on the device,” the company said in an advisory.

The networking equipment major, which is set to be acquired by Hewlett Packard Enterprise (HPE) for $14 billion, said the issue is caused by use of an insecure function allowing a bad actor to overwrite arbitrary memory.

The flaw impacts the following versions, and has been fixed in versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later –

• Junos OS versions earlier than 20.4R3-S9
• Junos OS 21.2 versions earlier than 21.2R3-S7
• Junos OS 21.3 versions earlier than 21.3R3-S5
• Junos OS 21.4 versions earlier than 21.4R3-S5
• Junos OS 22.1 versions earlier than 22.1R3-S4
• Junos OS 22.2 versions earlier than 22.2R3-S3
• Junos OS 22.3 versions earlier than 22.3R3-S2, and
• Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3

As temporary workarounds until the fixes are deployed, the company recommends that users disable J-Web or restrict access to only trusted hosts.

Also resolved by Juniper Networks is a high-severity bug in Junos OS and Junos OS Evolved (CVE-2024-21611, CVSS score: 7.5) that could be weaponized by an unauthenticated, network-based attacker to cause a DoS condition.

While there is evidence that the vulnerabilities are being exploited in the wild, multiple security shortcomings affecting the company’s SRX firewalls and EX switches were abused by threat actors last year.