CISA has ordered US federal agencies to patch five vulnerabilities used by attackers to compromise Juniper networking devices, and to do so by Friday.
Most of these bugs are not particularly severe by themselves, but they can be – and have been – chained together by attackers to achieve remote code execution on internet-facing vulnerable devices.
The exploited vulnerabilities
Juniper Networks fixed four flaws (numbered CVE-2023-36844 through CVE-2023-36847) affecting the J-Web GUI of Junos OS-powered devices in late August 2023, and urged customers to update their SRX firewalls and EX switches to plug the security holes.
Soon after, WatchTowr Labs researchers published related technical details and a PoC exploit combining the flaws and, very quickly, attackers began trying to exploit the vulnerabilities.
Then, in late September, external researchers published a new variant (CVE-2023-36851) of the SRX upload vulnerability (CVE-2023-36847), as well as an exploit for the code execution vulnerability (CVE-2023-36845) that works without a previous file upload, prompting Juniper to stress the importance of fixing “the ability to execute code”.
“Once this is prevented, the impact of the remaining issues is significantly reduced,” the company added.
The urgency increased last week, when Juniper confirmed on Wednesday that its incident response team is “aware of successful exploitation of these vulnerabilities.”
The company did not share details about these attacks, but once again urged customers to upgrade their devices, disable the J-Web GUI, or limit access to it to trusted hosts only.
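The two interim mitigations mentioned above (disabling J-Web, or exposing it only to trusted hosts) map onto a handful of Junos configuration statements. The snippet below is an added illustration written for this article, not Juniper's own guidance or a copy of any advisory; the prefix 192.0.2.0/24 and the names mgmt-hosts and PROTECT-RE are constructed placeholders to be replaced with your management network and naming scheme.

```junos
## Option 1: remove the attack surface entirely.
## J-Web is served by the web-management service; deleting the stanza
## stops the HTTP/HTTPS listener. Verify first what is currently enabled:
##   show configuration system services web-management
delete system services web-management

## Option 2: keep J-Web but only accept it from a trusted management prefix.
## Traffic destined to the device itself (Routing Engine) is filtered on lo0,
## so a loopback filter covers every interface address.

## Constructed placeholder: replace with the real management network.
set policy-options prefix-list mgmt-hosts 192.0.2.0/24

## Allow HTTP/HTTPS only from the trusted prefix.
set firewall family inet filter PROTECT-RE term allow-jweb from source-prefix-list mgmt-hosts
set firewall family inet filter PROTECT-RE term allow-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term allow-jweb from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term allow-jweb then accept

## Drop (and count, for later review) J-Web attempts from anywhere else.
set firewall family inet filter PROTECT-RE term deny-jweb from protocol tcp
set firewall family inet filter PROTECT-RE term deny-jweb from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term deny-jweb then count jweb-denied
set firewall family inet filter PROTECT-RE term deny-jweb then discard

## A Junos filter discards anything no term accepts, so a final accept term
## is required or routing protocols, SSH and NTP to the device will break.
set firewall family inet filter PROTECT-RE term allow-rest then accept

set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Apply with `commit confirmed` so that a mistake in the filter rolls back on its own, and check the `jweb-denied` counter afterwards (`show firewall filter PROTECT-RE`): a steadily climbing count on an internet-facing device is a useful indicator of ongoing scanning for these flaws. On SRX platforms, the security zone's `host-inbound-traffic system-services` settings also govern whether http/https reach the device, so review those alongside the filter. Neither option replaces the vendor patch; they only shrink the exposure until the upgrade is done.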
CISA says federal agencies must patch quickly
CISA has added the five vulnerabilities to the KEV catalog and mandated that US federal agencies patch them by November 17. That’s an unusually short deadline but – given that a PoC exploit has been public for months – not unreasonable.
The agency also added CVE-2023-47246, the SysAid Server path traversal vulnerability exploited by Cl0p affiliates, to the catalog on the same day. The deadline for fixing that one is a bit longer, though.
The KEV catalog is compiled for the benefit of US federal agencies, but other types of organizations should use it to prioritize vulnerabilities to patch, as well.