Juniper Networks has released security updates to fix a critical pre-auth remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches.
Found in the devices’ J-Web configuration interfaces and tracked as CVE-2024-21591, this critical security flaw can also be exploited by unauthenticated threat actors to get root privileges or launch denial-of-service (DoS) attacks against unpatched devices.
“This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory,” the company explained in a security advisory published Wednesday.
Juniper added that its Security Incident Response Team has no evidence that the vulnerability is being exploited in the wild.
The complete list of vulnerable Junos OS versions affected by the SRX Series and EX Series J-Web bug includes:
- Junos OS versions earlier than 20.4R3-S9
- Junos OS 21.2 versions earlier than 21.2R3-S7
- Junos OS 21.3 versions earlier than 21.3R3-S5
- Junos OS 21.4 versions earlier than 21.4R3-S5
- Junos OS 22.1 versions earlier than 22.1R3-S4
- Junos OS 22.2 versions earlier than 22.2R3-S3
- Junos OS 22.3 versions earlier than 22.3R3-S2
- Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
The bug has been addressed in Junos OS 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and all subsequent releases.
Admins are advised to immediately apply the security updates or upgrade JunOS to the latest release or, at least, disable the J-Web interface to remove the attack vector.
Another temporary workaround is to restrict J-Web access to only trusted network hosts until patches are deployed.
According to data from nonprofit internet security organization Shadowserver, more than 8,200 Juniper devices have their J-Web interfaces exposed online, most from South Korea (Shodan also tracks over 9,000).
​CISA also warned in November of a Juniper pre-auth RCE exploit used in the wild, chaining four bugs tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847 and impacted the company’s SRX firewalls and EX switches.
The alert came months after ShadowServer detected the first exploitation attempts on August 25, one week after Juniper released patches and as soon as watchTowr Labs released a proof-of-concept (PoC) exploit.
In September, vulnerability intelligence firm VulnCheck found thousands of Juniper devices still vulnerable to attacks using this exploit chain.
CISA added the four bugs to its Known Exploited Vulnerabilities Catalog on November 17, tagging them as “frequent attack vectors for malicious cyber actors” with “significant risks to the federal enterprise.”
The U.S. cybersecurity agency issued the first binding operational directive (BOD) of the year last June, requiring federal agencies to secure their Internet-exposed or misconfigured networking equipment (such as Juniper firewalls and switches) within a two-week window following discovery.