Juniper Networks Comes Clean: Apologizes for Hidden Vulnerabilities After Security Flap

Buckle up for a wild ride in cybersecurity – Juniper Networks finally admits to hiding vulnerabilities after being busted by a researcher. Now with CVEs aplenty, they’re saying “Whoopsie-daisy!” and patching up. #JuniperOops

Hot Take:

Oops, they did it again! Juniper Networks turned the cybersecurity world into a suspense thriller, keeping us on the edge of our seats with the “will they, won’t they” saga of disclosing vulnerabilities. But don’t worry, in a dramatic twist, they’ve finally come clean, apologized for their communication boo-boo, and rolled out the red carpet for four shiny CVEs. Popcorn, anyone?

Key Points:

  • Juniper Networks, after some nudging, has disclosed four vulnerabilities that were previously swept under the server rack.
  • The vulnerabilities, three scored 5.3 and one XSS flaw scored 8.8, have been assigned their very own CVEs. Cue spotlight: CVE-2024-21620 (the XSS), plus CVE-2024-21619, CVE-2023-36846 and CVE-2023-36851.
  • These vulnerabilities could turn J-Web, the web management interface of Junos OS on SRX Series and EX Series devices, into a cybercriminal's playground: unauthenticated file upload and download, a guessable copy of the device configuration, and an XSS that runs with an administrator's permissions. It's patching time!
  • The US Cybersecurity and Infrastructure Security Agency (CISA) is the cool aunt who tells you to clean up your room, or in this case, update your systems.
  • Juniper’s patching policy might be more “strange” than a season of Stranger Things, raising eyebrows and questions alike.
CVE ID: CVE-2024-21620
CVE state: PUBLISHED
CVE assigner short name: juniper
CVE date updated: 01/25/2024
CVE description: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that, when visited by another user, enables the attacker to execute commands with the target's permissions, including an administrator's. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
  • All versions earlier than 20.4R3-S10;
  • 21.2 versions earlier than 21.2R3-S8;
  • 21.4 versions earlier than 21.4R3-S6;
  • 22.1 versions earlier than 22.1R3-S5;
  • 22.2 versions earlier than 22.2R3-S3;
  • 22.3 versions earlier than 22.3R3-S2;
  • 22.4 versions earlier than 22.4R3-S1;
  • 23.2 versions earlier than 23.2R2;
  • 23.4 versions earlier than 23.4R2.
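The affected-version lists in these CVE entries follow one pattern ("All versions earlier than X", "<train> versions earlier than/prior to X[, Y]", and in one entry "<train> versions X and later" with no fix at all), and working out by hand whether a given Junos release is covered is where mistakes happen. The script below is an added example, not Juniper's code or tooling: it parses the CVE-2024-21620 list exactly as printed above and classifies a version string from "show version". The version grammar (MAJOR.MINOR, R release, optional -S service release, optional trailing build number, optional -EVO) is an assumption that covers the forms on this page; anything else is rejected rather than guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not Juniper's code). The advisory text is copied from the
# CVE-2024-21620 entry on this page; the other three entries use the same phrasing.
ADVISORY_CVE_2024_21620 = (
    "This issue affects Juniper Networks Junos OS on SRX Series and EX Series: "
    "* All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; "
    "* 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; "
    "* 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; "
    "* 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; "
    "* 23.4 versions earlier than 23.4R2."
)

Version = Tuple[int, int, int, int]   # (major, minor, R release, S service release)
Train = Tuple[int, int]               # (major, minor)

# Assumed version grammar: 21.4R3-S6, 23.4R2, plus the build suffix that
# "show version" prints (21.4R3-S6.3) and the -EVO marker on Junos OS Evolved.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(?:-EVO)?$")
RANGE_RE = re.compile(r"^(All|\d+\.\d+) versions (?:earlier than|prior to) (.+)$")
NO_FIX_RE = re.compile(r"^(\d+\.\d+) versions \S+ and later$")


def parse_version(text: str) -> Version:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, r, s = m.groups()
    return (int(major), int(minor), int(r), int(s or 0))


def _train(text: str) -> Train:
    major, minor = text.split(".")
    return (int(major), int(minor))


def parse_affected(advisory: str) -> Tuple[Optional[Version], Dict[Train, List[Version]]]:
    """Return (first fixed release of the oldest listed train, {train: fixed releases}).

    "All versions earlier than X" means every train older than X's train is affected with
    no fix, and X's own train is fixed from X on. "<train> versions <v> and later" means
    the train has no fixed release, recorded here as an empty list.
    """
    all_before: Optional[Version] = None
    trains: Dict[Train, List[Version]] = {}
    for seg in re.split(r"\s*\*\s*", advisory)[1:]:   # text before the first "*" is preamble
        seg = seg.strip().rstrip(";.").strip()
        m = RANGE_RE.match(seg)
        if m:
            fixes = [parse_version(v) for v in m.group(2).split(",")]
            if m.group(1) == "All":
                all_before = fixes[0]
            else:
                trains[_train(m.group(1))] = fixes
            continue
        m = NO_FIX_RE.match(seg)
        if m:
            trains[_train(m.group(1))] = []
            continue
        raise ValueError(f"unrecognised range clause: {seg!r}")
    return all_before, trains


def status(version: str, advisory: str = ADVISORY_CVE_2024_21620) -> str:
    """'affected', 'fixed', or 'unlisted' when the advisory says nothing about the train."""
    v = parse_version(version)
    all_before, trains = parse_affected(advisory)
    train = v[:2]
    if all_before is not None and train < all_before[:2]:
        return "affected"                      # older than the oldest listed train: no fix exists
    if all_before is not None and train == all_before[:2]:
        return "fixed" if v >= all_before else "affected"
    if train not in trains:
        return "unlisted"
    # A clause like "prior to 22.4R2-S2, 22.4R3" is fixed on reaching either release; tuple
    # comparison works because a later R release sorts above any S release of an earlier one.
    return "fixed" if any(v >= f for f in trains[train]) else "affected"


if __name__ == "__main__":
    for v in ("19.4R3-S7", "20.4R3-S9", "20.4R3-S10", "22.4R3", "22.4R3-S1.4", "23.2R2", "21.3R3-S5"):
        print(f"{v:14} {status(v)}")
```

Note that 21.3 is not mentioned in the CVE-2024-21620 list, so the script reports it as "unlisted" rather than inventing a verdict; check the vendor advisory for trains the text does not name. Feeding the CVE-2023-36851 entry's "22.4 versions prior to 22.4R2-S2, 22.4R3" clause classifies 22.4R2-S1 as affected and both 22.4R2-S3 and 22.4R3 as fixed.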

CVE ID: CVE-2023-36851
CVE state: PUBLISHED
CVE assigner short name: juniper
CVE date updated: 01/25/2024
CVE description: A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of integrity or confidentiality, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series:
  • 21.2 versions prior to 21.2R3-S8;
  • 21.4 versions prior to 21.4R3-S6;
  • 22.1 versions prior to 22.1R3-S5;
  • 22.2 versions prior to 22.2R3-S3;
  • 22.3 versions prior to 22.3R3-S2;
  • 22.4 versions prior to 22.4R2-S2, 22.4R3;
  • 23.2 versions prior to 23.2R1-S2, 23.2R2.

CVE ID: CVE-2023-36846
CVE state: PUBLISHED
CVE assigner short name: juniper
CVE date updated: 09/26/2023
CVE description: A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication, an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series:
  • All versions prior to 20.4R3-S8;
  • 21.1 versions 21.1R1 and later;
  • 21.2 versions prior to 21.2R3-S6;
  • 21.3 versions prior to 21.3R3-S5;
  • 21.4 versions prior to 21.4R3-S5;
  • 22.1 versions prior to 22.1R3-S3;
  • 22.2 versions prior to 22.2R3-S2;
  • 22.3 versions prior to 22.3R2-S2, 22.3R3;
  • 22.4 versions prior to 22.4R2-S1, 22.4R3.

CVE ID: CVE-2024-21619
CVE state: PUBLISHED
CVE assigner short name: juniper
CVE date updated: 01/25/2024
CVE description: A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device, trying to guess the name of such a file. Successful exploitation will reveal configuration information. This issue affects Juniper Networks Junos OS on SRX Series and EX Series:
  • All versions earlier than 20.4R3-S9;
  • 21.2 versions earlier than 21.2R3-S7;
  • 21.3 versions earlier than 21.3R3-S5;
  • 21.4 versions earlier than 21.4R3-S6;
  • 22.1 versions earlier than 22.1R3-S5;
  • 22.2 versions earlier than 22.2R3-S3;
  • 22.3 versions earlier than 22.3R3-S2;
  • 22.4 versions earlier than 22.4R3;
  • 23.2 versions earlier than 23.2R1-S2, 23.2R2.
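Until the quarterly patch lands, the four entries above give a SOC three things to look for on the management interface: requests to user.php and webauth_operation.php from places that should never reach J-Web (the two unauthenticated upload/download bugs), a run of guessed file names under /cache/ (CVE-2024-21619), and markup riding in a webauth_operation.php query string (the XSS, which an admin's own browser will deliver). The script below is an added example, not part of the article or of any Juniper product. Its assumptions: J-Web access logs are available in NCSA combined format (the page does not show the real log format), management access is expected only from one network, the endpoint paths are exactly the file names in the CVE text, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import unquote

# Added example, not Juniper tooling. Assumed combined-format access log; the real
# J-Web log layout is not shown on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")     # assumed trusted management network
UPLOAD_ENDPOINTS = ("/user.php", "/webauth_operation.php")   # CVE-2023-36846, CVE-2023-36851
CACHE_PREFIX = "/cache/"                                     # CVE-2024-21619 temp config files
CACHE_404_THRESHOLD = 5                                      # misses before we call it guessing

# Constructed sample log, not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2024:10:01:02 +0000] "GET /login.php HTTP/1.1" 200 1823
10.0.0.5 - - [25/Jan/2024:10:01:09 +0000] "POST /webauth_operation.php HTTP/1.1" 200 96
198.51.100.7 - - [25/Jan/2024:10:02:10 +0000] "POST /user.php HTTP/1.1" 200 44
198.51.100.7 - - [25/Jan/2024:10:02:11 +0000] "POST /webauth_operation.php HTTP/1.1" 200 12
203.0.113.9 - - [25/Jan/2024:10:03:01 +0000] "GET /cache/a1.tmp HTTP/1.1" 404 0
203.0.113.9 - - [25/Jan/2024:10:03:01 +0000] "GET /cache/a2.tmp HTTP/1.1" 404 0
203.0.113.9 - - [25/Jan/2024:10:03:02 +0000] "GET /cache/a3.tmp HTTP/1.1" 404 0
203.0.113.9 - - [25/Jan/2024:10:03:02 +0000] "GET /cache/a4.tmp HTTP/1.1" 404 0
203.0.113.9 - - [25/Jan/2024:10:03:03 +0000] "GET /cache/a5.tmp HTTP/1.1" 404 0
203.0.113.9 - - [25/Jan/2024:10:03:03 +0000] "GET /cache/a6.tmp HTTP/1.1" 200 5120
10.0.0.5 - - [25/Jan/2024:10:05:40 +0000] "GET /webauth_operation.php?note=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 310
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) not in MGMT_NET
    except ValueError:          # not an IP literal: treat as untrusted
        return True


def analyze(log_text: str) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    cache_misses: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, status = rec["ip"], rec["status"]
        route, _, query = rec["path"].partition("?")
        external = is_external(ip)

        # Rule 1: the two endpoints answer without authentication, so the log cannot tell a
        # session from an attacker; the observable signal is a source off the management net.
        if route in UPLOAD_ENDPOINTS and external:
            findings.append({"rule": "upload-endpoint-from-outside", "ip": ip,
                             "detail": f"{rec['method']} {route}"})

        # Rule 2: guessing temp file names under /cache/ shows up as a run of 404s from one
        # source; a 200 under /cache/ from outside means a guess landed.
        if route.startswith(CACHE_PREFIX):
            if status == "404":
                cache_misses[ip] += 1
                if cache_misses[ip] == CACHE_404_THRESHOLD:
                    findings.append({"rule": "cache-name-guessing", "ip": ip,
                                     "detail": f"{CACHE_404_THRESHOLD} misses under {CACHE_PREFIX}"})
            elif status == "200" and external:
                findings.append({"rule": "cache-file-read-from-outside", "ip": ip, "detail": route})

        # Rule 3: markup in a webauth_operation.php query. The XSS is delivered by the victim's
        # browser, so the source is typically an admin's own address; do not filter on it.
        if route == "/webauth_operation.php" and query:
            decoded = unquote(query)
            if "<" in decoded or "javascript:" in decoded.lower():
                findings.append({"rule": "reflected-markup-in-query", "ip": ip, "detail": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:30} {f['ip']:15} {f['detail']}")
```

The rules are deliberately coarse: Rule 1 will also fire on a legitimate admin working from an unexpected address, which is itself worth a look, and Rule 3 keys on the reflection point named in the CVE text rather than on any particular parameter, since the page names the method (emit_debug_note) but not the request format.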

Need to know more?

Breaking News: Apologies Are in Fashion

Juniper Networks is sending out "Sorry for the confusion" emails like they're going out of style. It's not the new Spring collection they promised, but at least they're owning up to their communication faux pas. They've acknowledged changing their tune about the severity of the vulnerabilities after initially playing hard to get with the CVEs.

Delayed Patching: Fashionably Late or Just Late?

Imagine asking for extra time to perfect your grand entrance, only to trip on the red carpet. That's Juniper for you, asking researchers for a 90-day grace period before strutting their stuff, then somehow forgetting to spotlight the main stars—the vulnerabilities. But, like any good diva, they've now made a belated but glittering appearance.

Mystery of the Missing CVEs: A Plot Twist

Security researcher Aliz Hammond must have felt like a detective in a noir film, uncovering the mystery of why Juniper Networks didn't give each reported vulnerability its own CVE limelight. Juniper's explanation? A non-technical hiccup in their CVE application process. But fear not! They've reviewed their procedures, probably after realizing that cybersecurity isn't the same as a Netflix mystery where you can wait for the next episode to see what happens.

Juniper's Patch Schedule: Stranger Than Fiction

Juniper's patch release policy could be a Netflix original series with a cult following. They stick to a schedule that's as rigid as the 1980s TV Guide, only dropping fixes on the second Wednesday of the first month of every quarter. Because, you know, cyber threats totally adhere to our human concept of time and definitely won't exploit a vulnerability on a random Tuesday.

Waiting Game: The CVE Chronicles

In the end, Juniper Networks' tale had more twists than a pretzel factory. They planned to issue CVEs when the fixes were ready for all supported versions—because why not keep everyone in suspense? Despite the drama, let's give them a round of applause for finally stepping into the vulnerability spotlight. Curtain call!

Tags: CVE assignment, Juniper Networks, Junos OS, patch management, security advisory, Vulnerability Disclosure, XSS Flaw