Juniper Networks Plugs High-Severity Gaps: Safeguard Your Systems Now!

Juniper Networks scrambles to patch its ‘whoopsie-daisy’ with updates faster than your last-minute tax filing. Say adios to pesky hackers exploiting flaws CVE-2024-21619 & CVE-2024-21620, and hello to cybersecurity peace of mind!

Hot Take:

Oh, the joy of updates! Just when you thought your network devices were as secure as Fort Knox, Juniper Networks bursts onto the scene with a fresh batch of “Oops, we did it again” patches for the SRX and EX series. If you’re not patching, you might as well leave your digital door open and bake cookies for the cybercriminals. Time to disrupt your IT department’s coffee break and get those systems patched before the hackers RSVP to the vulnerability party.

Key Points:

  • Juniper Networks released emergency updates for vulnerabilities that sound more like droid names from a galaxy far, far away: CVE-2024-21619 and CVE-2024-21620.
  • These glitches were found in the J-Web component, affecting all versions of Junos OS, which is like saying all the chocolate in the factory has gone bad (panic ensues).
  • CVE-2024-21619 could spill your sensitive config files like a toddler with juice, while CVE-2024-21620 could let hackers play puppet master with your permissions.
  • watchTowr Labs, probably donning capes and cool sunglasses, discovered these bugs and now we have a laundry list of versions that won’t get you pwned.
  • And for an extra sprinkle of urgency, CISA waved the red flag on two previously disclosed flaws, saying “pretty please” to patch since hackers are actively exploiting them.

Cve id: CVE-2024-21620
Cve state: PUBLISHED
Cve assigner short name: juniper
Cve date updated: 01/25/2024
Cve description: An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2.

Cve id: CVE-2024-21619
Cve state: PUBLISHED
Cve assigner short name: juniper
Cve date updated: 01/25/2024
Cve description: A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. An unauthenticated attacker can then attempt to access such a file by sending a specific request to the device trying to guess the name of such a file. Successful exploitation will reveal configuration information. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3; * 23.2 versions earlier than 23.2R1-S2, 23.2R2.

Cve id: CVE-2023-36851
Cve state: PUBLISHED
Cve assigner short name: juniper
Cve date updated: 01/25/2024
Cve description: A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to webauth_operation.php that doesn't require authentication, an attacker is able to upload and download arbitrary files via J-Web, leading to a loss of integrity or confidentiality, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * 21.2 versions prior to 21.2R3-S8; * 21.4 versions prior to 21.4R3-S6; * 22.1 versions prior to 22.1R3-S5; * 22.2 versions prior to 22.2R3-S3; * 22.3 versions prior to 22.3R3-S2; * 22.4 versions prior to 22.4R2-S2, 22.4R3; * 23.2 versions prior to 23.2R1-S2, 23.2R2.

Cve id: CVE-2023-36846
Cve state: PUBLISHED
Cve assigner short name: juniper
Cve date updated: 09/26/2023
Cve description: A Missing Authentication for Critical Function vulnerability in Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause limited impact to the file system integrity. With a specific request to user.php that doesn't require authentication an attacker is able to upload arbitrary files via J-Web, leading to a loss of integrity for a certain part of the file system, which may allow chaining to other vulnerabilities. This issue affects Juniper Networks Junos OS on SRX Series: * All versions prior to 20.4R3-S8; * 21.1 versions 21.1R1 and later; * 21.2 versions prior to 21.2R3-S6; * 21.3 versions prior to 21.3R3-S5; * 21.4 versions prior to 21.4R3-S5; * 22.1 versions prior to 22.1R3-S3; * 22.2 versions prior to 22.2R3-S2; * 22.3 versions prior to 22.3R2-S2, 22.3R3; * 22.4 versions prior to 22.4R2-S1, 22.4R3.

Cve id: CVE-2024-21591
Cve state: PUBLISHED
Cve assigner short name: juniper
Cve date updated: 01/26/2024
Cve description: An Out-of-bounds Write vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS), or Remote Code Execution (RCE) and obtain root privileges on the device. This issue is caused by use of an insecure function allowing an attacker to overwrite arbitrary memory. This issue affects Juniper Networks Junos OS SRX Series and EX Series: * Junos OS versions earlier than 20.4R3-S9; * Junos OS 21.2 versions earlier than 21.2R3-S7; * Junos OS 21.3 versions earlier than 21.3R3-S5; * Junos OS 21.4 versions earlier than 21.4R3-S5; * Junos OS 22.1 versions earlier than 22.1R3-S4; * Junos OS 22.2 versions earlier than 22.2R3-S3; * Junos OS 22.3 versions earlier than 22.3R3-S2; * Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3.
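The affected-version clauses in the records above are the part a defender actually has to act on, and they follow one fixed sentence shape ("* <train> versions earlier than <fix>[, <fix>];", with "All versions" and "<train> versions <x> and later" variants). The Python below is an added example, not code from the original post or from Juniper: it parses those clauses straight out of the CVE description text and returns a verdict for a device's release string. Assumptions of this example, not statements from the page: Junos release strings order by train, then R release, then S service release; a later R release in the same train carries an earlier fix forward; a train the advisory does not mention is reported as "not listed" rather than treated as safe. The two affected-version sentences embedded below are copied from the CVE-2024-21620 and CVE-2024-21619 records on this page; the device inventory in the `__main__` block is constructed.

```python
"""Check a Junos OS release string against an advisory's affected-version clauses.

Added example (not Juniper's or the original post's code). Junos version ordering,
the carry-forward rule for later R releases and the handling of unlisted trains
are this example's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Junos release strings look like 21.4R3-S5: train 21.4, release R3, service release S5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?$")
# "* 21.2 versions earlier than 21.2R3-S8" / "* All versions prior to 20.4R3-S8"
_FIX_CLAUSE_RE = re.compile(
    r"^(?:(?P<train>\d+\.\d+) )?(?:All )?versions (?:earlier than|prior to) (?P<fixes>.+)$")
# "* 21.1 versions 21.1R1 and later": whole train affected, no fix listed
_WHOLE_TRAIN_RE = re.compile(r"^(?P<train>\d+\.\d+) versions \d+\.\d+R\d+ and later$")


@dataclass(frozen=True, order=True)
class JunosVersion:
    major: int
    minor: int
    release: int
    service: int = 0  # bare 21.4R3 sorts before 21.4R3-S1 (assumed ordering)

    @classmethod
    def parse(cls, text: str) -> JunosVersion:
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised Junos version: {text!r}")
        major, minor, release, service = m.groups()
        return cls(int(major), int(minor), int(release), int(service or 0))

    @property
    def train(self) -> tuple[int, int]:
        return (self.major, self.minor)


@dataclass
class Advisory:
    baseline: tuple[int, int]  # every train older than this is affected ("All versions earlier than")
    fixes: dict[tuple[int, int], list[JunosVersion]] = field(default_factory=dict)


def parse_affected(sentence: str) -> Advisory:
    """Parse the '* ...;' clauses of an advisory; the full CVE description may be passed."""
    adv = Advisory(baseline=(0, 0))  # no "All versions" clause: nothing older is implied
    for chunk in sentence.split("*")[1:]:
        chunk = re.sub(r"^Junos OS ", "", chunk.strip().rstrip(";.").strip())
        if m := _FIX_CLAUSE_RE.match(chunk):
            fixes = [JunosVersion.parse(v) for v in m["fixes"].split(",")]
            if m["train"] is None:  # "All versions earlier than X" sets the baseline train
                adv.baseline = fixes[0].train
            adv.fixes[fixes[0].train] = fixes
        elif m := _WHOLE_TRAIN_RE.match(chunk):
            adv.fixes[tuple(int(x) for x in m["train"].split("."))] = []
        else:
            raise ValueError(f"unrecognised clause: {chunk!r}")
    return adv


def check(version: str, adv: Advisory) -> str:
    """Return 'affected', 'fixed' or 'not listed' for one device release string."""
    v = JunosVersion.parse(version)
    if v.train < adv.baseline:
        return "affected"
    if v.train not in adv.fixes:
        return "not listed"  # advisory names no fix for this train: verify, do not assume safe
    # Only fixes in the same or an earlier R release apply; a later R carries them forward.
    candidates = [f for f in adv.fixes[v.train] if f.release <= v.release]
    if candidates and v >= max(candidates):
        return "fixed"
    return "affected"


# Affected-version sentences as quoted in the CVE records above.
AFFECTED = {
    "CVE-2024-21620": parse_affected(
        "* All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; "
        "* 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; "
        "* 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; "
        "* 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; "
        "* 23.4 versions earlier than 23.4R2."),
    "CVE-2024-21619": parse_affected(
        "* All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; "
        "* 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S6; "
        "* 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; "
        "* 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3; "
        "* 23.2 versions earlier than 23.2R1-S2, 23.2R2."),
}


def audit(version: str) -> dict[str, str]:
    """Verdict for one device release against every advisory loaded above."""
    return {cve: check(version, adv) for cve, adv in AFFECTED.items()}


if __name__ == "__main__":
    # Constructed inventory: the release string each device reports, one per line.
    for host, ver in [("srx-edge-1", "21.4R3-S5"), ("ex-access-2", "23.2R1-S3"), ("srx-lab", "20.3R1")]:
        print(host, ver, audit(ver))
```

The two-fix clause "23.2 versions earlier than 23.2R1-S2, 23.2R2" is where a naive "compare against the lowest fixed version" check goes wrong: 23.2R1-S3 is below 23.2R2 but already carries the R1-S2 fix, so the checker only compares against fixes in the same or an earlier R release. A "not listed" verdict (for example 21.3 under CVE-2024-21620, which the advisory does not mention) is deliberately not reported as safe; that train should be confirmed against the vendor advisory before being closed out.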

Need to know more?

Patch Me If You Can

Our friends at Juniper Networks are back with a new mixtape of security patches hotter than your summer playlist. It's like a whack-a-mole game with high-severity flaws that keep popping up in their networking gear. This time, the SRX and EX series are taking center stage, and the vulnerabilities in question could basically hand over the keys to your kingdom if left unchecked. The moral of the story? If you don't update, you might as well start drafting your "Sorry for the security breach" press release.

The Dynamic Duo: CVE-2024-21619 & CVE-2024-21620

Let's talk about CVE-2024-21619 first—imagine if someone could peek into your diary without even asking. Not cool, right? Well, this vulnerability could let uninvited guests view your sensitive configuration info without breaking a sweat. Moving on to CVE-2024-21620, which is pretty much the digital equivalent of someone slipping a "Kick me" sign on your back, but replace the sign with arbitrary commands and the kick with a potential security disaster. Not exactly the kind of XSS-essories you'd want to flaunt.

The Patch Parade

The good folks at Juniper have rolled out a patchwork quilt of updates that could rival your grandma's craftsmanship. They've got a fix for every affected version, which is reassuring, unless you're the one tasked with applying all those updates. Then it's more of a "grab another coffee and cancel your weekend plans" scenario. The company also suggests some temporary duct tape solutions, like disabling J-Web or playing digital bouncer and only letting trusted hosts through the door.

Not So Fun Fact: CVEs on the KEV

Just to dial up the urgency a notch, CISA has tossed CVE-2023-36846 and CVE-2023-36851 into the KEV catalog, which is essentially the cybersecurity world's version of the "Most Wanted" list. These flaws are getting more action than a summer blockbuster, with evidence of active exploitation, which is code for "hackers love this one simple trick."

Don't Forget the Critical Curtain Call

Earlier this month, Juniper pulled a "hold my beer" and patched another critical issue (CVE-2024-21591) that was so severe it could've let attackers not just knock on your network's door but kick it down and throw a wild party inside. It's like the grand finale of a fireworks show—if each firework was a potential security breach waiting to explode spectacularly.

In conclusion, patch your stuff, people. And maybe send a fruit basket to watchTowr Labs for their vigilance. The cyber world is a wild west of vulnerabilities, and it's updates like these that keep your saloon doors swinging safely.

Tags: Critical Flaws, Cross-Site Scripting (XSS), CVE-2024-21619, CVE-2024-21620, J-Web vulnerabilities, Juniper Networks, security updates