Juniper router, switches and firewalls zero day remote code execution vulnerability

Web application penetration testing specialists have revealed a vulnerability in the Juniper Junos operating system that could be exploited by threat actors to trigger remote code execution, bypass security restrictions, and expose sensitive information from the target system.

The vulnerability is present in the following versions of Junos OS: 12.3, 12.3X48, 14.1X53, 15.1, 15.1X49, 17.2, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4 and 20.1

Exploiting this vulnerability, a malicious hacker could inject commands into httpd.log, read files with readable file permission ‘world’ and even get J-Web session tokens.

In the case of command injection, because the HTTP service runs as a ‘nobody’ user, the impact of this command injection is limited, web application penetration testing specialists mention. The report notes that the vulnerability received a score of 5.3/10 on the Common Vulnerability Scoring System (CVSS) scale.

With regard to reading files with ‘world’ read permission, in Junos OS 19.3R1 and later, unauthenticated threat actors could access the configuration file by exploiting the vulnerability. This security flaw received a score of 5.9/10 on the CVSS scale.

In addition, if J-Web is enabled, the attacker could gain the same level of access from anyone who is actively logged in. If a target administrator logs in, the threat actor might gain administrator access to J-Web. This failure received a score of 8.8/10 on the CVSS scale, so it is considered a serious error. Note that this issue only affects Junos OS devices with HTTP/HTTPS services enabled.

In short, web application penetration testing experts mention:

  • If HTTP/HTTPS services are disabled, the impact of this failure is minimal
  • If HTTP/HTTPS services are enabled and J-Web is not in use, this vulnerability has a CVSS score of 5.9
  • If J-Web is enabled, this vulnerability has a CVSS score of 8.8

So far it is only known from one case of exploitation of this vulnerability in the wild. As a precaution, Juniper will notify customers so they can take appropriate action. The Juniper Security Incident Response Team (SIRT) recognized the vulnerabilities shortly after receiving the report and immediately began working on its correction.  

There are currently no workarounds to mitigate the risk of exploitation, so administrators of exposed deployments are encouraged to upgrade to the latest versions as soon as possible.

For further reports on vulnerabilities, exploits, malware variants and computer security risks you can access the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.