CVE-2023-36844 RCE Bug Chain

Adversaries are weaponizing four newly disclosed security flaws in the J-Web component of Junos OS, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847. None of the bugs yields code execution on its own, but chained together they allow an unauthenticated attacker to execute arbitrary code on vulnerable devices. After a PoC exploit chaining the Junos OS flaws was published, cyber defenders are raising awareness about the growing number of related exploitation attempts.

Detect CVE-2023-36844 RCE Chain Exploit

With proof-of-concept (PoC) exploit code for the CVE-2023-36844 RCE chain publicly available on the web, security professionals need curated detection content to proactively identify possible intrusions. SOC Prime Platform aggregates a relevant Sigma rule that helps detect possible RCE chain exploitation attempts observed through web proxy logs.

Possible CVE-2023-36844 (Juniper PHP External Variable Modification) RCE Chain Exploitation Attempt (via proxy)

This rule is compatible with 18 SIEM, EDR, XDR, and Data Lake technology formats and is mapped to the MITRE ATT&CK framework, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the corresponding technique.
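To show what a proxy-based detection for this chain looks like in practice, here is an added example written for this article; it is not SOC Prime's Sigma rule and not watchTowr's PoC code. The proxy log lines are constructed, and the indicator set is an assumption: PHP configuration variables (PHPRC, auto_prepend_file) injected via the query string as a proxy for the PHP External Variable Modification bugs, and a POST carrying rs=do_upload to /webauth_operation.php as a proxy for the unauthenticated upload bugs. Both the endpoint and the action name are taken from public descriptions of the exploit chain and should be validated against your own J-Web traffic before use.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines for this example (not real traffic).
# Format: "<client_ip> <method> <url> <status>"
SAMPLE_PROXY_LOG = """\
203.0.113.10 POST http://jweb.example.net/?PHPRC=/dev/fd/0 200
203.0.113.10 POST http://jweb.example.net/webauth_operation.php?rs=do_upload 200
198.51.100.7 GET http://jweb.example.net/login.php 200
198.51.100.7 GET http://jweb.example.net/?phprc=%2Ftmp%2Fx.ini 403
192.0.2.44 GET http://intranet.example.net/index.php?page=home 200
"""

LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Assumed indicators (hypothetical, not the page's Sigma rule):
# - PHP runtime configuration variables pushed through the query string
#   (PHP External Variable Modification: CVE-2023-36844 / CVE-2023-36845)
# - unauthenticated upload action sent to the J-Web upload handler
#   (Missing Authentication for Critical Function: CVE-2023-36846 / CVE-2023-36847)
PHP_ENV_PARAMS = {"phprc", "auto_prepend_file", "auto_append_file"}
UPLOAD_PATH = "/webauth_operation.php"
UPLOAD_ACTIONS = {"do_upload"}

REASON_ENV = "php_external_variable_modification"
REASON_UPLOAD = "unauthenticated_upload"


@dataclass(frozen=True)
class Hit:
    src: str
    method: str
    url: str
    status: int
    reason: str


def parse_line(line):
    """Parse one proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def classify(event):
    """Return a detection reason for the event, or None if it looks benign."""
    parts = urlsplit(event["url"])
    # parse_qs percent-decodes keys, so %50HPRC and PHPRC compare equal.
    query = parse_qs(parts.query, keep_blank_values=True)
    keys = {k.lower() for k in query}
    if keys & PHP_ENV_PARAMS:
        return REASON_ENV
    if parts.path.lower() == UPLOAD_PATH and event["method"] == "POST":
        actions = {v.lower() for v in query.get("rs", [])}
        if actions & UPLOAD_ACTIONS:
            return REASON_UPLOAD
    return None


def scan(log_text):
    """Run the selection over every line; blocked (4xx) attempts still count."""
    hits = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reason = classify(event)
        if reason:
            hits.append(Hit(event["src"], event["method"], event["url"],
                            event["status"], reason))
    return hits


def hits_by_source(hits):
    """Group detection reasons per client IP, preserving log order."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.src, []).append(h.reason)
    return grouped


def chain_candidates(hits):
    """Sources that triggered both stages: env-var modification and upload."""
    grouped = hits_by_source(hits)
    return sorted(src for src, reasons in grouped.items()
                  if REASON_ENV in reasons and REASON_UPLOAD in reasons)


if __name__ == "__main__":
    found = scan(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.src} {h.method} {h.url} {h.status} -> {h.reason}")
    print("chain candidates:", chain_candidates(found))
```

A single hit on either stage is worth triaging, but a source that trips both the environment-variable and the upload indicator within one session is the stronger signal, which is what chain_candidates surfaces; the 403 in the sample is kept as a hit on purpose, since a blocked attempt still tells you the device is being targeted.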

To dive into the entire collection of Sigma rules detecting exploitation attempts of existing and emerging vulnerabilities, press the Explore Detections button below. Grab relevant detection algorithms and explore extensive metadata, including CTI and MITRE ATT&CK context.

Explore Detections

Juniper RCE Bug Chain Attack Analysis

On August 19, 2023, Juniper Networks released a security notice warning defenders of four newly uncovered flaws in the J-Web component of Junos OS that can lead to RCE if chained together. The issues affect all versions of Junos OS on EX Series switches and SRX Series firewalls prior to the fixed releases, which requires immediate attention from cyber defenders following the recommendations provided in the security bulletin.

Taken individually, each bug carries only a medium CVSS score of 5.3, but Juniper rates the combined chain critical with a cumulative CVSS score of 9.8. The flaws can be grouped as follows:

  • CVE-2023-36844 and CVE-2023-36845 are PHP External Variable Modification vulnerabilities that let an unauthenticated, network-based attacker control certain important environment variables of the PHP runtime behind J-Web
  • CVE-2023-36846 and CVE-2023-36847 are Missing Authentication for Critical Function flaws that let an unauthenticated, network-based attacker upload arbitrary files via J-Web, compromising file system integrity.

Although Juniper Networks stated there was no evidence of in-the-wild attacks exploiting the bug chain, the situation changed about one week after watchTowr Labs released its PoC exploit. The Shadowserver Foundation identified a series of exploitation attempts from a set of IP addresses weaponizing CVE-2023-36844 and the other bugs in the RCE chain, using the above-referenced PoC. To provide more insight into how these Junos OS flaws are chained and weaponized, the researchers also published a technical deep-dive with an in-depth analysis of the exploitation process.

According to the Shadowserver team, over 8,000 Juniper devices expose their J-Web interface to the Internet and are therefore reachable by these attempts, with most of them located in South Korea.

To mitigate the threat, Juniper recommends immediately applying the patches or upgrading to a fixed Junos OS release. As an interim workaround, disabling J-Web, or restricting access to it to trusted hosts only, removes the vulnerable component from Internet exposure and reduces the attack surface.

Rely on collective CTI and build your research on top of peer-driven expertise with Uncoder AI while saving time in your daily security operations and keeping a finger on the pulse of the ever-changing threat environment.

