Skip to the content.

DIVD-2023-00035 - Remote Code Execution in Juniper Networks SRX- and EX-Series

Our reference DIVD-2023-00035
Case lead Alwin Warringa
Author Max van der Horst
Researcher(s)
CVE(s)
Products
  • Juniper Networks SRX-Series
  • Juniper Networks EX-Series
  • Junos OS
Versions
  • All versions before 20.4R3-S8
  • 21.2 versions prior to 21.2R3-S6
  • 21.3 versions prior to 21.3R3-S5
  • 21.4 versions prior to 21.4R3-S5
  • 22.1 versions prior to 22.1R3-S3
  • 22.2 versions prior to 22.2R3-S2
  • 22.3 versions prior to 22.3R2-S2, 22.3R3
  • 22.4 versions prior to 22.4R2-S1, 22.4R3.
Recommendation Upgrade by installing the issued patch as soon as possible.
Patch status patches available
Workaround Disable J-Web or limit access to trusted devices.
Status Open
Last modified 29 Nov 2023 11:58

Summary

Multiple vulnerabilities have been discovered in Juniper Networks SRX- and EX-Series. By chaining these vulnerabilities, an unauthenticated attacker can achieve Remote Command Execution (RCE) and compromise the underlying operating system. Juniper urges everyone to upgrade to the patched versions as soon as possible.

Recommendations

Juniper has released a patch for all affected versions and urges users to install it as soon as possible. If this is not an option, disable J-Web or limit access to trusted devices.

What we are doing

DIVD is scanning for vulnerable systems. Owners of such systems will receive a notification with this casefile and remediation steps.

Timeline

Date Description
29 Nov 2023 DIVD started notifying stakeholders
28 Nov 2023 DIVD identified vulnerable devices
11 Sep 2023 DIVD starts scanning for this vulnerability.
11 Sep 2023 First version of this casefile.
11 Sep 2023 DIVD starts researching fingerprint
gantt title DIVD-2023-00035 - Remote Code Execution in Juniper Networks SRX- and EX-Series dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2023-00035 - Remote Code Execution in Juniper Networks SRX- and EX-Series (still open) :2023-09-11, 2024-04-30 section Events DIVD started notifying stakeholders : milestone, 2023-11-29, 0d DIVD identified vulnerable devices : milestone, 2023-11-28, 0d DIVD starts scanning for this vulnerability. : milestone, 2023-09-11, 0d First version of this casefile. : milestone, 2023-09-11, 0d DIVD starts researching fingerprint : milestone, 2023-09-11, 0d

More information