Hackers are using a set of critical exploits to target Juniper EX switches and SRX firewalls via the web-hosted J-Web configuration interface. A successful exploit lets unauthenticated attackers remotely execute code on unpatched devices.
"For a given request that doesn't require authentication, an attacker could download arbitrary files via J-Web, causing a certain part of the file system to lose its integrity, which could allow a link to other vulnerabilities," Juniper says.
A week after Juniper announced and released security updates to address four vulnerabilities potentially related to remote code execution, security researchers at watchTowr Labs released a proof-of-concept (PoC) exploit targeting the SRX firewall bugs (tracked as CVE-2023-36846 and CVE-2023-36845).
Juniper said there was no evidence of active exploitation, while watchTowr Labs believed attackers would soon target a wide range of unpatched Juniper devices.
"Given the ease of use and the privileged position that JunOS devices hold in the network, we wouldn't be surprised if they were deployed on a large scale," the researchers warned.
As expected, security researchers from the nonprofit internet security organization Shadowserver Foundation announced today that they have detected exploitation attempts that began on the same day watchTowr Labs' PoC exploit was released.
"Since August 25, we've seen exploitation attempts from multiple IP addresses for Juniper J-Web CVE-2023-36844 (and friends) pointing to the /webauth_operative," Shadowserver Foundation tweeted Tuesday. "A POC exploit was released on the same day. This consists of combining lower-severity CVEs to get RCE before authentication."
Piotr Kijewski, CEO of Shadowserver, confirmed to BleepingComputer that the attackers are using exploits built with watchTowr Labs' PoC as inspiration.
"It appears that the exploit attempts are based on this POC exploit, with a few variations, which attempts to download a PHP file and then execute it. So I think we can expect webshells," said Kijewski.
"Based on our honeypot observations, I would say that all Juniper instances with exposed J-Web have already been attacked. Currently, 29 IP addresses are attempting these attacks, […] likely more malicious actors."
According to Shadowserver data, more than 8,200 Juniper devices currently have J-Web interfaces exposed on the Internet, most of them from South Korea (Shodan shows more than 10,000 devices exposed on the Internet).
Administrators are advised to patch or update JunOS to the latest version immediately, or at least disable Internet access to the J-Web interface to eliminate the attack vector.
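One way to verify the second mitigation on an SRX firewall, as an added example that is not from the original article or from Juniper: the script below reads `show configuration | display set` text and reports where J-Web is still reachable from an external zone. The function name, the sample configuration and the assumption that the Internet-facing zone is called `untrust` are constructed for illustration.

```python
import re

# Constructed `show configuration | display set` excerpt (not from a real device).
SAMPLE_CONFIG = """\
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
"""

WEB = re.compile(r"set system services web-management (https?)\b(?: interface (\S+))?")
ZONE_IF = re.compile(r"set security zones security-zone (\S+) interfaces (\S+)")
# Lines ending in "except" are deliberately not matched, so the result errs
# on the side of reporting exposure rather than missing it.
INBOUND = re.compile(r"set security zones security-zone (\S+) (?:interfaces (\S+) )?"
                     r"host-inbound-traffic system-services (\S+)$")


def jweb_exposure(config, external_zones=("untrust",)):
    """Return sorted (zone, interface, protocol) tuples where J-Web is reachable."""
    enabled = {}    # protocol -> interfaces J-Web is bound to (empty set = all)
    members = {}    # zone -> interfaces in that zone
    permitted = {}  # (zone, interface or None) -> allowed host-inbound services
    for line in map(str.strip, config.splitlines()):
        if m := WEB.match(line):
            bound = enabled.setdefault(m.group(1), set())
            if m.group(2):
                bound.add(m.group(2))
        if m := ZONE_IF.match(line):
            members.setdefault(m.group(1), set()).add(m.group(2))
        if m := INBOUND.match(line):
            permitted.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    findings = []
    for zone in external_zones:
        for iface in members.get(zone, ()):
            # Interface-level host-inbound-traffic overrides the zone-level setting.
            services = permitted.get((zone, iface)) or permitted.get((zone, None), set())
            for proto, bound in enabled.items():
                if (proto in services or "all" in services) and (not bound or iface in bound):
                    findings.append((zone, iface, proto))
    return sorted(findings)


if __name__ == "__main__":
    for zone, iface, proto in jweb_exposure(SAMPLE_CONFIG):
        print(f"J-Web ({proto}) reachable from zone {zone} on {iface}")
```

An empty result means no external-zone interface both permits HTTP/HTTPS host-inbound traffic and has J-Web bound to it; EX switches have no security zones, so this check applies to SRX configurations only.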