CISA warns of actively exploited Juniper pre-auth RCE exploit chain

CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain.

The alert comes one week after Juniper updated its advisory to notify customers that the flaws found in Juniper's J-Web interface (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) have been successfully exploited in the wild.

"Juniper SIRT is now aware of successful exploitation of these vulnerabilities. Customers are urged to immediately upgrade," the company said.

The warnings come after the ShadowServer threat monitoring service revealed it was already detecting exploitation attempts on August 25th, one week after Juniper released security updates to patch the flaws and as soon as watchTowr Labs security researchers also released a proof-of-concept (PoC) exploit.

According to Shadowserver data, over 10,000 Juniper devices have their vulnerable J-Web interfaces exposed online, most from South Korea (Shodan sees more than 13,600 Intenet-exposed Juniper devices).

Administrators are urged to immediately secure their devices by upgrading JunOS to the most recent release or, as a minimum precaution, restrict Internet access to the J-Web interface to eliminate the attack vector.

"Given the simplicity of exploitation, and the privileged position that JunOS devices hold in a network, we would not be surprised to see large-scale exploitation," watchTowr Labs researchers said in August.

"Those running an affected device are urged to update to a patched version at their earliest opportunity, and/or to disable access to the J-Web interface if at all possible."

Feds ordered to patch by November 17

​Today, CISA also added the four actively exploited Juniper vulnerabilities to its Known Exploited Vulnerabilities Catalog, tagging them as "frequent attack vectors for malicious cyber actors" and posing "significant risks to the federal enterprise."

With their addition to CISA's KEV list, U.S. Federal Civilian Executive Branch Agencies (FCEB) now must secure Juniper devices on their networks within a limited timeframe, following a binding operational directive (BOD 22-01) issued one year ago.

After today's KEV catalog update, federal agencies must complete the upgrading of all Juniper devices within the next four days, by November 17th.

While BOD 22-01 primarily targets U.S. federal agencies, CISA strongly encourages all organizations, including private companies, to prioritize patching the vulnerabilities as soon as possible.

In June, CISA issued the first binding operational directive (BOD) of the year, instructing U.S. federal agencies to enhance the security of Internet-exposed or misconfigured networking equipment, such as Juniper's firewall and switch devices, within a two-week window following discovery.