Reg story prompts fresh security bulletin, review of Juniper Networks' CVE process

Vendor gets tangled in its own web of undisclosed vulnerabilities

Juniper Networks has disclosed separate vulnerabilities it was previously accused of concealing, and apologized to customers for the error in communication.

The update, which happened late last week, comes hot on the heels of reporting from El Reg that highlighted how multiple security vendors were accused of bending the rules when it came to assigning CVEs for vulnerabilities in their products.

The four vulnerabilities reported to Juniper Networks by watchTowr researcher Aliz Hammond, which were later found to be missing individual CVEs, have now each been disclosed separately, per an out-of-cycle security advisory.

Despite submitting four vulnerability reports in total, Juniper credited watchTowr with the discovery of just two. The two other CVEs were apparently fixed in the original batch of updates – watchTowr is thought to have just rediscovered them – but they each now have their own distinct CVE.

The advisory details three separate missing authentication vulnerabilities, each carrying a 5.3 severity score, and an 8.8-severity cross-site scripting (XSS) flaw that could lead to code execution with admin privileges if exploited.

The newly disclosed issues affect J-Web in Junos OS SRX Series and EX Series, and are tracked as:

"Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability," the advisory reads.

"These issues affect all versions of Juniper Networks Junos OS on SRX Series and EX Series. As each issue is fixed in different versions of Junos, please check the solution section and note that any earlier versions, and versions not mentioned to be fixed are affected."

On Monday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning of the XSS vulnerability, saying: "CISA encourages users and administrators to review the Juniper bulletin and apply the necessary updates."

Juniper has apologized to customers via email and explained that the company had changed its assessment of the vulnerabilities reported by the researchers, according to a paywalled bulletin seen by watchTowr.

Hammond originally approached the vendor in 2023 to disclose the four vulnerabilities, and Juniper responded by requesting a delay to watchTowr's typical 90-day reporting window.

It sought additional time to develop and release fixes for the flaws, and allow customers to apply them before they were publicly disclosed – not unheard of for this type of thing.

Yet when Juniper's latest patches dropped on January 11, Hammond's vulnerabilities weren't assigned individual CVEs. Hammond also reported confusion about why the vendor didn't issue an out-of-cycle patch despite deeming the issues serious enough to warrant a delay to the disclosure process.

Juniper's patch schedule is structured to release fixes on the second Wednesday of the first month of every quarter, a policy Hammond previously described as "strange" given the urgency with which security updates should ideally be applied.

It does raise questions about Juniper's approach to fixing vulnerabilities, given that the longer vulnerabilities are left unaddressed, the wider the potential window available to attackers to exploit them.

Missing authentication vulnerabilities are among the easiest to exploit, so it is intriguing why Juniper didn't register each of the three now-disclosed flaws with its own CVE in the first place.

Juniper offered an explanation in its updated customer-facing bulletin, according to watchTowr, saying that due to non-technical reasons it typically applies for CVEs towards the end of the disclosure process.

The vendor has since reviewed this process, adding that it originally intended to register CVEs for the four now-disclosed vulnerabilities when fixes were available for all supported versions. It still hasn't responded to our requests for comment, though. ®
