
Thousands of Juniper Networks devices vulnerable to critical RCE bug

Yet more support for the argument to adopt memory-safe languages


More than 11,500 Juniper Networks devices are exposed to a new remote code execution (RCE) vulnerability, and infosec researchers are pressing admins to urgently apply the patches.

It's somewhat of a repeat scenario for Juniper Networks, which only recently got done patching the last round of critical RCE bugs in Junos OS, which runs on SRX firewalls and EX switches.

The latest vulnerability, tracked as CVE-2024-21591, impacts the software's J-Web configuration interface and carries a 9.8 CVSS severity score, the same score as August's bug, which a threat intel platform told us the vast majority of people didn't bother patching.

The data collated by Censys confirmed the number of exposures, and scans revealed that most exposed devices also displayed their model numbers. The SRX110H2-VA firewall was by far the most exposed – a device that went end of life (EOL) in 2018.

South Korea had the greatest number of exposed J-Web interfaces with 3,797 and the US followed with 1,326. Third-placed Hong Kong had fewer than half the US's exposures with 583, and China, in fourth place, had 455 as of January 11.

As for the nuts and bolts of the issue, an attacker can exploit the out-of-bounds write flaw to achieve various end goals including obtaining root privileges, causing denial of service, or RCE – all without the need for authentication.

Out-of-bounds write vulnerabilities are the number-one culprit for security issues, according to MITRE, and are part of the collection of bugs that the industry is trying to stamp out with a shift to memory-safe languages including Rust.

Juniper Networks said its incident response team hasn't spotted any signs of it being exploited in the wild yet, but that can all change in the days following vulnerability disclosures – especially when EOL equipment is involved.

The following software is vulnerable and patches should be applied as soon as possible:

For those unable to apply patches quickly, the suggested workaround is to "disable J-Web, or limit access to only trusted hosts," Juniper Networks' advisory read.
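Juniper's two workarounds in Junos set-command form, as an added illustration rather than text from the advisory or the article; the filter name and the 192.0.2.0/24 trusted range are assumed placeholders, and the `#` lines are explanatory comments to strip before pasting:

```junos
# Exposed state: J-Web reachable on every interface the device has an address on
set system services web-management https system-generated-certificate

# Workaround 1 (simplest): remove J-Web entirely
delete system services web-management

# Workaround 2: keep J-Web but only admit trusted hosts, by filtering traffic
# to the routing engine on lo0. Order matters: terms are evaluated top-down.
set firewall family inet filter PROTECT-RE term jweb-trusted from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term jweb-trusted from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-trusted from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-trusted then accept

# Everyone else gets dropped and logged before reaching the J-Web listener
set firewall family inet filter PROTECT-RE term jweb-block from protocol tcp
set firewall family inet filter PROTECT-RE term jweb-block from destination-port [ http https ]
set firewall family inet filter PROTECT-RE term jweb-block then log
set firewall family inet filter PROTECT-RE term jweb-block then discard

# Final term keeps SSH, routing protocols and other management traffic working;
# a production filter would enumerate those explicitly instead of a blanket accept
set firewall family inet filter PROTECT-RE term everything-else then accept

# Apply on the loopback so it covers traffic destined to the device itself
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Commit with `commit confirmed` so a mistake in the filter rolls back automatically rather than locking you out of the box.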

The disclosure comes months after the US Cybersecurity and Infrastructure Security Agency (CISA) issued a binding operational directive (23-02) highlighting the dangers of exposing management interfaces to the public web.

Federal agencies are required to either stop exposing interfaces to the public internet or ensure they're protected with zero-trust-aligned capabilities, with CISA preferring the latter. Regular orgs should probably do the same, after applying the patches, that is.

In other news, Juniper Networks may soon be part of HPE in a move that will effectively double the enterprise IT giant's networking segment business.

HPE officially announced its intent to buy Juniper last week in a deal that could cost around $14 billion – the company's largest acquisition in quite some time.

The most recent deal of this scale was in 2011 for Autonomy, and we all remember that notorious debacle. ®
