Background
Juniper Networks SRX Series firewalls and EX Series switches are enterprise networking gear used in data centres, campus networks, and service provider environments. The J-Web management interface allows administrators to configure and monitor these devices through a browser. It’s often exposed on management interfaces that may be reachable from untrusted networks.
CVE-2023-36844 is part of a four-bug chain (along with CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) disclosed by watchTowr Labs researchers in August 2023. Individually the bugs are low/medium severity. Chained together they achieve unauthenticated remote code execution. Juniper’s initial CVSS scoring underplayed the combined risk, and after researchers published proof-of-concept code, exploitation began quickly.
Technical Mechanism
The chain works as follows:
- CVE-2023-36846 / CVE-2023-36847 — Unauthenticated file upload to J-Web. Certain PHP file upload endpoints don’t require authentication and accept arbitrary files. Attackers upload a malicious PHP file to a temporary location on the device.
- CVE-2023-36844 / CVE-2023-36845 — PHP environment variable injection in J-Web. The `PHPRC` environment variable controls where PHP looks for its configuration file (`php.ini`). By manipulating the `PHPRC` environment variable through a vulnerable request parameter, an attacker can point PHP to an attacker-controlled `php.ini` file — specifically the one uploaded in step 1.
- The malicious `php.ini` sets `auto_prepend_file` to the attacker’s uploaded PHP payload, which is then executed when any subsequent PHP page is loaded.
End result: unauthenticated PHP code execution on the device, which runs as a privileged system process under Juniper’s JunOS.
The watchTowr Labs disclosure was particularly detailed and included a working proof-of-concept, which significantly accelerated the exploitation timeline.
Real-World Exploitation Evidence
Within a week of the watchTowr disclosure in August 2023:
- Mass scanning — Shadowserver and multiple security firms observed widespread scanning for J-Web management interfaces
- Active exploitation — CISA confirmed active exploitation and added the vulnerabilities to the KEV catalogue within days
- Initial access broker activity — compromised Juniper devices were observed being sold for network access
- Chinese APT suspicion — the targeting pattern (networking infrastructure at telcos and government agencies) is consistent with Chinese state-sponsored activity, though no formal attribution was made
Shodan scans showed tens of thousands of J-Web instances publicly accessible, with a significant proportion running vulnerable software versions.
Impact Assessment
- Code execution on JunOS — the underlying operating system of Juniper devices
- Full device control — modify firewall rules, routing configurations, and VPN settings
- Network visibility — capture or redirect traffic
- Configuration exfiltration — routing tables, VPN configurations, and credentials accessible
- Persistent access — JunOS supports custom scripts and processes; attackers can establish persistence
- Lateral movement — enterprise firewalls and switches are well-positioned for pivoting to internal networks
Affected Versions
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Juniper SRX Series | Junos OS 20.4R3-S8 and earlier | 20.4R3-S9 |
| Juniper SRX Series | Junos OS 21.2R3-S6 and earlier | 21.2R3-S7 |
| Juniper SRX Series | Junos OS 21.4R3-S5 and earlier | 21.4R3-S6 |
| Juniper SRX Series | Junos OS 22.1R3-S3 and earlier | 22.1R3-S4 |
| Juniper SRX Series | Junos OS 22.2R3 and earlier | 22.2R3-S2 |
| Juniper EX Series | Same version ranges | Same fixed versions |
Remediation Steps
- Update JunOS to the patched versions listed in Juniper’s advisory JSA72300
- If patching cannot be done immediately, disable J-Web access from untrusted interfaces:

  ```
  delete system services web-management
  commit
  ```

- Alternatively, restrict J-Web to trusted management IPs via firewall filters:

  ```
  set firewall filter MGMT-ACCESS term ALLOW-J-WEB from source-address <trusted-ip/32>
  set firewall filter MGMT-ACCESS term ALLOW-J-WEB then accept
  set firewall filter MGMT-ACCESS term DENY-REST then discard
  set interfaces <mgmt-interface> unit 0 family inet filter input MGMT-ACCESS
  ```

  Note that the `DENY-REST` term discards every other inbound packet on that interface, so SSH or NETCONF from any management host not covered by the trusted source address needs its own accept term before the filter is committed.
- Review `/var/tmp/` and `/cf/var/db/` for unexpected PHP files
- Check J-Web access logs for unusual file upload requests or PHP environment variable manipulation
- Rotate all credentials if compromise is suspected
Detection Guidance
J-Web access logs — located at /var/log/ on JunOS. Look for:
- POST requests to file upload endpoints from untrusted IPs
- Requests with unusual parameters that might contain `PHPRC` or path references
- Successful file uploads followed by PHP execution
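The three log indicators above, turned into a small triage script as an added example (not part of the original advisory or any Juniper tooling). It assumes access logs in a combined-log shape; the sample lines, the `/upload_placeholder.php` endpoint name, the trusted management IP and the five-minute correlation window are all constructed placeholders, to be replaced with the real endpoint names and trust list for your release.

```python
import re
from datetime import datetime

# Constructed sample lines in combined-log shape (not real J-Web logs); the
# endpoint path is a placeholder, not Juniper's actual script name.
SAMPLE_LOG = """\
198.51.100.5 - - [25/Aug/2023:09:58:11 +0000] "GET /login.php HTTP/1.1" 200 2310
203.0.113.7 - - [25/Aug/2023:10:01:02 +0000] "POST /upload_placeholder.php HTTP/1.1" 200 88
203.0.113.7 - - [25/Aug/2023:10:01:03 +0000] "GET /index.php?PHPRC=/var/tmp/php.ini HTTP/1.1" 200 41
203.0.113.7 - - [25/Aug/2023:10:01:04 +0000] "GET /index.php HTTP/1.1" 200 41
198.51.100.5 - - [25/Aug/2023:10:05:40 +0000] "GET /dashboard.php HTTP/1.1" 200 9001
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
UPLOAD_PATHS = {"/upload_placeholder.php"}  # placeholder: fill from your release
TRUSTED_IPS = {"198.51.100.5"}              # constructed management trust list
EXEC_WINDOW_S = 300                         # upload -> PHP request within 5 min

def parse(log_text):
    """Yield one dict per well-formed line with a parsed timestamp and split path/query."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            e["path"], _, e["query"] = e["target"].partition("?")
            yield e

def detect(log_text):
    """Return (ip, reason) findings for the three log indicators listed above."""
    findings = []
    last_upload = {}  # ip -> time of its most recent upload POST, cleared once matched
    for e in parse(log_text):
        ip, lowered = e["ip"], e["target"].lower()
        # Indicator 3: a PHP page served to an IP that uploaded a file moments earlier.
        uploaded_at = last_upload.get(ip)
        if (uploaded_at and e["status"] == "200" and e["path"].endswith(".php")
                and (e["ts"] - uploaded_at).total_seconds() <= EXEC_WINDOW_S):
            findings.append((ip, "PHP request shortly after file upload"))
            del last_upload[ip]
        # Indicator 1: POST to an upload endpoint from outside the trusted set.
        if e["method"] == "POST" and e["path"] in UPLOAD_PATHS and ip not in TRUSTED_IPS:
            findings.append((ip, "upload endpoint POST from untrusted IP"))
            last_upload[ip] = e["ts"]
        # Indicator 2: PHPRC or a php.ini / temp-path reference in the request line.
        if "phprc" in lowered or "php.ini" in lowered or "/var/tmp" in lowered:
            findings.append((ip, "PHPRC or php.ini path reference in request"))
    return findings
```

Running `detect(SAMPLE_LOG)` flags only the 203.0.113.7 session, once per indicator; a `PHPRC` parameter from a trusted host is still reported, since the trust list only suppresses the upload-endpoint check.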
File system monitoring — check for unexpected .php files in web-accessible directories or temp directories.
Suricata signature:

```
alert http any any -> $HTTP_SERVERS any (msg:"Juniper J-Web CVE-2023-36844 PHP ENV Injection"; flow:established,to_server; http.request_body; content:"PHPRC"; classtype:web-application-attack; sid:2034011; rev:1;)
```
Network activity — unexpected outbound connections from Juniper device management interfaces, particularly to new external destinations.
Timeline
| Date | Event |
|---|---|
| 16 August 2023 | Juniper patches CVE-2023-36844 through CVE-2023-36847 |
| 25 August 2023 | watchTowr Labs publishes detailed technical analysis and PoC |
| August 2023 | Mass scanning begins; exploitation observed within days |
| August 2023 | CISA adds to Known Exploited Vulnerabilities catalogue |
| 2023 | Continued exploitation of unpatched Juniper devices |