On 10 January 2024, Juniper Networks released a patch for a critical remote code execution (RCE) vulnerability - tracked as CVE-2024-21591 (CVSS 9.8) - impacting the J-Web configuration interface in Junos OS SRX Series and EX Series.
The vulnerability can be triggered without authentication and may lead to execution of arbitrary code with root privileges and to carry out DDOS attacks against the vulnerable instance.
According to the Juniper Networks advisory, vulnerable versions include:
Junos OS versions earlier than 20.4R3-S9;
Junos OS 21.2 versions earlier than 21.2R3-S7;
Junos OS 21.3 versions earlier than 21.3R3-S5;
Junos OS 21.4 versions earlier than 21.4R3-S5;
Junos OS 22.1 versions earlier than 22.1R3-S4;
Junos OS 22.2 versions earlier than 22.2R3-S3;
Junos OS 22.3 versions earlier than 22.3R3-S2;
Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3
A cursory research of internet-facing web interfaces via Shodan reveals majority of these are located in the United States and South Korea. A considerable number of instances was found in Canada, Japan and Germany. However, such research has no ability to validate whether these instances are vulnerable.
