Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Juniper Networks Junos OS EX Series PHP External Variable Modification Vulnerability

Vulnerability

A PHP external variable modification vulnerability has been identified in Juniper Networks Junos OS on EX Series switches. This vulnerability allows an unauthenticated, network-based attacker to manipulate important PHP environment variables. By sending a crafted request, an attacker can modify these variables, leading to a partial loss of integrity, which may be exploited in conjunction with other vulnerabilities. The issue affects all versions of Junos OS on EX Series prior to 20.4R3-S9, as well as specific 21.x, 22.x, and 23.2 versions.

Impact

Exploitation of this vulnerability allows for unauthorized modification of PHP environment variables, potentially leading to remote code execution by chaining with other vulnerabilities.

Reproduction

To reproduce this vulnerability, send a POST request to the J-Web interface of an affected Juniper EX Series switch. The request must include the 'PHPRC' variable set to '/dev/fd/0', along with 'allow_url_include' enabled. This will manipulate the PHP execution environment, allowing for code injection and execution.

Remediation

Users are advised to upgrade to Junos OS versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S2, 22.3R2-S2, 22.3R3-S1, 22.4R2-S1, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1 or any subsequent release. For the SRX Series, note that the listed EX releases fix the code execution vulnerability, whereas the SRX releases are affected by a separate file upload vulnerability but not the code execution.
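As an added helper for checking a fleet against the fixed releases listed above (example code, not part of this advisory), the function below parses a Junos version string and reports whether it is at or beyond a listed fix. It assumes the usual `major.minorRx-Sy` format; a False result means "not confirmed fixed by this list" (an older train or an unlisted R branch), not proof of exposure.

```python
import re
from typing import List, Tuple

# Fixed releases exactly as listed in the Remediation section.
FIXED_RELEASES: List[str] = [
    "20.4R3-S9", "21.2R3-S7", "21.3R3-S5", "21.4R3-S5", "22.1R3-S4",
    "22.2R3-S2", "22.3R2-S2", "22.3R3-S1", "22.4R2-S1", "22.4R3",
    "23.2R1-S1", "23.2R2", "23.4R1",
]

# (major, minor, R number, S number); a missing -S suffix counts as S0.
Version = Tuple[int, int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")


def parse_junos_version(text: str) -> Version:
    """Parse strings such as '22.3R3-S1' or '22.4R3' (assumed format)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    major, minor, r, s = m.groups()
    return int(major), int(minor), int(r), int(s or 0)


def is_confirmed_fixed(installed: str) -> bool:
    """True only when `installed` is at or beyond a listed fixed release.

    False means 'not confirmed fixed by this list' (older train, or an
    R branch the list does not name), not proof that the device is exposed.
    """
    major, minor, r, s = parse_junos_version(installed)
    fixed = [parse_junos_version(v) for v in FIXED_RELEASES]
    if (major, minor) > max(f[:2] for f in fixed):
        return True  # train newer than any listed fix: a subsequent release
    same_train = [f for f in fixed if f[:2] == (major, minor)]
    if not same_train:
        return False  # train not covered by the list (e.g. 20.3, 21.1)
    # Same R branch as a listed fix: the S level decides.
    for _, _, fixed_r, fixed_s in same_train:
        if r == fixed_r:
            return s >= fixed_s
    # A later R branch than any listed fix for this train is a subsequent release.
    return r > max(f[2] for f in same_train)
```

Feed it the output of `show version` from each EX switch and treat every False as a device to schedule for upgrade or manual review.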

Added: Apr 7, 2026, 11:38 AM
Updated: Apr 7, 2026, 11:38 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 0.6
exploitability: 9.0
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.