The U.S. CISA has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.
The agency has added five vulnerabilities of medium severity to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation –
- CVE-2023-36844 – Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
- CVE-2023-36845 – Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
- CVE-2023-36846 – Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
- CVE-2023-36847 – Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
- CVE-2023-36851 – Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
The vulnerabilities could be fashioned into an exploit chain to achieve remote code execution on unpatched devices. Also added to the list is CVE-2023-36851, which has been described as a variant of the SRX upload flaw.
Juniper, in an update to its advisory on November 8, 2023, said it’s now aware of successful exploitation of these vulnerabilities, recommending that customers update to the latest versions with immediate effect.
In a separate alert, CISA has also warned that the Royal ransomware gang may rebrand as BlackSuit owing to the fact that the latter shares a number of identified coding characteristics similar to Royal ransomware.
