CVE-2024-39565

Summary

An Improper Neutralization of Data within XPath Expressions ('XPath Injection') vulnerability in J-Web shipped with Juniper Networks Junos OS allows an unauthenticated, network-based attacker to execute remote commands on the target device. 

While an administrator is logged into a J-Web session or has previously logged in and subsequently logged out of their J-Web session, the attacker can arbitrarily execute commands on the target device with the other user's credentials. In the worst case, the attacker will have full control over the device. This issue affects Junos OS: 

  • All versions before 21.2R3-S8, 
  • from 21.4 before 21.4R3-S7,
  • from 22.2 before 22.2R3-S4,
  • from 22.3 before 22.3R3-S3,
  • from 22.4 before 22.4R3-S2,
  • from 23.2 before 23.2R2,
  • from 23.4 before 23.4R1-S1, 23.4R2.

Affected Software

VendorProductVersion RangeStatus
Juniper Networks, Inc.Junos OS0 < 21.2R3-S8affected
Juniper Networks, Inc.Junos OS21.4 < 21.4R3-S7affected
Juniper Networks, Inc.Junos OS22.2 < 22.2R3-S4affected
Juniper Networks, Inc.Junos OS22.3 < 22.3R3-S3affected
Juniper Networks, Inc.Junos OS22.4 < 22.4R3-S2affected
Juniper Networks, Inc.Junos OS23.2 < 23.2R2affected
Juniper Networks, Inc.Junos OS23.4 < 23.4R1-S1, 23.4R2affected

Weaknesses

  • CWE-643: CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection')

Workarounds

There are no known workarounds for this issue other than disabling J-Web when not in use.

Juniper Networks has written an effective countermeasure for this attack at IDP Signature SigPack #3675 onward, released on 07 February 2024. The signature “HTTP:PHP:LAUNCHPAD-CMD-INJ” will identify and block the attack. For best effect, customers may deploy this signature on devices where J-Web is not used. Methods which may reduce, but not eliminate, the risk for exploitation of these problems, and which does not mitigate or resolve the underlying problem include:

• Deploying the appropriate IDP Signature on devices which do not have J-Web enabled which protect the device downstream which requires J-Web to be enabled.

• Disabling J-Web and using only alternate options such as Netconf over SSH for device management

• Restricting the use of J-Web to low-privileged accounts only

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to the device only from trusted, administrative networks or hosts.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References