{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/srx-series/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33790"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Junos OS","SRX Series"],"_cs_severities":["high"],"_cs_tags":["dos","icmpv6","junos","srx","nat64"],"_cs_type":"advisory","_cs_vendors":["Juniper"],"content_html":"\u003cp\u003eCVE-2026-33790 is a vulnerability affecting Juniper Networks Junos OS on SRX Series devices. The vulnerability resides in the flow daemon (flowd) and is triggered by sending a specific, malformed ICMPv6 packet to the device during NAT64 translation. This causes the srxpfe process to crash and restart. The continuous receipt and processing of these malformed packets will repeatedly crash the srxpfe process, resulting in a sustained Denial of Service (DoS) condition. The vulnerability is specific to ICMPv6 traffic and does not affect IPv4 or other IPv6 traffic types. Affected versions include versions before 21.2R3-S10, all versions of 21.3, versions 21.4 before 21.4R3-S12, all versions of 22.1, versions 22.2 before 22.2R3-S8, all versions of 22.4, versions 22.4 before 22.4R3-S9, versions 23.2 before 23.2R2-S6, versions 23.4 before 23.4R2-S7, versions 24.2 before 24.2R2-S3, versions 24.4 before 24.4R2-S3, and versions 25.2 before 25.2R1-S2, 25.2R2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Juniper SRX Series device running Junos OS with NAT64 enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a specific, malformed ICMPv6 packet.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malformed ICMPv6 packet to the SRX device.\u003c/li\u003e\n\u003cli\u003eThe SRX device receives the ICMPv6 packet and attempts NAT64 translation.\u003c/li\u003e\n\u003cli\u003eDue to the malformed packet, the flowd process encounters an improper check condition.\u003c/li\u003e\n\u003cli\u003eThe srxpfe process crashes as a result of the malformed ICMPv6 packet.\u003c/li\u003e\n\u003cli\u003eThe srxpfe process restarts automatically.\u003c/li\u003e\n\u003cli\u003eThe attacker continuously sends malformed ICMPv6 packets to repeatedly crash the srxpfe process, sustaining a Denial-of-Service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a Denial-of-Service condition on the affected Juniper SRX Series device. This can disrupt network services, impacting connectivity and availability for legitimate users. The repeated crashing of the srxpfe process can severely degrade device performance and potentially lead to complete service outage. The number of potential victims is dependent on the number of deployed, vulnerable Juniper SRX series devices with NAT64 enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the appropriate patch or upgrade to a fixed version of Junos OS on SRX Series devices as specified in the Juniper advisory to remediate CVE-2026-33790.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual or malformed ICMPv6 packets destined for SRX devices performing NAT64, as this may indicate exploitation attempts, and deploy the provided Sigma rule to detect such activity.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting for ICMPv6 traffic at the network perimeter to mitigate the impact of potential DoS attacks targeting this vulnerability, preventing the continuous crashing of the srxpfe process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-06-19T12:00:00Z","date_published":"2024-06-19T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-06-junos-icmpv6-dos/","summary":"A specific, malformed ICMPv6 packet sent to a Juniper Networks Junos OS SRX Series device can trigger a crash and restart of the srxpfe process, leading to a sustained Denial of Service.","title":"Juniper Junos OS SRX Series ICMPv6 Denial-of-Service Vulnerability (CVE-2026-33790)","url":"https://feed.craftedsignal.io/briefs/2024-06-junos-icmpv6-dos/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Junos OS","J-Web","SRX Series","EX Series"],"_cs_severities":["critical"],"_cs_tags":["juniper","rce","cve-2023-36844","cve-2023-36845","cve-2023-36846","cve-2023-36847"],"_cs_type":"advisory","_cs_vendors":["Juniper Networks"],"content_html":"\u003cp\u003eJuniper Networks devices, specifically those using the J-Web interface, are susceptible to remote code execution vulnerabilities. These vulnerabilities, including CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, allow attackers to execute arbitrary code on affected systems. The primary attack vector involves sending malicious requests to the \u003ccode\u003e/webauth_operation.php\u003c/code\u003e endpoint with manipulated \u003ccode\u003ePHPRC\u003c/code\u003e parameters. Successful exploitation grants the attacker unauthorized access, potentially leading to data theft, network compromise, and complete system control. Exploitation attempts have been observed targeting vulnerable Juniper SRX and EX series devices. Publicly available exploit code exists, increasing the likelihood of widespread exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Juniper Networks device running J-Web.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003e/webauth_operation.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ePHPRC\u003c/code\u003e parameter containing PHP code designed to execute commands on the server.\u003c/li\u003e\n\u003cli\u003eThe vulnerable J-Web interface processes the request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe attacker's PHP code executes with the privileges of the web server process.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a reverse shell connection to an external server using \u003ccode\u003enc\u003c/code\u003e or \u003ccode\u003ebash -i\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the reverse shell to execute commands, enumerate the system, and escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a persistent backdoor, exfiltrates sensitive data, and pivots to other internal systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over Juniper Networks devices. This can lead to data theft, network outages, and further compromise of internal networks. The vulnerabilities affect a wide range of Juniper SRX and EX series devices, potentially impacting numerous organizations. If successful, attackers can deploy ransomware, steal intellectual property, or disrupt critical network services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect exploitation attempts (rules: \u0026quot;Juniper J-Web RCE via webauth_operation.php\u0026quot; and \u0026quot;Juniper J-Web RCE Reverse Shell\u0026quot;).\u003c/li\u003e\n\u003cli\u003eInspect web server logs for requests to \u003ccode\u003e/webauth_operation.php?PHPRC=*\u003c/code\u003e (IOC: \u003ccode\u003eurl: /webauth_operation.php?PHPRC=*\u003c/code\u003e) and investigate any matches.\u003c/li\u003e\n\u003cli\u003eMonitor for outbound network connections from Juniper devices to unusual or suspicious IP addresses, which may indicate a reverse shell (rule: \u0026quot;Juniper J-Web RCE Reverse Shell\u0026quot;).\u003c/li\u003e\n\u003cli\u003ePatch CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847 on all affected Juniper devices immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-juniper-rce/","summary":"Exploitation attempts targeting Juniper Networks J-Web interface via the webauth_operation.php endpoint to achieve remote code execution.","title":"Juniper Networks J-Web Remote Code Execution Vulnerability Exploitation","url":"https://feed.craftedsignal.io/briefs/2024-01-juniper-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - SRX Series","version":"https://jsonfeed.org/version/1.1"}