/
juniper_networks_remote_code_execution_exploit_detection.yml
72 lines (72 loc) · 4.2 KB
/
juniper_networks_remote_code_execution_exploit_detection.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
name: Juniper Networks Remote Code Execution Exploit Detection
id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e
version: 1
date: '2023-08-29'
author: Michael Haag, Splunk
status: production
type: TTP
data_source:
- Suricata
description: The following analytic detects the exploitation of a remote code execution vulnerability in Juniper Networks devices. The vulnerability involves multiple steps, including uploading a malicious PHP file and an INI file to the target server, and then executing the PHP code by manipulating the PHP configuration via the uploaded INI file. The analytic specifically looks for requests to /webauth_operation.php?PHPRC=*, which are used to upload the files and execute the code, respectively. This behavior is worth identifying for a SOC because it indicates that an attacker is attempting to exploit the vulnerability to gain unauthorized access to the device and execute arbitrary code. If a true positive is found, it suggests that an attacker has successfully exploited the vulnerability and may have gained control over the device, leading to data theft, network compromise, or other damaging outcomes. Upon triage, review the request parameters and the response to determine if the exploitation was successful. Capture and inspect any relevant network traffic and server logs to identify the attack source. This approach helps analysts detect potential threats earlier and mitigate the risks.
search: '| tstats count min(_time) as firstTime max(_time)
as lastTime from datamodel=Web where Web.url IN ("*/webauth_operation.php?PHPRC=*") Web.status=200
by Web.http_user_agent, Web.status Web.http_method, Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `juniper_networks_remote_code_execution_exploit_detection_filter`'
how_to_implement: To implement this search, ensure that the Web data model is populated. The search is activated when the Web data model is accelerated. Network products, such as Suricata or Palo Alto, need to be mapped to the Web data model. Adjust the mapping as necessary to suit your specific products.
known_false_positives: Be aware of potential false positives - legitimate uses of the /webauth_operation.php endpoint may cause benign activities to be flagged.The URL in the analytic is specific to a successful attempt to exploit the vulnerability. Review contents of the HTTP body to determine if the request is malicious. If the request is benign, add the URL to the whitelist or continue to monitor.
references:
- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-36844.yaml
- https://thehackernews.com/2023/08/new-juniper-junos-os-flaws-expose.html
- https://github.com/watchtowrlabs/juniper-rce_cve-2023-36844
- https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
- https://vulncheck.com/blog/juniper-cve-2023-36845
tags:
analytic_story:
- Juniper JunOS Remote Code Execution
cve:
- CVE-2023-36844
- CVE-2023-36845
- CVE-2023-36846
- CVE-2023-36847
asset_type: Web Server
atomic_guid: []
confidence: 80
impact: 90
message: 'This analytic has identified a potential exploitation of a remote code execution vulnerability in Juniper Networks devices on $dest$ on the URL $url$ used for the exploit.'
observable:
- name: dest
type: Hostname
role:
- Victim
- name: url
type: URL String
role:
- Attacker
mitre_attack_id:
- T1190
- T1105
- T1059
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 72
required_fields:
- Web.http_user_agent
- Web.status
- Web.http_method
- Web.url
- Web.url_length
- Web.src
- Web.dest
- sourcetype
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/juniper/suricata_junos_cvemegazord.log
source: suricata
sourcetype: suricata