The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given a November 17, 2023, deadline for federal agencies and organizations to apply mitigations to secure against a number of security flaws in Juniper Junos OS that came to light in August.
The agency on Monday added five vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -
- CVE-2023-36844 (CVSS score: 5.3) - Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
- CVE-2023-36845 (CVSS score: 5.3) - Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
- CVE-2023-36846 (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
- CVE-2023-36847 (CVSS score: 5.3) - Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
- CVE-2023-36851 (CVSS score: 5.3) - Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
The vulnerabilities, per Juniper, could be fashioned into an exploit chain to achieve remote code execution on unpatched devices. Also added to the list is CVE-2023-36851, which has been described as a variant of the SRX upload flaw.
Juniper, in an update to its advisory on November 8, 2023, said it's "now aware of successful exploitation of these vulnerabilities," recommending that customers update to the latest versions with immediate effect.
The details surrounding the nature of the exploitation are currently unknown.
In a separate alert, CISA has also warned that the Royal ransomware gang may rebrand as BlackSuit owing to the fact that the latter shares a "number of identified coding characteristics similar to Royal."
The development comes as Cyfirma disclosed that exploits for critical vulnerabilities are being offered for sale on darknet forums and Telegram channels.
"These vulnerabilities encompass elevation of privilege, authentication bypass, SQL injection, and remote code execution, posing significant security risks," the cybersecurity firm said, adding, "ransomware groups are actively searching for zero-day vulnerabilities in underground forums to compromise a large number of victims."
It also follows revelations from Huntress that threat actors are targeting multiple healthcare organizations by abusing the widely-used ScreenConnect remote access tool used by Transaction Data Systems, a pharmacy management software provider, for initial access.
"The threat actor proceeded to take several steps, including installing additional remote access tools such as ScreenConnect or AnyDesk instances, to ensure persistent access to the environments," Huntress noted.