CVE-2017-2343
📋 TL;DR
CVE-2017-2343 is a critical vulnerability in the Integrated User Firewall (UserFW) feature of Juniper SRX Series firewalls: the UserFW authentication API contains hardcoded credentials. An attacker who can reach that API on a vulnerable device can authenticate with those credentials, fully compromise the SRX, and potentially gain administrative control over the Active Directory servers the SRX is integrated with. Only SRX Series devices running the affected Junos OS releases with UserFW enabled are exposed.
💻 Affected Systems
- Juniper SRX Series
📦 What is this software?
Junos by Juniper
Junos OS is Juniper Networks' flagship network operating system running on enterprise routers, switches, security appliances, and data center infrastructure worldwide. Deployed across telecommunications providers, ISPs, cloud service providers, financial institutions, and large enterprises, Junos po...
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of SRX firewall and administrative takeover of integrated Active Directory domains, leading to credential theft, lateral movement across enterprise networks, and compromise of email, database, and other critical services.
Likely Case
SRX device compromise leading to firewall policy bypass, network traffic interception, and potential access to integrated authentication systems.
If Mitigated
Limited impact if UserFW is not configured (the vulnerable authentication API is then not in use) or if network segmentation keeps the API unreachable from untrusted hosts and isolates SRX devices from critical infrastructure.
🎯 Exploit Status
Exploitation is straightforward for anyone who can reach the UserFW authentication API on a vulnerable device: the hardcoded credentials are accepted as valid, so no legitimate account or prior access is needed. Network reachability to the service is the only requirement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Junos OS 12.3X48-D35 or later; 15.1X49-D50 or later (as listed on this page; confirm the exact affected and fixed builds against the vendor advisory below, which is authoritative)
Vendor Advisory: https://kb.juniper.net/JSA10791
Restart Required: Yes
Instructions:
1. Back up the running configuration and download the appropriate Junos OS package for your SRX platform from the Juniper support portal.
2. Upload the package to the SRX device (for example to /var/tmp).
3. Install it with 'request system software add <package>' (append 'reboot' to reboot automatically after installation; in a chassis cluster, follow Juniper's cluster upgrade procedure for your release).
4. Reboot the device after installation, then confirm the new release with 'show version'.
🔧 Temporary Workarounds
Disable UserFW Feature
Temporarily disable the Integrated User Firewall feature so the vulnerable authentication API is not in use. The UserFW Active Directory integration is configured under 'services user-identification' (the same hierarchy the verification commands below query); deactivating keeps the configuration in place for re-enabling after patching, whereas delete removes it:
deactivate services user-identification active-directory-access
commit
Restrict Access to UserFW Service
Limit which hosts can reach the UserFW authentication service on the SRX. Note that a host-inbound-traffic system-services statement permits the named service on that zone rather than restricting it, so it belongs only on the trusted zone, must be absent from untrusted zones, and should be paired with a loopback (lo0) firewall filter that accepts the service only from the expected client addresses:
set security zones security-zone trust host-inbound-traffic system-services user-identification
Check the exact system-services keyword for your release with CLI completion ('?') and verify the result with 'show security zones'.
🧯 If You Can't Patch
- Immediately disable the Integrated User Firewall feature if not required
- Implement strict network segmentation to isolate SRX devices from Active Directory servers and other critical infrastructure
🔍 How to Verify
Check if Vulnerable:
1. Confirm the Integrated User Firewall is configured: show configuration services user-identification. An empty result means the vulnerable feature is not in use.
2. If it is configured, confirm it is active: show services user-identification active-directory-access domain-controller status extensive (a domain controller in 'Connected' state means the feature is live).
3. Then compare the running release against the fixed releases listed in the Fix section.
Check Version:
show version | match Junos
Verify Fix Applied:
show version should report 12.3X48-D35 or later on the 12.3X48 branch, or 15.1X49-D50 or later on the 15.1X49 branch, per the releases listed above. Junos X releases compare within a branch by the D build number (15.1X49-D45 is earlier than 15.1X49-D50); confirm the exact fixed builds against the vendor advisory.
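As an added example (not code from the original page or from Juniper), the script below applies the two checks above to `show version` and `show configuration services user-identification` output collected from a fleet of SRX devices, and handles both the newer `Junos: ...` and older `JUNOS Software Release [...]` version lines. The fixed builds are the ones this page lists and must be confirmed against the advisory; the function names are this example's own, and the sample output at the bottom is constructed, not captured from a real device.

```python
import re

# Fixed releases as listed in this page's Fix section (12.3X48-D35, 15.1X49-D50).
# Confirm them against JSA10791 before relying on this script; the advisory is authoritative.
FIXED_RELEASES = {
    ("12.3", "48"): (35, 0),
    ("15.1", "49"): (50, 0),
}

# Junos "X" release format: <major>.<minor>X<branch>-D<build>[.<spin>], e.g. 15.1X49-D45.3
JUNOS_X_RELEASE = re.compile(
    r"(?P<train>\d+\.\d+)X(?P<branch>\d+)-D(?P<build>\d+)(?:\.(?P<spin>\d+))?"
)


def parse_release(show_version_output):
    """Return the release string from 'show version' output, or None.

    Newer releases print 'Junos: 15.1X49-D45.3'; older ones print
    'JUNOS Software Release [12.3X48-D30.7]'.
    """
    for line in show_version_output.splitlines():
        line = line.strip()
        m = (re.match(r"Junos:\s+(\S+)$", line)
             or re.match(r"JUNOS Software Release \[(\S+)\]$", line))
        if m:
            return m.group(1)
    return None


def classify_release(release):
    """Compare a release against the fixed build for its branch.

    Returns 'fixed', 'vulnerable', 'branch-not-listed' (an X branch this page
    does not list, so consult the advisory) or 'unrecognised' (not an X release).
    """
    m = JUNOS_X_RELEASE.fullmatch(release)
    if m is None:
        return "unrecognised"
    key = (m.group("train"), m.group("branch"))
    if key not in FIXED_RELEASES:
        return "branch-not-listed"
    # Within a branch, releases order by D build, then by the spin after the dot.
    build = (int(m.group("build")), int(m.group("spin") or 0))
    return "fixed" if build >= FIXED_RELEASES[key] else "vulnerable"


def userfw_configured(config_output):
    """True if 'show configuration services user-identification' contains the
    active-directory-access stanza, i.e. the Integrated User Firewall is configured."""
    return "active-directory-access" in config_output


def triage(show_version_output, config_output):
    """Exposure requires both a vulnerable release and UserFW configured."""
    release = parse_release(show_version_output)
    status = classify_release(release) if release else "unrecognised"
    configured = userfw_configured(config_output)
    return {
        "release": release,
        "release_status": status,
        "userfw_configured": configured,
        "exposed": status == "vulnerable" and configured,
    }


if __name__ == "__main__":
    # Constructed sample output (not captured from a real device).
    sample_version = """Hostname: srx-edge-1
Model: srx345
Junos: 15.1X49-D45.3
JUNOS Software Release [15.1X49-D45.3]
"""
    sample_config = """active-directory-access {
    domain corp.example {
        domain-controller dc1 {
            address 192.0.2.10;
        }
    }
}
"""
    print(triage(sample_version, sample_config))
```

A device on an X branch the page does not list is reported as `branch-not-listed` rather than `fixed`, so it is not silently waved through; check those against the advisory by hand.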
📡 Detection & Monitoring
Log Indicators:
- Requests to the UserFW authentication API on the SRX from hosts other than the expected clients
- Logons on the domain controllers by the account the SRX uses for Active Directory access (Windows Event ID 4624) from source addresses other than the SRX, or at times when the SRX was not polling
- Configuration commits on the SRX that change security policies or user-identification settings outside change windows
Network Indicators:
- Traffic from the SRX to the domain controllers that does not match its normal polling pattern
- Connections to the UserFW service on the SRX from unexpected sources
SIEM Query:
source="SRX-Firewall" AND (event="user-identification" OR event="active-directory-access") AND status="Connected"
This query only confirms that UserFW is in use, which is useful for scoping exposure; it does not detect exploitation. The field names are placeholders and must be mapped to your SIEM's schema for Junos syslog before use.