Juniper Networks has released security updates to patch 12 critical vulnerabilities affecting the widely used Junos OS and Junos OS Evolved platforms.
These newly disclosed security vulnerabilities affect multiple hardware models and pose significant risks to Juniper networking devices, especially from Denial of Service (DoS) attacks. Many of these flaws can be exploited by unauthenticated, network-based attackers without needing prior access.
CVE-2024-47489
A flaw in the Packet Forwarding Engine (PFE) allows an unauthenticated attacker to send specific protocol traffic, filling up the DDoS protection queue. This creates a DoS condition on downstream devices. A network-based attacker could exploit this vulnerability without needing any specific routing protocol to be enabled.
Juniper has provided workarounds and monitoring commands to help administrators identify potential signs of exploitation, such as monitoring the DDoS protection queue or system processes.
show evo-pfemand host pkt-stats
show host-path ddos all-policers
CVE-2024-47490
This vulnerability allows a network-based attacker to cause a significant resource consumption issue within the Packet Forwarding Engine (PFE) on ACX 7000 Series devices. By sending specific MPLS packets, the attacker can exhaust system resources, eventually resulting in a DoS.
CVE-2024-47491
Another vulnerability in the Routing Protocol Daemon (RPD) can be exploited by sending malformed BGP UPDATE packets. This causes the RPD to crash and restart repeatedly, leading to a sustained Denial of Service (DoS). As this attack can be triggered over an established BGP session, it makes the network susceptible to continuous service interruptions.
CVE-2024-47493
This vulnerability, found in the SRX5K, SRX4600, and MX Series platforms, involves memory leaks caused by continuous physical interface flaps. Over time, this results in memory exhaustion and ultimately leads to the device crashing.
CVE-2024-47497
In the HTTP daemon of several Juniper device series, including the SRX, QFX, MX, and EX Series, an attacker can trigger resource exhaustion by sending specific HTTPS connection requests. Over time, this overloads the process and crashes the device.
For CVE-2024-47497, check system processes related to the HTTP daemon:
show system processes extensive | match mgd | count
CVE-2024-47499
An unauthenticated attacker can exploit improper checks in the Routing Protocol Daemon (RPD), causing devices to crash and restart. By leveraging a malformed BGP Monitoring Protocol (BMP) update, the attacker can overwhelm the device’s control plane, leading to a DoS situation.
CVE-2024-47502
This flaw involves the Border Gateway Protocol (BGP) on affected Juniper devices. An attacker can manipulate an established BGP session by sending crafted BGP messages, which could cause the Routing Protocol Daemon (RPD) to become unstable, leading to a crash.
Exploiting this vulnerability could result in a DoS condition, as the device’s routing daemon will continuously restart and fail to handle routing updates, disrupting overall network operations.
CVE-2024-47498
A Denial-of-Service (DoS) vulnerability exists in Junos OS Evolved on the QFX5000 Series, where configuration statements meant to limit MAC learning and MAC moves do not take effect. This flaw allows an unauthenticated adjacent attacker to overwhelm the control plane, impacting legitimate traffic processing.
Affected versions: All versions before 21.4R3-S8-EVO, 22.2-EVO before 22.2R3-S5-EVO, 22.4-EVO before 22.4R3-EVO, and 23.2-EVO before 23.2R2-EVO.
You can monitor abnormal MAC learning patterns and control plane overload by using the command:
user@host> show mac-learning statistics
CVE-2024-47499
A flaw in the routing protocol daemon (RPD) in Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker to cause a DoS. This occurs when a BGP Monitoring Protocol (BMP) session receives a malformed AS PATH attribute, resulting in an RPD crash.
Affected Versions: Junos OS and Junos OS Evolved across multiple versions, including all versions before 21.2R3-S8 and 22.4R3-S2.
You can check for BGP session instability or RPD crashes using the command:
user@host> show rpd statistics
CVE-2024-47502
A resource exhaustion vulnerability exists in the Junos OS Evolved kernel, where terminated TCP sessions are not properly cleared, leading to resource depletion and preventing new connections to the control plane.
Affected Versions: Junos OS Evolved versions before 21.4R3-S9-EVO, 22.2R3-S4-EVO, and 23.4R2-EVO.
Monitor system connections to identify a growing number of inactive TCP sessions:
user@host> show system connections
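The symptom described above is a session table that only grows, so a single snapshot says little; comparing two samples taken some time apart does. The following is an added example (not Juniper's tooling): it parses two constructed, netstat-style samples of `show system connections` output (the column layout is an assumption) and flags growth in states that a healthy TCP stack frees on its own.

```python
import re
from collections import Counter

# Constructed sample of "show system connections" output (not real device output);
# columns assumed: Proto Recv-Q Send-Q Local-Address Foreign-Address State.
BASELINE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.1.22            10.0.0.5.51234         ESTABLISHED
tcp4       0      0  10.0.0.1.830           10.0.0.7.40001         ESTABLISHED
tcp4       0      0  10.0.0.1.22            10.0.0.5.51200         TIME_WAIT
tcp4       0      0  *.22                   *.*                    LISTEN
"""

LATER = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.1.22            10.0.0.5.51234         ESTABLISHED
tcp4       0      0  10.0.0.1.830           10.0.0.7.40001         ESTABLISHED
tcp4       0      0  10.0.0.1.22            10.0.0.9.51300         CLOSE_WAIT
tcp4       0      0  10.0.0.1.22            10.0.0.9.51301         CLOSE_WAIT
tcp4       0      0  10.0.0.1.22            10.0.0.9.51302         TIME_WAIT
tcp4       0      0  10.0.0.1.22            10.0.0.9.51303         TIME_WAIT
tcp4       0      0  *.22                   *.*                    LISTEN
"""

# States a healthy stack clears by itself; growth here between samples is the
# symptom described for CVE-2024-47502 (terminated sessions never freed).
STALE_STATES = {"CLOSE_WAIT", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK", "CLOSING"}
LINE = re.compile(r"^(tcp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$")

def count_states(output: str) -> Counter:
    """Count TCP sessions per state; header and non-TCP lines are ignored."""
    counts = Counter()
    for line in output.splitlines():
        m = LINE.match(line)
        if m:
            counts[m.group(4)] += 1
    return counts

def stale_growth(before: str, after: str) -> dict:
    """Per-state increase of stale sessions between two samples (increases only)."""
    b, a = count_states(before), count_states(after)
    return {s: a[s] - b[s] for s in STALE_STATES if a[s] - b[s] > 0}

def should_alert(before: str, after: str, threshold: int = 3) -> bool:
    """Alert when total stale-session growth between samples reaches the threshold."""
    return sum(stale_growth(before, after).values()) >= threshold
```

On a live device the two strings would be successive captures of the command output; the threshold is a placeholder to tune against the device's normal churn.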
CVE-2024-47503
This vulnerability allows a sequence of specific Protocol Independent Multicast (PIM) packets to cause a flowd crash, leading to a service interruption in Junos OS on SRX4600 and SRX5000 Series.
Affected Versions: Versions prior to 21.4R3-S9 and 23.4R2.
Detection: Check logs for flowd crashes or restarts using:
user@host> show log messages | match "flowd"
CVE-2024-47504
An unauthenticated attacker can send a specially crafted packet to a non-clustered SRX5000 device, leading to a flowd crash and restart.
Affected Versions: Junos OS releases prior to 22.2R3-S5, 23.4R2, and 24.2R1-S1.
Monitor for unexpected flowd crashes by checking logs with:
user@host> show log flowd
CVE-2024-47505
A GUID resource leak in the PFE management daemon (evo-pfemand) in Junos OS Evolved can lead to a crash of the Forwarding Processor Card (FPC). The leak is triggered by specific SNMP GET operations or low-privileged CLI commands.
All versions before 22.4R2-EVO are affected.
Monitor for GUID exhaustion using the command:
user@host> show platform application-info allocations app evo-pfemand/evo-pfemand
CVE-2024-47506
When processing large traffic volumes for ATP Cloud inspection, a deadlock in the packet forwarding engine of the SRX Series can cause a crash and restart of the PFE.
All versions prior to 22.2R2 are affected.
Monitor PFE restarts by checking system logs for related messages:
user@host> show log messages | match "PFE restart"
CVE-2024-47507
This vulnerability allows a BGP peer to send an aggregator attribute with an ASN value of zero (0), potentially affecting downstream BGP peers’ integrity.
Junos OS and Junos OS Evolved versions before 22.2R3-S4 are affected.
Check BGP logs for aggregator issues or ASN mismatches:
user@host> show bgp neighbor <neighbor-address> received-routes | match "Aggregator"
CVE-2024-47508 & CVE-2024-47509
Both vulnerabilities affect the PFE management daemon (evo-pfemand), leading to resource exhaustion and FPC crashes. These leaks occur during specific SNMP GET operations or low-privileged CLI commands.
Junos OS Evolved versions before 21.4R2-EVO and 22.1R2-EVO are affected.
You can monitor GUID allocations using:
user@host> show platform application-info allocations app evo-pfemand/evo-pfemand