Beware of Denial of Service Attacks on Juniper Networks Junos OS Evolved Devices

CVE: CVE-2024-21604
CVSS (v3.1): 7.5
Source: CVE-2024-21604

Juniper Networks Junos OS Evolved is affected by a denial of service vulnerability that allows remote attackers to disrupt connectivity. The vulnerability, tracked as CVE-2024-21604 with a CVSS score of 7.5, exists in the kernel's resource allocation logic.

By sending a high rate of specific valid network packets, an unauthenticated attacker can overwhelm the routing engine component. This leads to the routing engine losing connection with other chassis parts, resulting in a complete system outage.

When exploited, log messages like “nf_conntrack: table full, dropping packet” may be observed.

Several older versions of Junos OS Evolved released in 2020-2022 are affected. This includes all versions before 20.4R3-S7-EVO as well as specific releases in 2021-2022.

To carry out an attack, hackers only need to generate a large volume of crafted packets towards a vulnerable device. Administrators are advised to apply the latest patches, install firewall filters to block suspicious traffic, and monitor devices for signs of overload. Proper maintenance and prompt patching help prevent service disruption from denial of service attacks.
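The "nf_conntrack: table full, dropping packet" message above is the one observable indicator the advisory gives, and monitoring for it is part of the recommended mitigation. The following is an added example (not from the advisory or from Juniper) that scans syslog-style lines for that message and flags any host that logs it in a burst; the log lines, the host names re0/re1 and the line format are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from a real device), assumed to be in
# the form "<ISO timestamp> <host> <process>: <message>". The conntrack line
# is the message the advisory says appears while the device is being flooded.
SAMPLE_LOG = """\
2024-01-10T12:00:01 re0 kernel: nf_conntrack: table full, dropping packet
2024-01-10T12:00:02 re0 kernel: nf_conntrack: table full, dropping packet
2024-01-10T12:00:02 re0 kernel: nf_conntrack: table full, dropping packet
2024-01-10T12:00:03 re0 sshd[1234]: Accepted publickey for admin from 10.0.0.5
2024-01-10T12:00:04 re0 kernel: nf_conntrack: table full, dropping packet
2024-01-10T12:05:00 re1 kernel: nf_conntrack: table full, dropping packet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
CONNTRACK_FULL = "nf_conntrack: table full, dropping packet"


def parse_line(line):
    """Split one syslog line into timestamp, host and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"], "msg": m["msg"]}


def find_conntrack_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {host: peak_count} for every host that logged at least
    `threshold` conntrack-full messages inside some `window`-long interval.
    A single message is noise; a burst is the overload signal to alert on."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["msg"] == CONNTRACK_FULL:
            events[rec["host"]].append(rec["ts"])
    alerts = {}
    for host, times in events.items():
        times.sort()
        start = 0  # left edge of the sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


if __name__ == "__main__":
    print(find_conntrack_bursts(SAMPLE_LOG))  # {'re0': 4}
```

With the sample data, re0 logs four table-full messages within a few seconds and is reported, while the single message from re1 five minutes later stays below the threshold.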
