Recently, a new security vulnerability was discovered that affects several Juniper Networks Junos OS and Junos OS Evolved Routing Protocol Daemon (RPD) versions. The vulnerability, known as CVE-2024-21598, is caused by an improper validation of syntactic correctness of input and allows a network-based, unauthenticated attacker to cause a denial of service (DoS) situation.

The Vulnerability

When a Border Gateway Protocol (BGP) update is received over an established BGP session containing a tunnel encapsulation attribute with a specifically malformed Type-Length-Value (TLV), the RPD of the affected networks will crash and restart. This issue potentially impacts several versions of Juniper Networks Junos OS, as well as Junos OS Evolved.

An attacker can exploit this vulnerability without needing authentication and can cause a denial of service condition, impacting the availability and functionality of the network.

A detailed list of affected Juniper Networks Junos OS and Junos OS Evolved versions can be found in the original advisory here.

Original References

For further information, please refer to the official Juniper Networks Security Advisory (JSA) JSA11251 and JSA79095.

Exploit Details

To exploit this vulnerability, an attacker needs to send a specially crafted BGP update with a malformed TLV. Below is a code snippet demonstrating an example of the faulty TLV:

# Example of a malformed TLV: the Length field is incorrect
tunnel_encapsulation_attr = [
    (TUNNEL_ENCAPSULATION_SUBTLV_DESCRIPTION, "Malformed TLV"),
    (TUNNEL_ENCAPSULATION_SUBTLV_LENGTH, xFFFF),
    (TUNNEL_ENCAPSULATION_SUBTLV_VALUE, "\x01\x02\x03\x04"),
]

If RPD receives a BGP update containing such a malformed TLV, it will crash and restart, causing a denial of service situation.

How to Mitigate the Vulnerability

Juniper Networks has released software updates to fix this issue, as described in the JSA11251 advisory. Affected users are advised to update their systems to the fixed versions. For a comprehensive list of fixed versions, please refer to the advisory here.

Conclusion

CVE-2024-21598 is a critical vulnerability that affects several Juniper Networks Junos OS and Junos OS Evolved versions, allowing an attacker to cause a denial of service situation in the network. Users are advised to apply the appropriate software updates from Juniper Networks as soon as possible to protect their systems from potential attacks.

Timeline

Published on: 04/12/2024 15:15:23 UTC
Last modified on: 05/16/2024 20:15:08 UTC