CVE-2024-21585 in Junos OS
Summary
by MITRE • 01/12/2024
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
This issue only affects routers configured with non-stop routing (NSR) enabled. Graceful Restart (GR) helper mode, enabled by default, is also required for this issue to be exploitable.
When the BGP session flaps on the NSR-enabled router, the device enters GR-helper/LLGR-helper mode because the peer has negotiated the GR/LLGR-restarter capability; the backup BGP then requests replication of the GR/LLGR-helper session, and the master BGP schedules and initiates replication of the GR/LLGR stale routes to the backup BGP. In this state, if the BGP session with the BGP peer comes up again, unsolicited replication is initiated for the peer without cleaning up the ongoing GR/LLGR-helper mode replication. These two parallel instances of replication for the same peer lead to the assert if the BGP session flaps again.
This issue affects:
Juniper Networks Junos OS
* All versions earlier than 20.4R3-S9
* 21.2 versions earlier than 21.2R3-S7
* 21.3 versions earlier than 21.3R3-S5
* 21.4 versions earlier than 21.4R3-S5
* 22.1 versions earlier than 22.1R3-S4
* 22.2 versions earlier than 22.2R3-S3
* 22.3 versions earlier than 22.3R3-S1
* 22.4 versions earlier than 22.4R2-S2, 22.4R3
* 23.2 versions earlier than 23.2R1-S1, 23.2R2
Juniper Networks Junos OS Evolved
* All versions earlier than 21.3R3-S5-EVO
* 21.4 versions earlier than 21.4R3-S5-EVO
* 22.1 versions earlier than 22.1R3-S4-EVO
* 22.2 versions earlier than 22.2R3-S3-EVO
* 22.3 versions earlier than 22.3R3-S1-EVO
* 22.4 versions earlier than 22.4R2-S2-EVO, 22.4R3-EVO
* 23.2 versions earlier than 23.2R1-S1-EVO, 23.2R2-EVO
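Deciding whether a given device is affected means ordering Junos release strings correctly: a service release such as 21.4R3-S5 sorts after every plain build of 21.4R3, and the trailing build number (22.4R2-S1.3) only orders builds within the same release. The checker below is an added example written for this page, not Juniper tooling; it encodes the fixed releases exactly as listed above, treats branches below the lowest listed one as "all versions earlier than", and answers None for a branch the page does not mention (for example 21.1), rather than guessing. The version-string grammar it accepts is an assumption covering the common forms only.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases exactly as listed on this page for CVE-2024-21585.
# A release in a listed branch that sorts below every fixed release for that
# branch is affected. Branches below the lowest listed branch fall under
# "All versions earlier than ..." and are affected outright.
FIXED_JUNOS: Dict[str, List[str]] = {
    "20.4": ["20.4R3-S9"],
    "21.2": ["21.2R3-S7"],
    "21.3": ["21.3R3-S5"],
    "21.4": ["21.4R3-S5"],
    "22.1": ["22.1R3-S4"],
    "22.2": ["22.2R3-S3"],
    "22.3": ["22.3R3-S1"],
    "22.4": ["22.4R2-S2", "22.4R3"],
    "23.2": ["23.2R1-S1", "23.2R2"],
}
FIXED_EVO: Dict[str, List[str]] = {
    "21.3": ["21.3R3-S5-EVO"],
    "21.4": ["21.4R3-S5-EVO"],
    "22.1": ["22.1R3-S4-EVO"],
    "22.2": ["22.2R3-S3-EVO"],
    "22.3": ["22.3R3-S1-EVO"],
    "22.4": ["22.4R2-S2-EVO", "22.4R3-EVO"],
    "23.2": ["23.2R1-S1-EVO", "23.2R2-EVO"],
}

# Assumed grammar: YY.M R<n>[.<build>] [-S<n>[.<build>]] [-EVO]
# e.g. 22.4R2-S2, 21.4R3.8, 22.4R2-S1.3, 21.3R3-S5-EVO
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.(?P<rbuild>\d+))?"
    r"(?:-S(?P<s>\d+)(?:\.(?P<sbuild>\d+))?)?(?P<evo>-EVO)?$"
)

Key = Tuple[int, int, int, int, int]


def parse_version(version: str) -> Tuple[Key, bool]:
    """Return a sortable key and whether the string is a Junos OS Evolved release.

    Key order is (major, minor, R, S, build): a service release (-S<n>) sorts
    after every plain build of the same R release; the .<build> suffix orders
    builds within the same R or S release.
    """
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    s = int(m["s"]) if m["s"] else 0
    build = int(m["sbuild"] or m["rbuild"] or 0)
    key = (int(m["major"]), int(m["minor"]), int(m["r"]), s, build)
    return key, m["evo"] is not None


def _branch_key(branch: str) -> Tuple[int, int]:
    major, minor = branch.split(".")
    return int(major), int(minor)


def is_affected(version: str) -> Optional[bool]:
    """True/False when the table above answers the question, None when the
    branch is not listed on this page (it says nothing about that branch)."""
    key, evo = parse_version(version)
    table = FIXED_EVO if evo else FIXED_JUNOS
    branch = f"{key[0]}.{key[1]}"
    if branch in table:
        fixed_keys = [parse_version(v)[0] for v in table[branch]]
        # affected only if below every fixed release listed for the branch
        return all(key < fixed for fixed in fixed_keys)
    lowest = min(table, key=_branch_key)
    if (key[0], key[1]) < _branch_key(lowest):
        return True  # "All versions earlier than <lowest listed fix>"
    return None


if __name__ == "__main__":
    for v in ["21.4R3-S4", "21.4R3-S5", "22.4R2-S1.3", "22.4R3",
              "20.3R2-S1", "21.1R3-S2", "21.3R3-S4-EVO"]:
        print(f"{v:16s} affected={is_affected(v)}")
```

Feed it the output of `show version` from each router (the "Junos:" line) and escalate anything that returns True; treat None as "check the vendor advisory for that branch", since this page's list is the only source the checker knows.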
Analysis
by VulDB Data Team • 01/12/2024
CVE-2024-21585 is an improper handling of exceptional conditions (CWE-703) in the BGP session processing of Juniper Networks Junos OS and Junos OS Evolved. It affects only routers with non-stop routing (NSR) enabled and Graceful Restart (GR) helper mode active (the default), and it lets an unauthenticated, network-based attacker who can make a BGP session flap crash the routing protocol daemon (rpd), producing a denial of service. The attacker does not control the timing that makes a flap land in the vulnerable window, so a single attempt is unreliable; repeated flapping, however, will eventually hit it, and the advisory describes the resulting condition as sustained rather than one-off. The impact is availability only: nothing in the advisory suggests route injection, information disclosure or code execution.
The root cause is in how rpd replicates BGP state to the backup Routing Engine when NSR is enabled. A peer that has negotiated the GR or LLGR restarter capability is allowed to go down without its routes being withdrawn: the local router enters GR-helper/LLGR-helper mode and keeps the peer's routes as stale routes. On an NSR-enabled router the backup rpd requests replication of this helper session, and the master rpd schedules and starts replicating the stale routes to the backup. If the session to that peer comes back up while that replication is still in flight, rpd starts a second, unsolicited replication for the same peer without cancelling the first. Two replication instances now exist for one peer, and a further flap of the session trips an assertion, so rpd crashes and restarts. The defect is therefore a missing cleanup of in-progress helper-mode replication state on session re-establishment; no malformed BGP message is involved, only the sequence and timing of session state transitions. In ATT&CK terms the outcome maps to T1499.004 (Endpoint Denial of Service: Application or System Exploitation), in which a targeted interaction crashes a service, rather than to a volumetric network flood.
The operational impact is larger than the loss of one BGP session. rpd is the single routing daemon on Junos, so each crash and restart takes all routing protocol state on that Routing Engine down with it, forcing reconvergence and disrupting forwarding until sessions and routes are rebuilt; if the attacker keeps the session flapping, the crash loop becomes a sustained outage. The preconditions are not exotic: NSR with GR helper mode is a common high-availability configuration on edge and core routers, precisely where BGP carries inter-domain and customer connectivity. The affected versions cover every Junos OS branch from before 20.4 up to 23.2, and Junos OS Evolved from before 21.3 up to 23.2, so both long-lived and recent deployments are in scope.
Remediation is to upgrade to a fixed release from the list above for the branch in use. Exposure can be confirmed from the configuration: NSR is enabled under routing-options nonstop-routing, and GR helper mode is on unless it has been disabled under protocols bgp graceful-restart (helper-disable). Devices without NSR are not exposed to this issue, though they should still be brought to a supported release. The advisory text reproduced here lists no vendor workaround; disabling GR helper mode would remove one precondition, but it changes how the router behaves when a peer restarts, so it is an operational trade-off to weigh rather than a substitute for the upgrade. Until devices are patched, monitor rpd state-change logs for repeated BGP session flapping from a single peer and for rpd restarts and core dumps, since that pattern is what an attempt looks like; and limit who can reach BGP at all by accepting sessions only from configured peers and filtering TCP/179 at the loopback or edge. Test the fixed release in a lab against the production configuration before rolling it out, and review BGP hold timers and peer stability so that ordinary flaps are rare even once the bug is gone.
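The monitoring suggested above is easy to do from syslog, because every BGP state transition on Junos produces an rpd state-change message. The following is an added example, not code from the page or from Juniper: it parses such messages and reports any peer that left Established more than once inside a sliding window, which is the flapping pattern this issue requires. The message layout is written from memory of Junos logs (an assumption; compare it with a real line from your own routers before relying on it), and the sample lines, host name, addresses and AS numbers are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Assumed layout of the Junos rpd BGP state-change syslog message.
STATE_CHANGE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) rpd\[\d+\]: "
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) "
    r"\((?P<kind>\w+) AS (?P<asn>\d+)\) changed state from (?P<old>\w+) to (?P<new>\w+)"
)


def parse_state_change(line: str, year: int = 2024) -> Optional[dict]:
    """Parse one syslog line; return None for lines that are not BGP state changes.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = STATE_CHANGE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "peer": m["peer"],
            "asn": int(m["asn"]), "old": m["old"], "new": m["new"]}


def find_flapping_peers(lines: List[str], window_seconds: int = 300,
                        min_drops: int = 2) -> Dict[Tuple[str, str], int]:
    """Per (host, peer), count drops out of Established inside a sliding window.
    Returns the peak in-window count for every peer that reached min_drops."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        ev = parse_state_change(line)
        if ev is None or ev["old"] != "Established":
            continue  # only leaving Established counts as a flap
        key = (ev["host"], ev["peer"])
        q = recent[key]
        q.append(ev["ts"])
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # age out drops older than the window
        if len(q) >= min_drops:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


# Constructed sample: one external peer flaps three times in under four
# minutes, an internal peer drops once, and an unrelated sshd line is mixed in.
SAMPLE_LOG = [
    "Jan 12 10:00:05 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle (event RecvNotify) (instance master)",
    "Jan 12 10:00:40 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)",
    "Jan 12 10:01:50 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle (event RecvNotify) (instance master)",
    "Jan 12 10:02:20 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)",
    "Jan 12 10:03:30 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle (event RecvNotify) (instance master)",
    "Jan 12 10:03:31 r1 rpd[2391]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.2 (Internal AS 64500) changed state from Established to Idle (event HoldTime) (instance master)",
    "Jan 12 10:04:00 r1 sshd[5120]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2",
]


if __name__ == "__main__":
    for (host, peer), count in find_flapping_peers(SAMPLE_LOG).items():
        print(f"{host}: peer {peer} left Established {count} times within 300 s")
```

A peer that drops repeatedly in a few minutes is the signal to pair with rpd restart or core-dump messages from the same router; a single drop is ordinary operations and is deliberately not reported. Tune the window and threshold to the hold timers in use, since a 90 second hold time cannot produce flaps faster than that on its own.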