CVE-2024-21587 in Junos OS
Summary
by MITRE • 01/12/2024
An Improper Handling of Exceptional Conditions vulnerability in the broadband edge subscriber management daemon (bbe-smgd) of Juniper Networks Junos OS on MX Series allows an attacker directly connected to the vulnerable system who repeatedly flaps DHCP subscriber sessions to cause a slow memory leak, ultimately leading to a Denial of Service (DoS). Memory can only be recovered by manually restarting bbe-smgd.
This issue only occurs if BFD liveness detection for DHCP subscribers is enabled. Systems without BFD liveness detection enabled are not vulnerable to this issue.
Indication of the issue can be observed by periodically executing the 'show system processes extensive' command, which will indicate an increase in memory allocation for bbe-smgd. A small amount of memory is leaked every time a DHCP subscriber logs in, which will become visible over time, ultimately leading to memory starvation.
user@junos> show system processes extensive | match bbe-smgd 13071 root 24 0 415M 201M select 0 0:41 7.28% bbe-smgd{bbe-smgd}
13071 root 20 0 415M 201M select 1 0:04 0.00% bbe-smgd{bbe-smgd}
... user@junos> show system processes extensive | match bbe-smgd 13071 root 20 0 420M 208M select 0 4:33 0.10% bbe-smgd{bbe-smgd}
13071 root 20 0 420M 208M select 0 0:12 0.00% bbe-smgd{bbe-smgd}
... This issue affects Juniper Networks Junos OS on MX Series:
* All versions earlier than 20.4R3-S9; * 21.2 versions earlier than 21.2R3-S7; * 21.3 versions earlier than 21.3R3-S5; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R3-S4; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R2-S2, 22.4R3; * 23.2 versions earlier than 23.2R1-S1, 23.2R2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/12/2024
The vulnerability described in CVE-2024-21587 represents a critical improper handling of exceptional conditions within the broadband edge subscriber management daemon of Juniper Networks Junos OS operating on MX Series routers. This flaw manifests as a memory leak that occurs specifically when BFD liveness detection for DHCP subscribers is enabled, creating a persistent degradation of system resources that ultimately results in denial of service. The vulnerability demonstrates a classic example of resource exhaustion through repeated exceptional conditions, where each DHCP subscriber login event contributes to a small but cumulative memory leak that becomes catastrophic over time. The technical implementation fails to properly manage memory allocation during session flap scenarios, leading to an accumulation of unreclaimed memory segments that cannot be recovered without manual intervention.
The operational impact of this vulnerability extends beyond simple resource consumption, as it directly compromises the availability of the broadband edge subscriber management service. Attackers with physical access to the vulnerable system can systematically exploit this weakness by repeatedly flapping DHCP subscriber sessions, causing progressive memory starvation that eventually forces the daemon to become unresponsive. The memory leak pattern is characterized by gradual increases in memory allocation as observed through the 'show system processes extensive' command, where the bbe-smgd process demonstrates growing memory usage from hundreds of megabytes to potentially gigabytes over extended periods. This behavior aligns with CWE-404, which addresses improper resource release or inadequate resource management, and represents a significant concern for network infrastructure reliability where continuous service availability is paramount.
The specific conditions required for exploitation highlight the importance of BFD liveness detection configuration in triggering the vulnerability, indicating that systems without this feature remain unaffected. This targeted nature suggests that the flaw exists in the exception handling mechanism within the DHCP subscriber session management code when BFD liveness detection is active, creating a scenario where session flap events trigger memory allocation without proper cleanup. The remediation path involves upgrading to specific patched versions of Junos OS, with each major release having its own patch threshold, demonstrating the complexity of managing security updates across multiple software versions. Organizations must implement comprehensive patch management procedures to address this vulnerability, as the manual restart requirement for memory recovery creates operational challenges in maintaining service availability. The vulnerability also maps to ATT&CK technique T1499.004, which covers network denial of service through resource exhaustion, making it a significant concern for network security teams responsible for maintaining service availability and preventing unauthorized disruption of network services.