CVE-2024-21596 in Junos OS

Summary

by MITRE • 01/12/2024

A Heap-based Buffer Overflow vulnerability in the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network based attacker to cause a Denial of Service (DoS).

If an attacker sends a specific BGP UPDATE message to the device, this will cause a memory overwrite and therefore an RPD crash and restart in the backup Routing Engine (RE). Continued receipt of these packets will cause a sustained Denial of Service (DoS) condition in the backup RE.

The primary RE is not impacted by this issue and there is no impact on traffic.

This issue only affects devices with NSR enabled.

This issue requires an attacker to have an established BGP session to a system affected by the issue. This issue affects both eBGP and iBGP implementations.

This issue affects:

Juniper Networks Junos OS

* All versions earlier than 20.4R3-S9;
* 21.2 versions earlier than 21.2R3-S7;
* 21.3 versions earlier than 21.3R3-S5;
* 21.4 versions earlier than 21.4R3-S5;
* 22.1 versions earlier than 22.1R3-S4;
* 22.2 versions earlier than 22.2R3-S2;
* 22.3 versions earlier than 22.3R3-S1;
* 22.4 versions earlier than 22.4R2-S2, 22.4R3;
* 23.1 versions earlier than 23.1R2;
* 23.2 versions earlier than 23.2R1-S2, 23.2R2.

Juniper Networks Junos OS Evolved

* All versions earlier than 21.3R3-S5-EVO;
* 21.4-EVO versions earlier than 21.4R3-S5-EVO;
* 22.1-EVO versions earlier than 22.1R3-S4-EVO;
* 22.2-EVO versions earlier than 22.2R3-S2-EVO;
* 22.3-EVO versions later than 22.3R1-EVO;
* 22.4-EVO versions earlier than 22.4R2-S2-EVO, 22.4R3-EVO;
* 23.1-EVO versions earlier than 23.1R2-EVO;
* 23.2-EVO versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO.
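A fleet triage check against the Junos OS list above, as an added example (not code from Juniper, MITRE or VulDB). It covers only the Junos OS list, not Junos OS Evolved; the inventory, host names and the `nsr_enabled` flag are constructed assumptions, and where a train lists two fixed releases the earlier one is used as the threshold.

```python
import re

# First fixed release per train, copied from the Junos OS list above:
# (major, minor) -> (R number, S number). 0 means "no service release".
FIXED = {
    (20, 4): (3, 9), (21, 2): (3, 7), (21, 3): (3, 5), (21, 4): (3, 5),
    (22, 1): (3, 4), (22, 2): (3, 2), (22, 3): (3, 1), (22, 4): (2, 2),
    (23, 1): (2, 0), (23, 2): (1, 2),
}
OLDEST_TRAIN = min(FIXED)  # "All versions earlier than 20.4R3-S9"

# Matches R releases such as 21.2R3, 21.2R3-S7 and 21.2R3-S7.4 (build suffix).
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(version):
    """Split '21.2R3-S7.4' into ((21, 2), (3, 7)); None if not an R release."""
    m = _VERSION.match(version.strip())
    if not m:
        return None  # -EVO and other release formats are out of scope here
    major, minor, rel, sr = m.groups()
    return (int(major), int(minor)), (int(rel), int(sr or 0))

def is_affected(version, nsr_enabled):
    """True or False per the list above; None when it cannot be decided."""
    if not nsr_enabled:
        return False  # the issue only affects devices with NSR enabled
    parsed = parse(version)
    if parsed is None:
        return None
    train, release = parsed
    if train < OLDEST_TRAIN:
        return True
    if train not in FIXED:
        return None  # train not named in the list (for example 21.1)
    return release < FIXED[train]

# Constructed inventory: (host, reported version, NSR enabled).
INVENTORY = [
    ("edge-a", "20.4R3-S8.2", True),
    ("edge-b", "22.4R3", True),
    ("core-a", "21.1R3-S4", True),
    ("core-b", "23.1R1", False),
]

def triage(inventory):
    """Map each host to its is_affected() result."""
    return {host: is_affected(ver, nsr) for host, ver, nsr in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, {True: "affected", False: "not affected", None: "review"}[result])
```

Hosts that come back as `None` need a manual check against the vendor advisory rather than being treated as safe.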


Analysis

by VulDB Data Team • 01/12/2024

The vulnerability identified as CVE-2024-21596 represents a heap-based buffer overflow within the Routing Protocol Daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved platforms. This flaw manifests as a denial of service condition that specifically targets the backup Routing Engine when certain BGP UPDATE messages are processed. The technical nature of the vulnerability stems from improper input validation within the RPD component, which fails to adequately sanitize incoming BGP messages before processing them in memory. This weakness allows an attacker to craft malicious packets that trigger memory corruption, leading to unexpected program termination and subsequent restart of the RPD service on the backup Routing Engine. The vulnerability is categorized under CWE-121 Heap-based Buffer Overflow, which is a well-documented class of memory safety issues that have been extensively studied in cybersecurity contexts.

The operational impact of this vulnerability is significant within environments that rely on network resilience features such as Non-Stop Routing (NSR) functionality. When NSR is enabled on affected devices, the backup Routing Engine becomes the primary target for exploitation, as it handles the failover process during routing protocol disruptions. The attack vector requires an established BGP session, meaning that the attacker must first gain access to a valid BGP peer relationship with the target device, which typically requires network connectivity and potentially some level of network reconnaissance. However, once this precondition is met, the attacker can repeatedly send specially crafted BGP UPDATE messages to cause sustained denial of service conditions on the backup RE, effectively disrupting the high availability features that organizations depend on for network stability. This vulnerability specifically impacts the backup Routing Engine while leaving the primary RE unaffected, creating a scenario where network traffic continues to flow but the system loses its ability to maintain redundant routing capabilities.

Mitigation strategies for CVE-2024-21596 should focus on immediate patch management and network segmentation to prevent unauthorized BGP sessions from being established. Organizations should prioritize upgrading their Junos OS and Junos OS Evolved devices to versions that contain the appropriate security fixes, as outlined in the vulnerability timeline provided. The affected versions span multiple release lines from 20.4 through 23.2, indicating that this vulnerability has been present across several major releases of the Junos operating system. Network administrators should also implement BGP session filtering and access control lists to limit which external peers can establish BGP sessions with their routing infrastructure. Additionally, monitoring systems should be configured to detect unusual patterns of BGP UPDATE messages that could indicate exploitation attempts, as this vulnerability follows a predictable attack pattern that can be identified through behavioral analysis. The ATT&CK framework categorizes this type of vulnerability under T1499 - Endpoint Termination, where adversaries exploit software vulnerabilities to cause system disruptions, and T1566 - Phishing, as attackers may need to establish initial BGP sessions through network reconnaissance or social engineering tactics. Organizations should also consider implementing redundant routing protocols and ensuring that their network monitoring tools are capable of detecting and alerting on abnormal routing behavior that could indicate exploitation of this vulnerability.

Reservation: 12/27/2023

Disclosure: 01/12/2024

Moderation: accepted

CPE: ready

EPSS: 0.00543

KEV: no

Activities: very low
