CVE-2024-30386 in Junos OSinfo

Summary

by MITRE • 04/12/2024

A Use-After-Free vulnerability in the Layer 2 Address Learning Daemon (l2ald)

of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, adjacent attacker to cause l2ald to crash leading to a Denial-of-Service (DoS).

In an EVPN-VXLAN scenario, when

state updates are received and processed by the affected system, the correct order of some processing steps is not ensured, which can lead to an l2ald crash and restart. Whether the crash occurs depends on system internal timing which is outside the attackers control. This issue affects:

Junos OS: 



* All versions before 20.4R3-S8, * 21.2 versions before 21.2R3-S6, * 21.3 versions before 21.3R3-S5, * 21.4 versions before 21.4R3-S4, * 22.1 versions before 22.1R3-S3, * 22.2 versions before 22.2R3-S1, * 22.3 versions before 22.3R3,, * 22.4 versions before 22.4R2;




Junos OS Evolved: 



* All versions before 20.4R3-S8-EVO, * 21.2-EVO versions before 21.2R3-S6-EVO,  * 21.3-EVO

versions before 21.3R3-S5-EVO, * 21.4-EVO

versions before 21.4R3-S4-EVO, * 22.1-EVO

versions before 22.1R3-S3-EVO, * 22.2-EVO

versions before 22.2R3-S1-EVO, * 22.3-EVO

versions before 22.3R3-EVO, * 22.4-EVO

versions before 22.4R2-EVO.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 02/07/2025

The vulnerability described in CVE-2024-30386 represents a critical use-after-free condition within the Layer 2 Address Learning Daemon (l2ald) of Juniper Networks Junos OS and Junos OS Evolved platforms. This flaw manifests specifically within EVPN-VXLAN environments where state updates are processed, creating a scenario where the daemon's memory management becomes compromised due to improper sequencing of processing steps. The underlying technical issue stems from inadequate synchronization mechanisms that fail to maintain proper execution order during state update handling, resulting in memory access violations that ultimately trigger daemon crashes. Such behavior aligns with CWE-416, which defines use-after-free vulnerabilities as a class of memory safety issues where freed memory is accessed, potentially leading to system instability or exploitation.

The operational impact of this vulnerability extends beyond simple service disruption, as it creates a predictable denial-of-service condition that can be exploited by adjacent attackers without authentication requirements. The attack vector requires physical or network proximity to the affected device, making it particularly concerning for environments where network segmentation is insufficient or where attackers can establish lateral movement within network perimeters. The timing-dependent nature of the crash occurrence, as noted in the vulnerability description, suggests that the vulnerability's exploitation may require specific conditions or sequences of events that align with internal system processing states. This characteristic places the vulnerability in the ATT&CK framework under the Tactic of Execution and the Technique of Exploitation for Privilege Escalation, though the specific nature of the vulnerability limits its exploitation to DoS rather than more severe compromise scenarios.

The affected product lines encompass a broad range of Junos OS and Junos OS Evolved versions, spanning multiple release branches and service pack levels, indicating that this represents a widespread issue affecting various deployment scenarios. The vulnerability's presence across different major versions demonstrates that the underlying memory management flaw has persisted through multiple development cycles, suggesting either inadequate code review processes or insufficient testing of state update handling mechanisms. Organizations running affected systems face significant operational risks, as the l2ald daemon is integral to Layer 2 address learning functionality within VXLAN networks, meaning that any disruption to this service directly impacts network connectivity and forwarding decisions. The restart behavior following the crash creates additional operational challenges, as it may cause temporary network disruption during the recovery process, potentially affecting services that depend on stable Layer 2 forwarding behavior.

Mitigation strategies should focus on immediate patching of affected systems to the recommended service pack levels, as these releases contain the necessary code modifications to address the improper processing order that leads to memory corruption. Network administrators should prioritize updating systems in production environments, particularly those handling EVPN-VXLAN traffic, as these configurations are most likely to trigger the vulnerable code paths. Additional operational mitigations include implementing network segmentation to limit adjacent attack vectors and monitoring for unusual daemon restart patterns that may indicate exploitation attempts. The vulnerability's classification as a use-after-free condition also suggests that implementing memory safety techniques such as address sanitization or heap verification tools could provide additional protection against similar issues. Organizations should also consider implementing network access controls to limit physical and network proximity to affected devices, as the vulnerability requires an adjacent attacker to exploit successfully. The timing-dependent nature of the crash indicates that this vulnerability may be more easily triggered under specific network load conditions or during periods of high state update activity, making performance monitoring and anomaly detection particularly important for early identification of potential exploitation attempts.

Reservation

03/26/2024

Disclosure

04/12/2024

Moderation

accepted

CPE

ready

EPSS

0.00267

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!