CVE-2024-30387 in Junos OS
Summary
by MITRE • 04/12/2024
A Missing Synchronization vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on ACX5448 and ACX710 allows an unauthenticated, adjacent attacker to cause a Denial-of-Service (DoS).
If an interface flaps while the system gathers statistics on that interface, two processes simultaneously access a shared resource which leads to a PFE crash and restart.
This issue affects Junos OS:
All versions before 20.4R3-S9,
21.2 versions before 21.2R3-S5,
21.3 versions before 21.3R3-S5,
21.4 versions before 21.4R3-S4,
22.1 versions before 22.1R3-S2,
22.2 versions before 22.2R3-S2,
22.3 versions before 22.3R2-S2, 22.3R3,
22.4 versions before 22.4R2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/07/2025
The vulnerability identified as CVE-2024-30387 represents a critical Missing Synchronization issue within the Packet Forwarding Engine of Juniper Networks Junos OS operating on ACX5448 and ACX710 platforms. This flaw manifests as a race condition where two distinct processes attempt to access a shared resource simultaneously when interface flapping occurs during statistics gathering operations. The fundamental technical weakness lies in the absence of proper synchronization mechanisms between these concurrent processes, creating a scenario where resource contention leads to system instability. The vulnerability specifically targets the PFE component which handles packet forwarding operations, making it particularly dangerous for network infrastructure devices that require continuous operation.
The operational impact of this vulnerability extends beyond simple service disruption to encompass complete system restarts and network outages. When an adjacent attacker triggers interface flapping conditions while statistics collection is active, the system experiences a deterministic crash pattern that results in PFE restarts. This behavior creates a denial-of-service condition that can be exploited repeatedly to maintain network disruption. The vulnerability's adjacency requirement means that exploitation necessitates physical or logical network access to the affected device, but does not require authentication credentials, making it accessible to attackers within the same network segment. The timing aspect of the flaw - specifically during statistics gathering operations - indicates that this vulnerability can be triggered through normal network operations or through deliberate stress testing.
Network administrators face significant operational challenges when addressing this vulnerability due to its potential for cascading failures across network infrastructure. The PFE crash and restart cycle can lead to temporary loss of packet forwarding capabilities, potentially causing network partitions or complete service outages depending on the network topology and device role. Organizations running affected Junos OS versions must consider the broader implications for their network reliability and availability, particularly in mission-critical environments where continuous operation is essential. The vulnerability affects multiple version branches of Junos OS, requiring comprehensive patch management strategies across different software releases and maintenance cycles.
Mitigation strategies for CVE-2024-30387 should prioritize immediate patch deployment across all affected Junos OS versions, with particular attention to the specific maintenance release requirements mentioned in the advisory. Network administrators should implement monitoring solutions to detect interface flapping conditions that could trigger the vulnerability, as well as establish incident response procedures for rapid deployment of patches during maintenance windows. The vulnerability aligns with CWE-362, which describes "Race Condition," and maps to ATT&CK technique T1499.004 for "Endpoint Denial of Service" within the context of network infrastructure devices. Organizations should also consider implementing network segmentation and access controls to limit adjacency access to critical network equipment, while maintaining regular vulnerability assessments to identify similar synchronization issues in other network components. The remediation process requires careful planning to minimize service disruption while ensuring complete protection against this specific race condition vulnerability.