CVE-2024-30391 in Junos OS
Summary
by MITRE • 04/12/2024
A Missing Authentication for Critical Function vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an unauthenticated network-based attacker to cause limited impact to the integrity or availability of the device.
If a device is configured with IPsec authentication algorithm hmac-sha-384 or hmac-sha-512, tunnels are established normally but for traffic traversing the tunnel no authentication information is sent with the encrypted data on egress, and no authentication information is expected on ingress. So if the peer is an unaffected device transit traffic is going to fail in both directions. If the peer is an also affected device transit traffic works, but without authentication, and configuration and CLI operational commands indicate authentication is performed. This issue affects Junos OS:
All versions before 20.4R3-S7,
21.1 versions before 21.1R3,
21.2 versions before 21.2R2-S1, 21.2R3,
21.3 versions before 21.3R1-S2, 21.3R2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/29/2026
The vulnerability described in CVE-2024-30391 represents a critical missing authentication flaw within the Packet Forwarding Engine of Juniper Networks Junos OS operating on MX Series devices with SPC3 and SRX Series platforms. This weakness falls under the CWE-306 category of "Missing Authentication for Critical Function" and specifically targets the IPsec tunneling mechanism that governs secure network communications. The flaw manifests when devices are configured with strong authentication algorithms such as hmac-sha-384 or hmac-sha-512, creating a false sense of security while simultaneously undermining the integrity of encrypted traffic flows.
The technical implementation of this vulnerability stems from a critical oversight in the IPsec processing pipeline where authentication tags are stripped from encrypted packets during egress processing while the system continues to report successful authentication in both configuration and operational command outputs. This creates a dangerous discrepancy between the system's reported security state and its actual operational behavior, allowing an unauthenticated attacker to exploit the gap in authentication mechanisms without requiring any credentials or access privileges. The flaw operates at the network layer, specifically affecting the Packet Forwarding Engine which is responsible for handling packet forwarding decisions and security processing in Juniper's routing platforms.
From an operational impact perspective, this vulnerability creates a scenario where traffic flowing through IPsec tunnels becomes vulnerable to integrity attacks, potentially allowing for packet modification or injection without detection. When traffic traverses tunnels between affected devices, the authentication process fails silently, meaning that while the system may indicate successful authentication through CLI commands and configuration outputs, the actual cryptographic verification is not performed on egress packets. This creates a false positive scenario where administrators believe their secure tunnels are functioning correctly while in reality they are processing traffic without proper authentication, which aligns with ATT&CK technique T1071.004 for Application Layer Protocol: DNS and T1566.002 for Phishing via Service Provider for potential exploitation pathways.
The vulnerability affects multiple Junos OS version streams including all releases before 20.4R3-S7, 21.1 versions prior to 21.1R3, 21.2 versions before 21.2R2-S1 and 21.2R3, and 21.3 versions before 21.3R1-S2 and 21.3R2, indicating this represents a widespread issue across several major release branches. The attack surface is particularly concerning for organizations relying on Juniper MX and SRX platforms for secure network communications, as the vulnerability allows for limited impact to both integrity and availability of the affected devices. The false reporting mechanism means that administrators may remain unaware of the compromised security state until actual attacks occur, creating a significant blind spot in network security monitoring and incident response procedures.
Mitigation strategies should focus on immediate patch application to the affected Junos OS versions, with particular attention to upgrading to the latest supported releases that contain the necessary fixes for the IPsec authentication mechanism. Organizations should also implement network monitoring to detect anomalous traffic patterns that might indicate tunnel integrity issues, while conducting thorough inventory assessments to identify all affected devices within their network infrastructure. Additional defensive measures include implementing network segmentation to limit the potential impact of compromised tunnels, establishing robust logging and alerting for IPsec tunnel status changes, and conducting security awareness training for network administrators regarding the importance of verifying authentication mechanisms beyond command-line reporting. The vulnerability demonstrates the critical importance of comprehensive testing of security features, particularly in cryptographic implementations where false positives can create dangerous security illusions that may go undetected for extended periods.