CVE-2024-30397 in Junos OS
Summary
by MITRE • 04/12/2024
An Improper Check for Unusual or Exceptional Conditions vulnerability in the the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).
The pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.
This CPU utilization of pkid can be checked using this command: root@srx> show system processes extensive | match pkid xxxxx root 103 0 846M 136M CPU1 1 569:00 100.00% pkid
This issue affects: Juniper Networks Junos OS All versions prior to 20.4R3-S10; 21.2 versions prior to 21.2R3-S7; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S3; 22.3 versions prior to 22.3R3-S1; 22.4 versions prior to 22.4R3; 23.2 versions prior to 23.2R1-S2, 23.2R2.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/29/2026
The vulnerability identified as CVE-2024-30397 represents a critical improper check for unusual or exceptional conditions flaw within Juniper Networks Junos OS Public Key Infrastructure daemon. This weakness falls under the CWE-703 category of "Improper Check for Exceptional Conditions" which occurs when a program fails to properly handle exceptional circumstances that should trigger error recovery mechanisms. The pkid daemon serves as the core component responsible for certificate verification operations within the network infrastructure, making its stability crucial for maintaining secure communications and network availability.
The technical implementation of this vulnerability manifests when the pkid daemon encounters certificate verification failures. Rather than gracefully handling these exceptional conditions through proper resource management and error recovery protocols, the daemon enters an infinite loop consuming 100% CPU resources. This behavior creates a denial of service condition that affects the entire certificate verification infrastructure. The daemon becomes completely unresponsive to subsequent verification requests, effectively blocking all VPN negotiations that depend on certificate validation. The resource consumption pattern clearly demonstrates the problematic behavior, with the process showing 100% CPU utilization as evidenced by the diagnostic command output showing the daemon consuming excessive system resources.
The operational impact of this vulnerability extends far beyond simple service disruption, creating cascading failures throughout the network infrastructure. When the pkid daemon becomes unresponsive, all subsequent certificate verification requests fail, which directly impacts VPN connectivity and secure network access. This affects enterprise networks that rely heavily on Juniper SRX series devices for secure remote access and site-to-site connections. The vulnerability particularly threatens organizations using Junos OS versions prior to the specified patches, as these systems lack the proper exception handling mechanisms that would prevent the daemon from consuming all available CPU cycles. Network administrators may observe complete loss of VPN functionality, increased system load, and potential service degradation across multiple network services that depend on certificate validation.
Mitigation strategies for this vulnerability should prioritize immediate patch deployment across all affected Junos OS versions, with particular attention to the specific release versions mentioned in the advisory. Organizations should implement network monitoring solutions to detect unusual CPU utilization patterns in pkid processes, enabling early detection of potential exploitation attempts. The recommended approach includes establishing baseline performance metrics and implementing automated alerting systems when CPU utilization exceeds normal thresholds. Additionally, network segmentation strategies can help limit the impact of a compromised pkid daemon by isolating critical services and implementing redundant certificate verification mechanisms. Security teams should also consider implementing access controls to limit network access to devices running vulnerable versions of Junos OS, while maintaining detailed audit logs of certificate verification activities to aid in forensic analysis if exploitation occurs. The vulnerability demonstrates the importance of proper error handling in security-critical daemon processes and aligns with ATT&CK technique T1499.004 for "Endpoint Denial of Service" through resource exhaustion attacks.