CVE-2024-30403 in Junos OS Evolved
Summary
by MITRE • 04/12/2024
A NULL Pointer Dereference vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).
When Layer 2 traffic is sent through a logical interface, MAC learning happens. If during this process, the interface flaps, an Advanced Forwarding Toolkit manager (evo-aftmand-bt) core is observed. This leads to a PFE restart. The crash reoccurs if the same sequence of events happens, which will lead to a sustained DoS condition.
This issue affects Juniper Networks Junos OS Evolved: 23.2-EVO versions earlier than 23.2R1-S1-EVO, 23.2R2-EVO.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/07/2025
The vulnerability described in CVE-2024-30403 represents a critical NULL pointer dereference flaw within the Packet Forwarding Engine of Juniper Networks Junos OS Evolved platform. This security weakness specifically targets the Advanced Forwarding Toolkit manager component known as evo-aftmand-bt which is responsible for managing forwarding operations in the network infrastructure. The flaw manifests when Layer 2 traffic traverses logical interfaces where MAC learning processes occur, creating a scenario where system stability can be compromised through carefully crafted network traffic patterns. The vulnerability is particularly concerning because it requires minimal privileges to exploit, allowing an unauthenticated adjacent attacker to initiate the malicious sequence that leads to system instability.
The technical mechanism behind this vulnerability involves a specific race condition during MAC learning operations that occurs when interface flapping events take place. When a logical interface experiences rapid state changes, the Advanced Forwarding Toolkit manager attempts to process these transitions while maintaining internal data structures. However, the code fails to properly validate pointer references during this critical phase, resulting in a NULL pointer dereference exception. This error causes the evo-aftmand-bt process to crash and subsequently restart the Packet Forwarding Engine component. The crash is not a one-time occurrence but rather a recurring issue that persists as long as the same sequence of interface flapping and MAC learning events continues to occur.
The operational impact of this vulnerability extends beyond simple service disruption to create sustained denial of service conditions that can severely impact network availability and reliability. Network administrators face the challenge of maintaining continuous service while dealing with intermittent system restarts that can occur without warning. The PFE restarts caused by this vulnerability effectively remove the affected forwarding engine from service, disrupting all traffic flowing through the logical interfaces that trigger the condition. This creates cascading effects throughout the network infrastructure, potentially leading to extended outages that can impact business operations and service level agreements. The vulnerability is particularly dangerous in high-availability environments where network redundancy is expected to maintain service continuity.
Mitigation strategies for this vulnerability should focus on immediate version upgrades to the patched releases mentioned in the advisory, specifically 23.2R1-S1-EVO and 23.2R2-EVO for the affected 23.2-EVO versions. Network administrators should implement monitoring solutions to detect interface flapping patterns that could lead to triggering the vulnerability, as well as establish automated alerting systems for PFE restart events. The implementation of network segmentation and access controls can help limit the attack surface by preventing unauthorized adjacent network access. Additionally, organizations should consider implementing traffic shaping policies that limit the rate of Layer 2 traffic through logical interfaces to reduce the probability of triggering the race condition. From a compliance perspective, this vulnerability aligns with CWE-476 which addresses NULL pointer dereference issues and represents a significant concern under ATT&CK framework category T1499 for network denial of service attacks, highlighting the need for robust network infrastructure security controls and incident response procedures to maintain operational resilience against such threats.