CVE-2024-39554 in Junos OS

Summary

by MITRE • 07/11/2024

A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to inject incremental routing updates when BGP multipath is enabled, causing rpd to crash and restart, resulting in a Denial of Service (DoS). Since this is a timing issue (race condition), the successful exploitation of this vulnerability is outside the attacker's control. However, continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.

On all Junos OS and Junos OS Evolved platforms with BGP multipath enabled, a specific multipath calculation removes the original next hop from the multipath lead routes nexthop-set. When this change happens, multipath relies on certain internal timing to record the update. Under certain circumstances and with specific timing, this could result in an rpd crash.

This issue only affects systems with BGP multipath enabled.


This issue affects:

Junos OS:

* All versions of 21.1,
* from 21.2 before 21.2R3-S7,
* from 21.4 before 21.4R3-S6,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3-S2,
* from 22.4 before 22.4R3,
* from 23.2 before 23.2R2.

Junos OS Evolved:

* All versions of 21.1-EVO,
* All versions of 21.2-EVO,
* from 21.4-EVO before 21.4R3-S6-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-S2-EVO,
* from 22.4-EVO before 22.4R3-EVO,
* from 23.2-EVO before 23.2R2-EVO.

Versions of Junos OS before 21.1R1 are unaffected by this vulnerability. Versions of Junos OS Evolved before 21.1R1-EVO are unaffected by this vulnerability.


Analysis

by VulDB Data Team • 07/11/2024

The vulnerability identified as CVE-2024-39554 represents a race condition within the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved platforms. This flaw manifests as a concurrent execution issue involving shared resources with improper synchronization, aligning with CWE-362, which describes the risk of simultaneous access to shared data structures without adequate locking mechanisms. The vulnerability specifically impacts systems where BGP multipath functionality is enabled, creating a scenario where an unauthenticated attacker can manipulate routing updates to trigger a crash in the rpd process.

The technical mechanism behind this vulnerability involves the multipath calculation logic within the BGP implementation. When BGP multipath is enabled, the system removes the original next hop from the multipath lead routes nexthop-set during certain calculations. This process relies on internal timing mechanisms to properly record and process updates. Under specific and timing-sensitive conditions, these internal timing dependencies can lead to an inconsistent state within the rpd process, ultimately causing it to crash and restart. The crash occurs due to improper handling of shared resources during concurrent access, a pattern that directly maps to the race condition classification.

The operational impact of this vulnerability is significant as it results in a denial of service condition. While the successful exploitation requires specific timing that is outside the attacker's direct control, the sustained receipt and processing of malicious packets can create a persistent DoS scenario. The rpd daemon is critical for routing operations, and its restart disrupts network connectivity and routing stability. This vulnerability affects a broad range of Junos OS and Junos OS Evolved versions, spanning multiple release branches from 21.1 through 23.2, with specific patches required for each affected version range. The issue is particularly concerning because it can occur in production environments without any explicit attacker action, making it a latent risk that could be triggered by normal network traffic patterns.

Mitigation strategies for CVE-2024-39554 primarily involve applying the vendor-provided security patches for affected Junos OS and Junos OS Evolved versions. Organizations should prioritize updating their systems to the latest stable releases that contain fixes for this race condition. Additionally, network administrators should consider disabling BGP multipath functionality on affected systems until patches are applied, although this may impact network performance and redundancy. Monitoring for unusual routing behavior or frequent rpd restarts can help detect potential exploitation attempts. From an ATT&CK perspective, this vulnerability aligns with T1499.004, which covers network denial of service attacks, and T1562.001, related to disabling services or processes. The vulnerability also demonstrates the importance of proper synchronization mechanisms in network daemon implementations, reinforcing the need for adherence to secure coding practices and thorough testing of concurrent access scenarios.
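The affected-release list in the summary can be turned into a patch-triage check. The following Python sketch is an added example, not part of the advisory or any Juniper tooling; the release-string pattern, the status labels, and the inventory hostnames are assumptions made for illustration.

```python
import re

# Fixed release (R, S) per train, transcribed from the affected-version list above.
# None = the advisory lists every release of that train as affected.
FIXED = {
    "junos": {"21.1": None, "21.2": (3, 7), "21.4": (3, 6), "22.1": (3, 5),
              "22.2": (3, 3), "22.3": (3, 2), "22.4": (3, 0), "23.2": (2, 0)},
    "evo": {"21.1": None, "21.2": None, "21.4": (3, 6), "22.1": (3, 5),
            "22.2": (3, 3), "22.3": (3, 2), "22.4": (3, 0), "23.2": (2, 0)},
}

# Assumed release-string shape: <major>.<minor>R<n>[-S<n>][.<build>][-EVO]
RELEASE_RE = re.compile(
    r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")


def classify(release: str) -> str:
    """Return 'affected', 'fixed', 'unaffected' or 'not-listed' for one release string."""
    m = RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor, r, s, evo = m.groups()
    if (int(major), int(minor)) < (21, 1):
        return "unaffected"          # before 21.1R1 / 21.1R1-EVO
    table = FIXED["evo" if evo else "junos"]
    train = f"{major}.{minor}"
    if train not in table:
        return "not-listed"          # advisory is silent; check the vendor bulletin
    fixed = table[train]
    if fixed is None or (int(r), int(s or 0)) < fixed:
        return "affected"            # only exploitable if BGP multipath is enabled
    return "fixed"


def needs_patch(inventory: dict) -> list:
    """Hosts running an affected release, sorted by name."""
    return sorted(h for h, rel in inventory.items() if classify(rel) == "affected")


# Constructed inventory (hypothetical hostnames and releases).
INVENTORY = {"edge-a": "21.4R3-S5.4", "edge-b": "21.4R3-S6", "core-a": "22.4R3.25",
             "core-b": "21.2R3-S8-EVO", "lab-a": "20.4R3-S9", "lab-b": "23.4R1"}

if __name__ == "__main__":
    for host, rel in INVENTORY.items():
        print(host, rel, classify(rel))
```

A host reported as affected is only exposed if BGP multipath is configured on it, so pair the result with a configuration review before scheduling the upgrade.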

Responsible: Juniper
Reservation: 06/25/2024
Disclosure: 07/11/2024
Moderation: accepted
CPE: ready
EPSS: 0.00366
KEV: no
Activities: very low

Sources
