CVE-2024-39558 in Junos OS
Summary
by MITRE • 07/11/2024
An Unchecked Return Value vulnerability in the Routing Protocol Daemon (rpd) on Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows a logically adjacent, unauthenticated attacker sending a specific PIM packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS), when PIM is configured with Multicast-only Fast Reroute (MoFRR). Continued receipt and processing of this packet may create a sustained Denial of Service (DoS) condition.
This issue is observed on Junos and Junos Evolved platforms where PIM is configured along with MoFRR. MoFRR tries to select the active path, but due to an internal timing issue, rpd is unable to select the forwarding next-hop towards the source, resulting in an rpd crash.
This issue affects:
Junos OS:
* All versions before 20.4R3-S10,
* from 21.2 before 21.2R3-S7,
* from 21.4 before 21.4R3-S6,
* from 22.1 before 22.1R3-S5,
* from 22.2 before 22.2R3-S3,
* from 22.3 before 22.3R3,
* from 22.4 before 22.4R2;
Junos OS Evolved:
* All versions before 20.4R3-S10-EVO,
* from 21.2-EVO before 21.2R3-S7-EVO,
* from 21.4-EVO before 21.4R3-S6-EVO,
* from 22.1-EVO before 22.1R3-S5-EVO,
* from 22.2-EVO before 22.2R3-S3-EVO,
* from 22.3-EVO before 22.3R3-EVO,
* from 22.4-EVO before 22.4R2-EVO.
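The affected-version list above, turned into an inventory check; this is an added example, not code from MITRE, VulDB or Juniper. It handles only standard R-release version strings (anything else is reported as `unknown`), trains the list does not name are reported as `unlisted`, and the hostnames and sample versions are constructed.

```python
import re

# First fixed (release, service) per train, from the affected list above.
# The Junos OS Evolved list uses the same numbers with an -EVO suffix.
FIRST_FIXED = {
    (20, 4): (3, 10), (21, 2): (3, 7), (21, 4): (3, 6), (22, 1): (3, 5),
    (22, 2): (3, 3), (22, 3): (3, 0), (22, 4): (2, 0),
}
OLDEST_TRAIN = min(FIRST_FIXED)

# Matches e.g. 21.2R3-S6, 22.4R1.9, 20.4R3-S9.2-EVO (R releases only).
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)R(\d+)(?:\.\d+)?(?:-S(\d+)(?:\.\d+)?)?(-EVO)?$"
)

def parse_version(text):
    """Return ((major, minor), (release, service), is_evolved)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported Junos version string: {text!r}")
    major, minor, rel, svc, evo = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0)), evo is not None

def classify(text):
    """Return 'affected', 'fixed' or 'unlisted' for one version string."""
    train, release, _ = parse_version(text)
    if train < OLDEST_TRAIN:
        return "affected"      # "All versions before 20.4R3-S10"
    if train not in FIRST_FIXED:
        return "unlisted"      # train not named in the advisory text
    return "affected" if release < FIRST_FIXED[train] else "fixed"

def audit(inventory):
    """Map hostname -> classification; unparsable versions become 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unknown"
    return result

# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "edge-1": "21.2R3-S6", "edge-2": "22.4R2-EVO",
    "core-1": "21.3R3-S1", "lab-1": "15.1X49-D100",
}
```

A version match only indicates exposure where PIM is configured with MoFRR, as the summary states; `unlisted` and `unknown` results need a manual check against the vendor advisory.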
Analysis
by VulDB Data Team • 07/11/2024
The vulnerability described in CVE-2024-39558 represents a critical unchecked return value flaw within the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved platforms. This issue specifically manifests when the Protocol Independent Multicast (PIM) protocol is configured with Multicast-only Fast Reroute (MoFRR) functionality. The vulnerability enables a logically adjacent, unauthenticated attacker to exploit a timing-related inconsistency in the rpd process, causing it to crash and restart repeatedly. This behavior constitutes a denial of service condition that can be either transient or sustained depending on the attacker's continued packet injection. The flaw resides in the internal processing logic where rpd fails to properly select the forwarding next-hop towards the multicast source due to an unresolved timing conflict during MoFRR path selection, leading to an unhandled exception that terminates the daemon.
The technical nature of this vulnerability aligns with CWE-252, which describes unchecked return values in software systems, making it a direct manifestation of poor error handling practices. When PIM packets are received and processed under MoFRR configuration, the rpd daemon encounters a scenario where it cannot properly establish or maintain the necessary forwarding state information. This failure occurs during the active path selection process, where the timing of packet reception and internal state updates creates a race condition or synchronization issue. The result is an abrupt termination of the rpd process, which then automatically restarts, creating a service disruption that impacts multicast routing functionality. The vulnerability's exploitation requires minimal privileges and can be executed from adjacent network segments, making it particularly concerning for network infrastructure devices.
From an operational impact perspective, this vulnerability presents a significant threat to network availability and stability, especially in environments where multicast routing is critical for services such as video streaming, real-time data distribution, or multicast-based applications. The DoS condition affects not only the immediate routing functionality but also potentially impacts broader network operations, as rpd is responsible for maintaining routing state information and processing multicast traffic. Network administrators may observe intermittent service disruptions or sustained outages depending on the frequency and persistence of the attack. The timing aspect of the vulnerability means that even a single malicious packet can trigger a cascade of restarts, potentially leading to complete routing table instability and service degradation across multicast domains.
Mitigation strategies for CVE-2024-39558 should prioritize immediate patching of affected Junos OS and Junos OS Evolved platforms to versions that address the underlying timing and return value handling issues. Organizations should also consider implementing network segmentation and access control measures to limit logical adjacency to affected devices, particularly in environments where multicast routing is enabled with MoFRR. Network monitoring should be enhanced to detect unusual restart patterns in rpd processes, and automated alerting systems should be configured to notify administrators of potential exploitation attempts. Additionally, temporary workarounds such as disabling PIM with MoFRR functionality or implementing rate limiting on multicast packet processing may be necessary until permanent patches can be deployed. The ATT&CK framework categorizes this vulnerability under T1499.004 for Network Denial of Service, and potentially T1566.002 for Phishing with Pretext, as it can be exploited through network-based attacks that require minimal reconnaissance or credential requirements.