CVE-2024-47489 in Junos OS Evolved

Summary

by MITRE • 10/11/2024

An Improper Handling of Exceptional Conditions vulnerability in the Packet Forwarding Engine (pfe) of the Juniper Networks Junos OS Evolved on ACX Series devices allows an unauthenticated, network based attacker sending specific transit protocol traffic to cause a partial Denial of Service (DoS) to downstream devices.

Receipt of specific transit protocol packets is incorrectly processed by the Routing Engine (RE), filling up the DDoS protection queue which is shared between routing protocols. This influx of transit protocol packets causes DDoS protection violations, resulting in protocol flaps which can affect connectivity to networking devices.

This issue affects both IPv4 and IPv6. This issue does not require any specific routing protocol to be configured or enabled.

The following commands can be used to monitor the DDoS protection queue:

    labuser@re0> show evo-pfemand host pkt-stats
    labuser@re0> show host-path ddos all-policers

This issue affects Junos OS Evolved:

* All versions before 21.4R3-S8-EVO,
* from 22.2 before 22.2R3-S4-EVO,
* from 22.3 before 22.3R3-S4-EVO,
* from 22.4 before 22.4R3-S3-EVO,
* from 23.2 before 23.2R2-EVO,
* from 23.4 before 23.4R1-S1-EVO, 23.4R2-EVO,
* from 24.2 before 24.2R2-EVO.
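To turn the version ranges above into a repeatable inventory check, here is an added Python helper; it is not part of the CVE record and not a Juniper tool. It assumes Junos OS Evolved version strings of the form major.minorR<release>[-S<service>]-EVO, reads each range as "affected if older than the earliest fixed release listed for that train" (for 23.4 that is 23.4R1-S1-EVO, since 23.4R2-EVO sorts after it), treats every train older than 21.4 as affected per "All versions before 21.4R3-S8-EVO", and treats trains the text does not list (such as 22.1 or 23.3) as not affected; that last reading is an assumption.

```python
import re
from typing import Dict, Iterable, NamedTuple

# Added example: checker for the affected-version ranges quoted in the
# CVE-2024-47489 text. Not Juniper code; the accepted version grammar
# (major.minorR<release>[-S<service>]-EVO) is an assumption.


class JunosEvoVersion(NamedTuple):
    major: int
    minor: int
    release: int  # the R number
    service: int  # the S number, 0 when there is no -S suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?-EVO$")


def parse_version(text: str) -> JunosEvoVersion:
    """Parse e.g. '22.3R3-S4-EVO'; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Junos OS Evolved version: {text!r}")
    major, minor, release, service = m.groups()
    return JunosEvoVersion(int(major), int(minor), int(release), int(service or 0))


# Earliest fixed release per train, taken from the CVE text. 23.4 lists two
# fixed releases (23.4R1-S1-EVO and 23.4R2-EVO); the earlier one is the
# boundary because 23.4R2 sorts after it anyway.
FIXED_IN = {
    (21, 4): "21.4R3-S8-EVO",
    (22, 2): "22.2R3-S4-EVO",
    (22, 3): "22.3R3-S4-EVO",
    (22, 4): "22.4R3-S3-EVO",
    (23, 2): "23.2R2-EVO",
    (23, 4): "23.4R1-S1-EVO",
    (24, 2): "24.2R2-EVO",
}

# "All versions before 21.4R3-S8-EVO" covers every train older than 21.4.
OLDEST_LISTED_TRAIN = (21, 4)


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the listed affected ranges."""
    v = parse_version(text)
    train = (v.major, v.minor)
    if train < OLDEST_LISTED_TRAIN:
        return True
    fixed = FIXED_IN.get(train)
    if fixed is None:
        # Trains the text does not list are treated as not affected
        # (an assumption; confirm against the vendor advisory).
        return False
    # NamedTuple comparison is lexicographic: (major, minor, R, S).
    return v < parse_version(fixed)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected', 'not affected' or 'unparsed'."""
    result: Dict[str, str] = {}
    for text in versions:
        try:
            result[text] = "affected" if is_affected(text) else "not affected"
        except ValueError:
            result[text] = "unparsed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, as might be collected from device
    # "show version" output; not real device data.
    inventory = ["21.4R3-S7-EVO", "21.4R3-S8-EVO", "23.4R1-EVO",
                 "23.4R2-EVO", "22.1R3-EVO", "24.2R1-S1-EVO", "bogus"]
    for name, verdict in triage(inventory).items():
        print(f"{name:16} {verdict}")
```

Feed it the version strings from your device inventory; anything reported as "unparsed" (a non-EVO build, or an unexpected suffix) needs a manual look rather than being silently marked safe.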


Analysis

by VulDB Data Team • 01/26/2026

The vulnerability described in CVE-2024-47489 represents a critical flaw in the Packet Forwarding Engine of Juniper Networks Junos OS Evolved running on ACX Series devices. This issue falls under the category of improper handling of exceptional conditions, specifically manifesting as a failure to properly process certain transit protocol packets that should be handled gracefully. The flaw exists within the Routing Engine component where incoming transit protocol traffic is incorrectly processed, leading to resource exhaustion and subsequent service disruption. The vulnerability operates at the network protocol level and affects the fundamental routing and forwarding capabilities of the device, making it particularly dangerous in production environments where network stability is paramount.

The vulnerability lies in a specific processing path within the Routing Engine that handles transit protocol packets. When malformed or specially crafted transit protocol traffic reaches the device, the system fails to validate or handle these packets correctly within the DDoS protection framework, and the DDoS protection queue becomes overwhelmed because these exceptional conditions are neither filtered nor managed. Because the queue is shared between routing protocols, the problem is amplified: it fills rapidly with transit protocol packets that should not consume resources designated for legitimate DDoS protection. This design flaw lets an attacker disrupt legitimate network traffic simply by sending the specific transit protocol packets that trigger the condition.

The operational impact of this vulnerability extends beyond simple service disruption to potentially causing widespread connectivity issues within the network infrastructure. The partial denial of service affects downstream devices by causing routing protocol flaps, which can lead to temporary or extended network outages. These protocol flaps occur because the DDoS protection mechanisms are triggered by the malformed packets, causing the routing protocols to restart or become unstable. The vulnerability affects both IPv4 and IPv6 traffic streams, making it particularly challenging to mitigate since it operates at the protocol level rather than being limited to specific address families. The fact that this issue does not require any specific routing protocol to be configured or enabled means that any device running the affected Junos OS Evolved versions is potentially vulnerable, regardless of its current configuration.

Network administrators can monitor the impact of this vulnerability with the two diagnostic commands given in the summary. show evo-pfemand host pkt-stats exposes host-path packet statistics that indicate when the DDoS protection queue is being overwhelmed, and show host-path ddos all-policers shows the state of the individual DDoS protection policers, including any that are being violated by the exceptional traffic. This visibility is essential both for recognizing when the vulnerability is being exploited and for measuring whether a mitigation is working. The vulnerability is present in multiple release trains of Junos OS Evolved, meaning the defective code path has persisted across several software versions and is only corrected in the fixed release listed for each train.

This vulnerability aligns with CWE-703, Improper Handling of Exceptional Conditions, which describes situations where a program does not properly handle exceptional or error conditions. The issue also maps to ATT&CK technique T1499.004, Network Denial of Service, as it creates a network-level denial of service condition through the manipulation of routing protocols. Additionally, the vulnerability demonstrates characteristics of T1566.002, Phishing via Service, in the context of how attackers can leverage the routing protocol processing to cause service disruption. The shared DDoS protection queue mechanism represents a design flaw that could be categorized under T1072, Software Deployment, where the software components do not properly isolate resource consumption between different protocol processing paths. Organizations should implement immediate patching strategies and consider network segmentation to isolate affected devices while applying the necessary software updates to remediate this vulnerability.

Mitigation requires close attention to the affected version ranges. Organizations should prioritize upgrading to the fixed Junos OS Evolved release for their train, consulting the release notes that address this flaw. Upgrades should be planned to avoid service disruption, since routing protocols may need to be restarted or reconfigured after the update. As an interim measure, administrators can consider network access controls or traffic filtering rules to keep the triggering transit protocol packets from reaching affected devices. The monitoring commands from the vulnerability description should be used to establish baseline metrics before and after mitigation, confirming that the DDoS protection queue is no longer being overwhelmed by exceptional conditions.

Responsible

Juniper

Reservation

09/25/2024

Disclosure

10/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00631

KEV

no

Activities

very low
