CVE-2024-21600 : What You Need to Know
This CVE-2024-21600 vulnerability impacts Juniper's Junos OS on PTX Series devices, leading to a Denial of Service (DoS) condition.
This article provides detailed information about CVE-2024-21600, a vulnerability in Juniper's Junos OS impacting PTX Series devices.
Understanding CVE-2024-21600
CVE-2024-21600 is an Improper Neutralization of Equivalent Special Elements vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series. This vulnerability allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS) by triggering a host path wedge condition.
What is CVE-2024-21600?
The vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows attackers to exploit a scenario where MPLS packets, meant to be sent to a flexible tunnel interface (FTI), hit the reject NH when the FTI tunnel is down. This results in packets being sent to the CPU and causing a host path wedge condition, leading to an unresponsive FPC that requires manual intervention to recover. The issue specifically affects certain PTX Series devices like PTX1000, PTX3000, PTX5000 with FPC3, PTX10002-60C, and PTX10008/16 with LC110x.
The Impact of CVE-2024-21600
The impact of CVE-2024-21600 is a Denial of Service (DoS) condition on affected PTX Series devices, requiring manual restarts to recover the FPC.
Technical Details of CVE-2024-21600
This section delves into the technical aspects of the vulnerability.
Vulnerability Description
The vulnerability arises from an Improper Neutralization of Equivalent Special Elements in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series, allowing for a DoS attack.
Affected Systems and Versions
The issue affects Junos OS versions earlier than:
- 20.4R3-S8
- 21.1R3-S4
- 21.2R3-S6
- 21.3R3-S3
- 21.4R3-S5
- 22.1R2-S2, 22.1R3
- 22.2R2-S1, 22.2R3
Exploitation Mechanism
As of the publication, there have been no known malicious exploitation of this vulnerability according to Juniper SIRT.
Mitigation and Prevention
Mitigating steps to address and prevent the CVE-2024-21600 vulnerability are crucial for maintaining the security of impacted systems.
Immediate Steps to Take
Configuring a limit for reject packets via:
[ system ddos-protection protocols reject aggregate bandwidth 20 ]
Long-Term Security Practices
Adopting proper network segmentation, access controls, and regular security updates can enhance the overall security posture.
Patching and Updates
Juniper has released updated software versions for Junos OS, including 20.4R3-S8, 21.1R3-S4, 21.2R3-S6, 21.3R3-S3, 21.4R3-S5, 22.1R2-S2, 22.1R3, 22.2R2-S1, 22.2R3, 22.3R1, and subsequent releases to address this specific vulnerability.
This article sheds light on the CVE-2024-21600 vulnerability in Juniper's Junos OS, its technical impact, affected systems, and mitigation strategies to safeguard against potential threats.