CVE-2024-21595
📋 TL;DR
An unauthenticated network attacker can cause a denial of service by sending high-rate specific ICMP traffic to Juniper devices with VXLAN configured, resulting in a PFE deadlock requiring manual restart. This affects Juniper EX4100, EX4400, EX4600, and QFX5000 Series devices running vulnerable Junos OS versions.
💻 Affected Systems
- Juniper EX4100 Series
- Juniper EX4400 Series
- Juniper EX4600 Series
- Juniper QFX5000 Series
📦 What is this software?
Junos by Juniper
Junos OS is Juniper Networks' flagship network operating system running on enterprise routers, switches, security appliances, and data center infrastructure worldwide. Deployed across telecommunications providers, ISPs, cloud service providers, financial institutions, and large enterprises, Junos po...
⚠️ Risk & Real-World Impact
Worst Case
Complete device unresponsiveness requiring manual reboot, disrupting all network services on affected devices.
Likely Case
Service disruption on affected devices requiring manual intervention to restore functionality.
If Mitigated
No impact if devices are patched or VXLAN is not configured.
🎯 Exploit Status
Attack requires sending high-rate specific ICMP traffic to devices with VXLAN configured. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.4R3-S4, 22.1R3-S3, 22.2R3-S1, 22.3R2-S2, 22.3R3, 22.4R2, 23.1R2 or later
Vendor Advisory: https://advisory.juniper.net/JSA75734
Restart Required: Yes
Instructions:
1. Download the appropriate patched version from the Juniper support portal.
2. Back up the current configuration.
3. Install the update following Juniper upgrade procedures.
4. Reboot the device to apply the changes.
🔧 Temporary Workarounds
Disable VXLAN
Remove the VXLAN configuration if it is not required for network operations. Where the VXLAN statements live depends on the deployment (on EX and QFX switches they commonly also sit under vlans ... vxlan and switch-options), so list them first with show configuration | display set | match vxlan and remove every VXLAN-related statement before committing.
delete protocols vxlan
commit
Rate Limit ICMP Traffic
Implement firewall filters to limit ICMP traffic to affected devices. A Junos firewall filter ends with an implicit discard, so the filter needs a final term that accepts all other traffic, and a policer must specify both a bandwidth-limit and a burst-size-limit (the 15k burst below is an illustrative value; size it for your link). Replace interface-name with the interface facing the untrusted network.
set firewall family inet filter ICMP-LIMIT term 1 from protocol icmp
set firewall family inet filter ICMP-LIMIT term 1 then policer 1m
set firewall family inet filter ICMP-LIMIT term 2 then accept
set firewall policer 1m if-exceeding bandwidth-limit 1m
set firewall policer 1m if-exceeding burst-size-limit 15k
set firewall policer 1m then discard
set interfaces interface-name unit 0 family inet filter input ICMP-LIMIT
commit
🧯 If You Can't Patch
- Disable VXLAN configuration if not essential for network operations.
- Implement network segmentation and access controls to limit ICMP traffic to affected devices.
🔍 How to Verify
Check if Vulnerable:
The device is affected if its model is in the EX4100, EX4400, EX4600 or QFX5000 Series, VXLAN is configured, and the running Junos OS version is earlier than the corresponding fixed release listed above.
Check Version:
show version
Verify Fix Applied:
Verify Junos version is patched (21.4R3-S4+, 22.1R3-S3+, 22.2R3-S1+, 22.3R2-S2+, 22.3R3+, 22.4R2+, 23.1R2+) and device is operational.
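As an added check (example code, not from this page or from Juniper), the following Python pulls the release string out of show version output and compares it against the fixed releases listed above, combining that with the model and VXLAN conditions from the verification steps. The sample show version output, the model-prefix list and the rule that a later R release within the same major.minor train counts as fixed are assumptions of the example; trains that do not appear in the fix list are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Fixed releases as listed in this advisory for CVE-2024-21595 (JSA75734).
FIXED_RELEASES = ["21.4R3-S4", "22.1R3-S3", "22.2R3-S1", "22.3R2-S2",
                  "22.3R3", "22.4R2", "23.1R2"]

# Assumed model-name prefixes for the affected series (EX4100/EX4400/EX4600/QFX5000).
AFFECTED_MODEL_PREFIXES = ("ex4100", "ex4400", "ex4600", "qfx5")

# Junos release string: <major>.<minor>R<release>[-S<service>][.<build>]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")


def parse_junos_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, R, S) for a Junos release string; the build suffix is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    major, minor, rel, svc = m.groups()
    return int(major), int(minor), int(rel), int(svc or 0)


def fix_status(version: str) -> str:
    """Classify a running release against the advisory's fixed releases.

    "fixed": at or after a listed fix in the same major.minor train (a later R
    release in that train is assumed to carry the fix); "vulnerable": before
    every listed fix in that train; "unknown": the train is not on the list,
    so the JSA itself must be consulted.
    """
    major, minor, rel, svc = parse_junos_version(version)
    same_train = [parse_junos_version(f) for f in FIXED_RELEASES
                  if parse_junos_version(f)[:2] == (major, minor)]
    if not same_train:
        return "unknown"
    for _, _, frel, fsvc in same_train:
        if (rel, svc) >= (frel, fsvc):
            return "fixed"
    return "vulnerable"


def version_from_show_version(output: str) -> Optional[str]:
    """Extract the release string from the 'Junos: ...' line of show version output."""
    m = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None


def assess(show_version_output: str, vxlan_configured: bool) -> str:
    """Apply the three conditions from the advisory: model, VXLAN in use, release."""
    model = re.search(r"^Model:\s*(\S+)", show_version_output, re.MULTILINE)
    if not model or not model.group(1).lower().startswith(AFFECTED_MODEL_PREFIXES):
        return "not-affected-model"
    if not vxlan_configured:
        return "not-affected-no-vxlan"
    release = version_from_show_version(show_version_output)
    if release is None:
        return "unknown"
    return fix_status(release)


# Constructed sample output in the shape of `show version` on an EX4400.
SAMPLE_SHOW_VERSION = """\
Hostname: leaf1
Model: ex4400-48t
Junos: 22.3R2-S1.4
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, vxlan_configured=True))   # vulnerable
```

Feed the script the captured text of show version from each switch and the result of a configuration search for VXLAN statements; an "unknown" result means the train is outside the list above and needs a manual look at the vendor advisory.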
📡 Detection & Monitoring
Log Indicators:
- PFE deadlock messages
- Device becoming unresponsive
- High ICMP traffic logs
Network Indicators:
- Unusually high ICMP traffic to devices with VXLAN
- Device becoming unresponsive to network requests
SIEM Query:
source="juniper-firewall" AND ((icmp AND rate>threshold) OR "PFE deadlock" OR "device unresponsive")
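As an added illustration of the indicators above (example code, not from this page or from Juniper), this Python runs over constructed syslog lines in the shape Junos emits for firewall-filter matches that carry a syslog action (PFE_FW_SYSLOG_IP) and raises an alert when a single source exceeds an ICMP packet budget inside a sliding time window, or when a message mentions a PFE deadlock. The timestamp format, hostnames, addresses, thresholds and the wording of the deadlock line are all constructed for the example; the filter on the page would need a syslog action added to its ICMP term to produce such lines.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Firewall-filter syslog line: <iso-ts> <host> ... PFE_FW_SYSLOG_IP: FW: <ifl> <A|D> icmp <src> <dst> <sport> <dport> (<n> packets)
FW_RE = re.compile(
    r"^(\S+) (\S+) .*PFE_FW_SYSLOG_IP: FW: (\S+) ([AD]) icmp (\S+) (\S+) \S+ \S+ \((\d+) packets\)"
)

# Constructed sample lines (not real device output): one quiet source, one
# bursty source, and a free-text PFE message in the advisory's wording.
SAMPLE_LOGS = [
    "2024-01-12T10:00:00 leaf1 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 A icmp 192.0.2.50 198.51.100.1 0 0 (1 packets)",
    "2024-01-12T10:00:01 leaf1 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 A icmp 192.0.2.10 198.51.100.1 0 0 (400 packets)",
    "2024-01-12T10:00:04 leaf1 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 A icmp 192.0.2.10 198.51.100.1 0 0 (450 packets)",
    "2024-01-12T10:00:08 leaf1 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 D icmp 192.0.2.10 198.51.100.1 0 0 (300 packets)",
    "2024-01-12T10:00:30 leaf1 fpc0 PFE_FW_SYSLOG_IP: FW: ge-0/0/1.0 A icmp 192.0.2.10 198.51.100.1 0 0 (400 packets)",
    "2024-01-12T10:00:35 leaf1 fpc0 constructed-message: PFE deadlock detected, manual restart required",
]


def detect(lines: List[str], window_s: int = 10, pkt_threshold: int = 1000) -> List[Tuple[str, str]]:
    """Return (alert_type, detail) pairs for ICMP rate spikes and PFE deadlock messages.

    Per source address, packet counts from the last window_s seconds are kept in a
    deque; when their sum exceeds pkt_threshold an "icmp-rate" alert is raised and
    the window is reset so one burst produces one alert rather than one per line.
    """
    alerts: List[Tuple[str, str]] = []
    recent: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
    totals: Dict[str, int] = defaultdict(int)

    for line in lines:
        # The advisory lists PFE deadlock messages as a log indicator; match on that phrase.
        if "pfe deadlock" in line.lower():
            alerts.append(("pfe-deadlock", line))
            continue
        m = FW_RE.match(line)
        if not m:
            continue
        ts_txt, host, ifl, _action, src, _dst, pkts = m.groups()
        ts = datetime.fromisoformat(ts_txt).timestamp()
        count = int(pkts)

        q = recent[src]
        q.append((ts, count))
        totals[src] += count
        # Drop entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_s:
            _, old = q.popleft()
            totals[src] -= old

        if totals[src] > pkt_threshold:
            alerts.append(("icmp-rate",
                           f"{src} -> {host} {ifl}: {totals[src]} icmp packets in {window_s}s"))
            q.clear()
            totals[src] = 0
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOGS):
        print(kind, detail)
```

The packet threshold and window are deliberately parameters: a sensible budget is the rate the policer on the interface is meant to allow, so that alerts fire on sources that keep hitting the policer rather than on ordinary ping traffic.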