CVE-2024-21602
📋 TL;DR
A NULL pointer dereference vulnerability in Juniper Junos OS Evolved allows an unauthenticated, network-based attacker to cause a denial of service by sending specific IPv4 UDP packets. When such a packet is received by the Routing Engine, packetio crashes, interrupting traffic. This affects ACX7024, ACX7100-32C, and ACX7100-48L devices running vulnerable Junos OS Evolved versions.
💻 Affected Systems
- Juniper ACX7024
- Juniper ACX7100-32C
- Juniper ACX7100-48L
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial of service causing complete network disruption on affected devices, potentially affecting downstream systems and services.
Likely Case
Intermittent traffic interruptions as packetio crashes and restarts, leading to degraded network performance and reliability issues.
If Mitigated
Minimal impact with proper network segmentation and filtering preventing malicious UDP packets from reaching vulnerable devices.
🎯 Exploit Status
Attack requires sending specific UDP packets but no authentication or special privileges. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.4R3-S6-EVO, 22.1R3-S5-EVO, 22.2R2-S1-EVO, 22.2R3-EVO, or 22.3R2-EVO
Vendor Advisory: https://supportportal.juniper.net/JSA75743
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate fixed version from Juniper support.
3. Install the update following Juniper upgrade procedures.
4. Reboot the device to complete the installation.
🔧 Temporary Workarounds
UDP Packet Filtering
Implement firewall filters or ACLs to block suspicious UDP packets from reaching vulnerable devices. Note that the example filter below discards every IPv4 UDP packet it is applied to, which would also drop legitimate UDP services such as DNS, NTP, SNMP, BFD and syslog; in practice, scope it to traffic destined for the Routing Engine and add terms that accept the UDP services the device needs ahead of the discard term.
# Example: Configure a firewall filter that discards UDP
set firewall family inet filter BLOCK-UDP term 1 from protocol udp
set firewall family inet filter BLOCK-UDP term 1 then discard
Network Segmentation
Isolate vulnerable devices in protected network segments with strict ingress filtering.
# Apply the filter as an input filter on the interface (replace interface-name with the actual interface)
set interfaces interface-name unit 0 family inet filter input BLOCK-UDP
🧯 If You Can't Patch
- Implement strict network access controls to limit UDP traffic to vulnerable devices
- Deploy intrusion prevention systems to detect and block malicious UDP packet patterns
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and compare the result against the affected versions. Check whether the device is an ACX7024, ACX7100-32C, or ACX7100-48L running Junos OS Evolved.
Check Version:
show version
Verify Fix Applied:
After patching, verify version is at or above fixed versions: 21.4R3-S6-EVO, 22.1R3-S5-EVO, 22.2R2-S1-EVO, 22.2R3-EVO, or 22.3R2-EVO.
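Comparing release strings by hand is error-prone because each Junos OS Evolved branch has its own fix threshold. The following script is an added example (not part of this page or of any Juniper tooling) that parses a version string or 'show version' output, checks the model line, and reports whether the running release is at or above the fixed releases listed above. The sample output and the handling of branches not listed here (reported as "unknown" for manual review) are assumptions.

```python
import re

# Fixed releases per Junos OS Evolved branch, from the advisory above.
# Values are (R, S); 22.2 lists two fixes (R2-S1 and R3), so the lower one is the threshold.
FIXED = {
    (21, 4): (3, 6),  # 21.4R3-S6-EVO
    (22, 1): (3, 5),  # 22.1R3-S5-EVO
    (22, 2): (2, 1),  # 22.2R2-S1-EVO (22.2R3-EVO is later and also fixed)
    (22, 3): (2, 0),  # 22.3R2-EVO
}

AFFECTED_MODELS = ("acx7024", "acx7100-32c", "acx7100-48l")

# major.minor R<release> [-S<service>] [.build] -EVO, e.g. 22.2R2-S1.3-EVO or 22.3R2.4-EVO
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:-S(?P<s>\d+))?(?:\.\d+)?-EVO\b"
)

def parse_evo_version(text):
    """Return (major, minor, R, S) from a version string or 'show version' output, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return (int(m["major"]), int(m["minor"]), int(m["r"]), int(m["s"] or 0))

def version_status(text):
    """'fixed', 'vulnerable' or 'unknown' (no version found, or a branch this page lists no fix for).
    Assumption: unlisted branches are flagged for manual review against the vendor advisory."""
    v = parse_evo_version(text)
    if v is None:
        return "unknown"
    major, minor, r, s = v
    threshold = FIXED.get((major, minor))
    if threshold is None:
        return "unknown"
    return "fixed" if (r, s) >= threshold else "vulnerable"

def is_affected_model(text):
    """True if a 'Model:' line in 'show version' output names one of the ACX platforms above."""
    m = re.search(r"^Model:\s*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return bool(m) and m.group(1).lower() in AFFECTED_MODELS

# Constructed sample output, not captured from a real device.
SAMPLE = """Hostname: acx-edge-1
Model: acx7100-48l
Junos: 22.2R2-S1.3-EVO
"""

if __name__ == "__main__":
    print(is_affected_model(SAMPLE), version_status(SAMPLE))
```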
📡 Detection & Monitoring
Log Indicators:
- Packetio process crashes
- Routing Engine restarts
- Unexpected service interruptions
- High frequency of UDP packet drops
Network Indicators:
- Unusual UDP traffic patterns to ACX devices
- Increased UDP packet volume from single sources
- Traffic spikes followed by service degradation
SIEM Query:
source="juniper-firewall" AND ("packetio crash" OR "RE restart" OR "denial of service")