CVE-2024-21604
📋 TL;DR
An unauthenticated network attacker can cause a complete and persistent system outage on Juniper Junos OS Evolved by sending a high rate of specific valid packets that exhaust kernel connection tracking resources. This affects Junos OS Evolved across multiple version branches, leading to routing engine connectivity loss and denial of service.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
⚠️ Risk & Real-World Impact
Worst Case
Complete and persistent system outage where the routing engine loses connectivity with all chassis components, requiring physical intervention or reboot to restore service.
Likely Case
Denial of service causing network connectivity loss and service disruption until system is rebooted or packets are filtered.
If Mitigated
Minimal impact if proper lo0 firewall filters are implemented to block or limit the specific packets triggering the resource exhaustion.
🎯 Exploit Status
Attack requires sending high volumes of specific valid packets but doesn't require authentication or special privileges. The exact packet types are not publicly disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.4R3-S7-EVO, 21.4R3-S5-EVO, 22.1R3-S2-EVO, 22.2R3-EVO, 22.3R2-EVO, 22.4R2-EVO and later versions
Vendor Advisory: https://supportportal.juniper.net/JSA75745
Restart Required: Yes
Instructions:
1. Check current version with 'show version'.
2. Download the appropriate fixed version from the Juniper support portal.
3. Follow Juniper upgrade procedures for Junos OS Evolved.
4. Reboot the system after the upgrade completes.
🔧 Temporary Workarounds
Implement lo0 Firewall Filter
1. Design a firewall filter for the loopback interface (lo0) that blocks or rate-limits the specific packets that trigger the resource exhaustion, while still permitting legitimate control-plane traffic.
2. Configure the firewall filter for the lo0 interface per Juniper documentation.
3. Apply the filter to lo0 with 'set interfaces lo0 unit 0 family inet filter input FILTER_NAME'.
🧯 If You Can't Patch
- Implement strict lo0 firewall filtering to block or rate-limit suspicious traffic
- Implement network segmentation and access controls to limit who can send traffic to routing engine interfaces
🔍 How to Verify
Check if Vulnerable:
Check current Junos OS Evolved version with 'show version' command and compare against affected version ranges
Check Version:
show version
Verify Fix Applied:
Verify version is patched with 'show version' and check for absence of 'nf_conntrack: table full, dropping packet' kernel messages
📡 Detection & Monitoring
Log Indicators:
- kernel: nf_conntrack: nf_conntrack: table full, dropping packet
- Increased packet drop rates on lo0 interface
- Routing engine connectivity loss messages
Network Indicators:
- Unusual high-rate traffic to routing engine interfaces
- Sudden loss of routing protocol adjacencies
- Increased packet drops on management interfaces
SIEM Query:
source="junos" AND "kernel" AND ("nf_conntrack: table full" OR "dropping packet")
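Detection logic for the log indicator above, as an added example that is not from the advisory: it parses constructed syslog lines (the timestamp and hostname layout are assumptions) and flags a host that logs repeated conntrack table-full messages within a short window, the burst pattern described in the TL;DR, rather than an isolated drop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog layout assumed for this example; the kernel message text is the indicator from the advisory.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Newer kernels prefix the message with the module name twice; accept both forms.
CONNTRACK_FULL = re.compile(r"nf_conntrack: (?:nf_conntrack: )?table full, dropping packet")

# Constructed sample log: rtr1 shows a burst (likely exhaustion), rtr2 two isolated drops.
SAMPLE_LOG = """\
Jan 12 10:00:01 re0-rtr1 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 12 10:00:02 re0-rtr1 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 12 10:00:05 re0-rtr1 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 12 10:00:07 re0-rtr2 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 12 10:03:30 re0-rtr2 kernel: nf_conntrack: nf_conntrack: table full, dropping packet
Jan 12 10:00:09 re0-rtr1 sshd[1234]: Accepted publickey for admin from 192.0.2.10
""".splitlines()

def parse_line(line, year=2024):
    """Return (timestamp, host, kernel message) or None for non-kernel lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]

def find_conntrack_exhaustion(lines, threshold=3, window=timedelta(seconds=60)):
    """Map host -> time of first alert, for hosts that log at least `threshold`
    table-full messages inside any `window`-long interval (sliding window)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and CONNTRACK_FULL.search(parsed[2]):
            events[parsed[1]].append(parsed[0])
    alerts = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = t
                break
    return alerts
```

A single table-full message can be benign under normal load; the window and threshold are the knobs to tune against a device's baseline before wiring this into an alert.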