CVE-2024-30407 – This vulnerability allows attackers to perform ... (How to Fix)

Q: What is the severity of CVE-2024-30407?

CVE-2024-30407 has a CVSS score of 8.1 (HIGH). This vulnerability allows attackers to perform undetectable Person-in-the-Middle attacks on SSH connections to Juniper containerized routing products due to hard-coded cryptographic keys. Attackers can intercept and manipulate SSH traffic, potentially leading to complete container compromise. This affects all versions of Juniper Cloud Native Router (JCNR) before 23.4 and containerized routing Protocol Daemon (cRPD) before 23.4R1.

📋 TL;DR

This vulnerability allows attackers to perform undetectable Person-in-the-Middle attacks on SSH connections to Juniper containerized routing products due to hard-coded cryptographic keys. Attackers can intercept and manipulate SSH traffic, potentially leading to complete container compromise. This affects all versions of Juniper Cloud Native Router (JCNR) before 23.4 and containerized routing Protocol Daemon (cRPD) before 23.4R1.

💻 Affected Systems

Products:

Juniper Cloud Native Router (JCNR)
containerized routing Protocol Daemon (cRPD)

Versions: All versions before 23.4 for JCNR, all versions before 23.4R1 for cRPD

Operating Systems: Containerized environments

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all deployments using default SSH host key configurations in these containerized products.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of containerized routing infrastructure, allowing attackers to intercept all SSH traffic, inject malicious commands, steal credentials, and pivot to other network segments.

🟠

Likely Case

Unauthorized access to container management interfaces, credential theft, and potential lateral movement within the container environment.

🟢

If Mitigated

Limited impact if SSH access is restricted through network segmentation and additional authentication controls, though the fundamental vulnerability remains.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires network access to intercept SSH traffic but uses well-understood PitM techniques once that access is achieved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: JCNR 23.4 and later, cRPD 23.4R1 and later

Vendor Advisory: https://supportportal.juniper.net/JSA79106

Restart Required: Yes

Instructions:

1. Download and install JCNR 23.4+ or cRPD 23.4R1+ from Juniper support portal. 2. Deploy updated container images. 3. Restart affected containers. 4. Verify SSH host keys are now unique per deployment.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict SSH access to container management interfaces using network controls

SSH Key Replacement

linux

Manually replace hard-coded SSH host keys with unique keys

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
systemctl restart sshd

🧯 If You Can't Patch

Implement strict network segmentation to isolate container management interfaces from untrusted networks
Deploy additional SSH authentication controls like certificate-based authentication or multi-factor authentication

🔍 How to Verify

Check if Vulnerable:

Check container version: For JCNR, verify version is below 23.4. For cRPD, verify version is below 23.4R1. Also check if SSH host keys match known hard-coded values.

Check Version:

docker inspect <container_name> | grep -i version

Verify Fix Applied:

Verify container version is JCNR 23.4+ or cRPD 23.4R1+. Confirm SSH host keys are unique by comparing with known hard-coded keys from advisory.

📡 Detection & Monitoring

Log Indicators:

Unexpected SSH connection attempts to container management interfaces
SSH host key mismatch warnings in client logs
Multiple failed SSH authentication attempts

Network Indicators:

Unusual SSH traffic patterns to container ports
SSH connections from unexpected source IPs
SSH protocol anomalies

SIEM Query:

source="ssh_logs" AND ("Host key verification failed" OR "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED") AND dest_ip IN (container_management_ips)

📊 Metadata

CVE ID: CVE-2024-30407

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-321

Published: April 12, 2024

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-30407, you might also want to check these: