CVE-2024-39513
📋 TL;DR
A local denial-of-service vulnerability (improper input validation in the CLI) in Juniper Junos OS Evolved lets an authenticated, low-privileged user crash the Packet Forwarding Engine (PFE) by running a specific 'clear' command; the PFE restarts, and all traffic through the affected FPC is dropped while it does. Running the command repeatedly sustains the outage. This is not a privilege escalation: the attacker never gains higher privileges, only the ability to take the forwarding plane down. Multiple Junos OS Evolved release trains are affected (see the fixed-version list below); the exact command is not identified here.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
📦 What is this software?
Junos OS Evolved is Juniper's Linux-based network operating system used on platforms such as the PTX10000 series routers. Packet forwarding runs on the Packet Forwarding Engine (PFE) of each FPC (line card), managed on Junos OS Evolved by the evo-aftmand process; a PFE crash and restart therefore drops every packet traversing that FPC until it comes back.
⚠️ Risk & Real-World Impact
Worst Case
Sustained network outage affecting all traffic through affected FPCs, requiring manual intervention to restore service.
Likely Case
Temporary traffic disruption during PFE restart, with potential for repeated attacks causing extended downtime.
If Mitigated
Limited impact if proper access controls prevent low-privileged users from executing the vulnerable command.
🎯 Exploit Status
Exploitation requires an authenticated CLI session on the device; a low-privileged login class is sufficient, so no privilege escalation or authentication bypass is needed. The attacker also has to know which 'clear' command triggers the crash, which is not identified here. The exposure is therefore limited to whoever can log in to the device's CLI, but any such account, including read-only operator or NOC accounts, can cause a forwarding outage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.4R3-S9-EVO, 21.2R3-S7-EVO, 21.3R3-S5-EVO, 21.4R3-S6-EVO, 22.1R3-S4-EVO, 22.2R3-S3-EVO, 22.3R3-S3-EVO, 22.4R3-EVO, 23.2R2-EVO and later
Vendor Advisory: https://supportportal.juniper.net/JSA82978
Restart Required: Yes
Instructions:
1. Run 'show version' on each Junos OS Evolved device and compare the reported release against the fixed versions above (any release in a listed train older than that train's fix, and any release before 20.4R3-S9-EVO, is affected).
2. Download the appropriate fixed version for each platform from the Juniper support portal.
3. Schedule a maintenance window: the upgrade reboots the device, and on a vulnerable device the outage window is the same one an attacker could cause at will.
4. Install the update using the standard Junos OS Evolved upgrade procedure ('request system software add').
5. Reboot the device to activate the new version, then confirm with 'show version' that it reports the fixed release.
🔧 Temporary Workarounds
Restrict command execution
Limit access to 'clear' commands for low-privileged login classes using Junos role-based access control (the deny-commands statement takes an extended regular expression matched against the operational-mode command). Because the triggering command is not named, the practical form is to replace <specific-command> with a pattern that matches every clear command for classes that do not need them:
set system login class <class-name> deny-commands "clear <specific-command>"
commit
After the commit, log in as a member of the class and confirm that clear commands are rejected, and make sure operators who legitimately need them are in a different class. This reduces exposure but does not remove the bug: any account that can still run the command can still crash the PFE.
🧯 If You Can't Patch
- Implement strict RBAC to prevent low-privileged users from executing any 'clear' commands
- Monitor for PFE crashes and evo-aftmand process restarts in system logs
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and compare the reported Junos Evolved release against the fixed versions above: a release in a listed train that is older than that train's fix, or any release before 20.4R3-S9-EVO, is vulnerable. A running evo-aftmand process only confirms the device is Junos OS Evolved; it says nothing about whether the fix is installed.
Check Version:
show version
Verify Fix Applied:
After patching, verify that 'show version' reports a release at or above the fixed version for that train. Only in a lab, never on a production device, run the specific 'clear' command to confirm the PFE no longer crashes; on an unpatched device this test is itself the outage.
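The version comparison above is easy to get wrong by hand (a service release such as 22.2R3-S2-EVO sorts before 22.2R3-S3-EVO, and 22.4R2-S2-EVO sorts before 22.4R3-EVO). The following Python, added here as an example and not part of the vendor advisory or this page's original content, parses Junos OS Evolved release strings into comparable tuples and classifies them against the fixed-version list above. The 'show version' output is a constructed sample, and the rule that trains newer than 23.2 are "not-affected" while unlisted trains in between are "unknown" is this example's reading of the advisory's version list.

```python
import re
from typing import Optional, Tuple

# Fixed releases per release train, from the fixed-version list on this page (JSA82978).
FIXED_BY_TRAIN = {
    (20, 4): "20.4R3-S9-EVO",
    (21, 2): "21.2R3-S7-EVO",
    (21, 3): "21.3R3-S5-EVO",
    (21, 4): "21.4R3-S6-EVO",
    (22, 1): "22.1R3-S4-EVO",
    (22, 2): "22.2R3-S3-EVO",
    (22, 3): "22.3R3-S3-EVO",
    (22, 4): "22.4R3-EVO",
    (23, 2): "23.2R2-EVO",
}
OLDEST_FIXED_TRAIN = min(FIXED_BY_TRAIN)   # "all versions before 20.4R3-S9-EVO" are affected
NEWEST_LISTED_TRAIN = max(FIXED_BY_TRAIN)  # trains newer than this are not listed as affected

# Junos Evolved release string: <major>.<minor>R<r>[-S<s>][.<build>]-EVO
_EVO_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?-EVO$")


def parse_evo_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn '22.2R3-S2-EVO' into a comparable tuple (22, 2, 3, 2, 0)."""
    m = _EVO_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Junos OS Evolved release string: {version!r}")
    major, minor, r, s, build = m.groups()
    return (int(major), int(minor), int(r), int(s or 0), int(build or 0))


def assess(version: str) -> str:
    """Classify a release as 'vulnerable', 'fixed', 'not-affected' or 'unknown'."""
    v = parse_evo_version(version)
    train = v[:2]
    if train < OLDEST_FIXED_TRAIN:
        return "vulnerable"            # every release before 20.4R3-S9-EVO
    if train in FIXED_BY_TRAIN:
        return "vulnerable" if v < parse_evo_version(FIXED_BY_TRAIN[train]) else "fixed"
    if train > NEWEST_LISTED_TRAIN:
        return "not-affected"          # newer than any train the advisory lists
    return "unknown"                   # in-between train not named; check the advisory by hand


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the release out of 'show version' output (the 'Junos: ...' line)."""
    for line in output.splitlines():
        if line.strip().startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    return None


# Constructed sample of Junos OS Evolved 'show version' output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Hostname: ptx-edge-1
Model: ptx10008
Junos: 22.2R3-S2-EVO
"""

if __name__ == "__main__":
    rel = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(rel, "->", assess(rel))   # 22.2R3-S2-EVO -> vulnerable
```

Feed it the 'show version' output collected from each device (for example via NETCONF or a jump host) and triage the "unknown" results manually rather than treating them as safe.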
📡 Detection & Monitoring
Log Indicators:
- PFE crash logs
- evo-aftmand process restart messages
- Unexpected traffic drops through FPCs
Network Indicators:
- Sudden traffic loss through specific FPCs
- Increased packet loss on interfaces
SIEM Query (Splunk-style sketch; adjust field names to your index):
source="junos" AND (("evo-aftmand" AND ("crash" OR "core" OR "restart")) OR ("UI_CMDLINE_READ_LINE" AND "clear"))
Junos logs every CLI command through mgd as UI_CMDLINE_READ_LINE with the user name and the command text. Narrow the second clause to users outside your privileged login classes, and raise the severity when a clear command is followed within seconds by an evo-aftmand restart on the same host, or when restarts recur.