CVE-2024-39531
📋 TL;DR
An improper handling of values vulnerability in Juniper's Packet Forwarding Engine allows unauthenticated network attackers to cause denial-of-service. When DDoS bandwidth/burst parameters are configured for one protocol, all protocols sharing the same queue inherit those values, potentially making control plane traffic vulnerable to volumetric attacks. This affects Junos OS Evolved on ACX 7000 Series routers.
💻 Affected Systems
- Juniper Networks ACX 7000 Series routers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete control plane disruption through volumetric DoS attacks, rendering the router inoperable and causing network-wide outages.
Likely Case
Degraded routing protocol performance leading to network instability, packet loss, and intermittent connectivity issues.
If Mitigated
Limited impact if proper traffic segmentation and monitoring are in place, though configuration errors could still cause issues.
🎯 Exploit Status
Exploitation requires knowledge of which protocols share queues and their configured bandwidth limits. Attackers can probe for vulnerable configurations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.4R3-S7-EVO, 22.1R3-S6-EVO, 22.2R3-S3-EVO, 22.3R3-S3-EVO, 22.4R3-S2-EVO, 23.2R2-EVO, 23.4R1-S1-EVO, 23.4R2-EVO
Vendor Advisory: https://supportportal.juniper.net/JSA82991
Restart Required: Yes
Instructions:
1. Download the appropriate patched version from the Juniper support portal.
2. Back up the current configuration.
3. Install the update via the CLI or J-Web interface.
4. Reboot the device to apply the changes.
5. Verify the version and configuration.
🔧 Temporary Workarounds
Remove DDoS bandwidth configurations
Temporarily remove DDoS bandwidth and burst parameter configurations from all protocols to eliminate the vulnerability.
delete class-of-service traffic-control-profiles <profile-name> shaping-rate
delete class-of-service traffic-control-profiles <profile-name> burst-size
Isolate protocol queues
Configure separate queues for different protocols to prevent cross-protocol bandwidth inheritance.
set class-of-service forwarding-classes queue <queue-number> protocol <protocol-name>
set class-of-service traffic-control-profiles <profile-name> forwarding-class <class-name>
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to ACX 7000 management interfaces
- Deploy DDoS protection appliances upstream to filter malicious traffic before it reaches vulnerable routers
🔍 How to Verify
Check if Vulnerable:
Check if DDoS bandwidth/burst parameters are configured for any protocol: 'show configuration class-of-service traffic-control-profiles | display set' and look for shaping-rate or burst-size settings.
Check Version:
show version | match Junos
Verify Fix Applied:
Verify the running version is patched: run 'show version' and compare the result against the fixed versions listed above. Also verify that DDoS configurations are properly isolated.
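The two verification steps above can be scripted against saved CLI output. The following is an added example, not Juniper's code or tooling: it parses the text returned by the page's own 'show version' and 'show configuration class-of-service traffic-control-profiles | display set' commands, compares the running Junos OS Evolved version against the fixed releases listed in the Official Fix section, and lists which traffic-control profiles carry shaping-rate or burst-size settings. The sample CLI output is constructed for the example and assumes 'show version' prints a line beginning with "Junos:"; the rule for release trains that are not in the fix list (newer than every listed train is treated as fixed, older is flagged for manual review) is this example's assumption, not the advisory's.

```python
"""Offline checks for the CVE-2024-39531 verification steps (added example)."""
import re

# Fixed releases exactly as listed in the page's "Official Fix" section.
FIXED_VERSIONS = [
    "21.4R3-S7-EVO", "22.1R3-S6-EVO", "22.2R3-S3-EVO", "22.3R3-S3-EVO",
    "22.4R3-S2-EVO", "23.2R2-EVO", "23.4R1-S1-EVO", "23.4R2-EVO",
]

# major.minor R release [-S service] [-EVO]
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:-EVO)?$")

# Only shaping-rate / burst-size lines matter for this page's check.
_TCP_RE = re.compile(
    r"^set class-of-service traffic-control-profiles (\S+) "
    r"(shaping-rate|burst-size) (\S+)$"
)


def parse_version(text):
    """'22.2R3-S3-EVO' -> (22, 2, 3, 3); a release with no -S part gets S=0.

    Tuple comparison then follows Junos ordering (R4 > R3-S7, R3-S3 > R3).
    Returns None for strings that are not Junos-style version numbers.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor), int(rel), int(svc or 0))


def fixed_for_train(version):
    """Lowest listed fixed release in the same major.minor train, or None."""
    same_train = [parse_version(f) for f in FIXED_VERSIONS
                  if parse_version(f)[:2] == version[:2]]
    return min(same_train) if same_train else None


def version_status(running):
    """Return 'fixed', 'vulnerable' or 'unlisted-train' for a version string.

    Assumption of this example (not stated by the advisory): a train newer
    than every listed train carries the fix; a train older than the oldest
    listed one is reported as 'unlisted-train' for manual review.
    """
    ver = parse_version(running)
    if ver is None:
        raise ValueError(f"unrecognised Junos version string: {running!r}")
    fixed = fixed_for_train(ver)
    if fixed is not None:
        return "fixed" if ver >= fixed else "vulnerable"
    newest_train = max(parse_version(f)[:2] for f in FIXED_VERSIONS)
    return "fixed" if ver[:2] > newest_train else "unlisted-train"


def running_version(show_version_output):
    """Pull the version from the 'Junos: <version>' line of 'show version'."""
    m = re.search(r"^Junos:\s*(\S+)", show_version_output, re.MULTILINE)
    return m.group(1) if m else None


def profiles_with_limits(display_set_output):
    """Map profile name -> {setting: value} for shaping-rate / burst-size."""
    found = {}
    for line in display_set_output.splitlines():
        m = _TCP_RE.match(line.strip())
        if m:
            profile, setting, value = m.groups()
            found.setdefault(profile, {})[setting] = value
    return found


def assess(show_version_output, display_set_output):
    """Combine both checks into one report dictionary."""
    ver = running_version(show_version_output)
    return {
        "version": ver,
        "version_status": version_status(ver) if ver else "unknown",
        "profiles_with_limits": profiles_with_limits(display_set_output),
    }


# Constructed sample CLI output (not captured from a real device).
SAMPLE_SHOW_VERSION = """\
Hostname: acx-lab-1
Model: acx7100-48l
Junos: 22.2R3-S2-EVO
"""

SAMPLE_DISPLAY_SET = """\
set class-of-service traffic-control-profiles cp-shaper shaping-rate 10m
set class-of-service traffic-control-profiles cp-shaper burst-size 100k
set class-of-service traffic-control-profiles data-shaper scheduler-map sm1
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_DISPLAY_SET))
```

For the constructed sample the report classifies 22.2R3-S2-EVO as vulnerable (the fixed release for the 22.2 train is 22.2R3-S3-EVO) and names cp-shaper as the only profile carrying the settings the verification step asks you to look for; data-shaper has neither and is omitted.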
📡 Detection & Monitoring
Log Indicators:
- Increased control plane protocol errors (OSPF/ISIS adjacency flaps)
- High CPU utilization on PFE
- Traffic shaping/dropping alerts in system logs
Network Indicators:
- Unusual traffic patterns targeting control plane protocols
- Increased packet loss on routing protocols
- Protocol timeouts and retransmissions
SIEM Query:
source="junos" AND ("PFE" OR "control-plane") AND ("error" OR "drop" OR "flap") AND ("OSPF" OR "ISIS" OR "BGP")