CVE-2024-39538
📋 TL;DR
An unauthenticated adjacent attacker can cause a Denial-of-Service (DoS) on Juniper ACX7000 Series routers by sending specific multicast traffic that triggers a buffer overflow in the PFE management daemon. This crashes the evo-pfemand process, requiring manual recovery of the affected FPC. Only Junos OS Evolved on ACX7000 Series routers running vulnerable versions are affected.
💻 Affected Systems
- Juniper Networks ACX7000 Series routers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete outage of the affected FPC (Forwarding Plane Card) requiring manual intervention to restore functionality, potentially disrupting network services until recovery.
Likely Case
Local network attacker causes targeted DoS against ACX7000 routers, requiring manual reboot/recovery of affected FPCs.
If Mitigated
With proper network segmentation and access controls, risk is limited to authorized adjacent devices only.
🎯 Exploit Status
Exploitation requires sending specific multicast traffic patterns that trigger the buffer overflow.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.2R3-S8-EVO, 21.4R3-S7-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R3-S2-EVO, 23.2R2-EVO, 23.4R1-S2-EVO, or later versions
Vendor Advisory: https://supportportal.juniper.net/JSA82998
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate fixed version from Juniper support.
3. Follow the Juniper upgrade procedures for Junos OS Evolved.
4. Reboot the device after the upgrade.
🔧 Temporary Workarounds
Multicast Traffic Filtering
Block or filter multicast traffic from untrusted adjacent networks to prevent exploitation.
Configure ACLs or firewall rules to restrict multicast traffic from unauthorized sources
Network Segmentation
Isolate ACX7000 routers from untrusted adjacent networks to limit the attack surface.
Implement VLAN segmentation, private VLANs, or network access controls
🧯 If You Can't Patch
- Implement strict network segmentation to limit adjacent access to ACX7000 routers
- Deploy network monitoring to detect and alert on suspicious multicast traffic patterns
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and compare the running Junos OS Evolved release against the affected version ranges listed in the vendor advisory.
Check Version:
show version | match Junos
Verify Fix Applied:
After upgrade, verify version is at or above patched versions and monitor evo-pfemand process stability
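The version comparison above is easy to get wrong by hand because Junos OS Evolved releases carry a train (21.4), a release number (R3) and an optional service release (S7). The following script is an added example, not Juniper's tooling and not part of the advisory: it parses the release token out of 'show version' output and checks it against the fixed releases listed in this page, treating a release as fixed only when it is at or above the listed fix for the same train. The sample output is constructed, and the version-string format, the handling of an optional patch digit after the S number, and the decision to report trains absent from the fix list as "unknown" rather than fixed are assumptions of this example.

```python
import re

# Fixed releases as listed on this page (vendor advisory JSA82998).
FIXED_RELEASES = [
    "21.2R3-S8-EVO", "21.4R3-S7-EVO", "22.2R3-S4-EVO", "22.3R3-S3-EVO",
    "22.4R3-S2-EVO", "23.2R2-EVO", "23.4R1-S2-EVO",
]

# Assumed token shape: <major>.<minor>R<release>[-S<service>[.<patch>]]-EVO
VERSION_RE = re.compile(r"(\d+)\.(\d+)R(\d+)(?:-S(\d+)(?:\.(\d+))?)?-EVO")


def parse_version(text):
    """Return (train, (R, S, patch)) for the first EVO release token in text, or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, rel, svc, patch = m.groups()
    train = f"{major}.{minor}"
    # A missing service release or patch digit counts as 0 so tuples compare cleanly.
    return train, (int(rel), int(svc or 0), int(patch or 0))


# Index the fixed releases by train so a running release is compared within its own train.
FIXED_BY_TRAIN = dict(parse_version(s) for s in FIXED_RELEASES)


def assess(show_version_output):
    """Classify 'show version' output as fixed, vulnerable or unknown."""
    parsed = parse_version(show_version_output)
    if parsed is None:
        return "unknown", "no Junos OS Evolved release token found in output"
    train, running = parsed
    fixed = FIXED_BY_TRAIN.get(train)
    if fixed is None:
        # Not one of the listed fix trains: defer to the advisory rather than guess.
        return "unknown", f"train {train} is not among the listed fixed releases; consult JSA82998"
    if running >= fixed:
        return "fixed", f"train {train} release is at or above the listed fix"
    return "vulnerable", f"train {train} release is below the listed fix"


if __name__ == "__main__":
    # Constructed sample of 'show version' output; not captured from a real device.
    sample = "Hostname: acx-lab-1\nModel: acx7100-48l\nJunos: 22.4R3-S1-EVO\n"
    status, reason = assess(sample)
    print(f"{status}: {reason}")
```

The script only answers the question the page asks ("at or above the patched versions"); a train it does not know about is reported as unknown so that the "or later versions" clause is decided by reading the advisory, not by the script.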
📡 Detection & Monitoring
Log Indicators:
- evo-pfemand process crashes
- FPC outage alerts
- Multicast traffic spikes from adjacent sources
Network Indicators:
- Unusual multicast traffic patterns targeting ACX7000 routers
- Traffic with specific (S,G) parameters
SIEM Query:
Search for 'evo-pfemand crash' or 'FPC outage' in Juniper system logs
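As an added example of the log-indicator search described in this section (not a Juniper tool and not part of the advisory), the script below scans syslog lines for the two indicators named on this page, an evo-pfemand crash and an FPC outage, and returns the matching lines with a per-indicator count. The sample log lines are constructed, and the exact wording that a real Junos OS Evolved message uses for a process crash or FPC offline event is an assumption of this example; tune the patterns to the messages your devices actually emit.

```python
import re
from collections import Counter

# Indicators named on this page. The wording matched after the process or FPC name
# is an assumption of this example, not the exact Junos OS Evolved message text.
INDICATORS = {
    "evo-pfemand crash": re.compile(r"evo-pfemand.*\b(crash|core|exited|restart)", re.I),
    "FPC outage": re.compile(r"\bFPC\s*\d+\b.*\b(offline|outage|down|fail)", re.I),
}


def scan_log(lines):
    """Return (line_no, indicator, line) for every line matching an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, name, line.rstrip()))
    return hits


def summarize(hits):
    """Count matches per indicator so a repeated crash stands out from a single event."""
    return Counter(name for _, name, _ in hits)


# Constructed sample syslog lines; not captured from a real device.
SAMPLE_LOG = [
    "Jun 11 10:02:13 acx-lab-1 evo-pfemand[4121]: PFE manager started on FPC 0",
    "Jun 11 10:15:40 acx-lab-1 kernel: evo-pfemand[4121]: core dumped (signal 11)",
    "Jun 11 10:15:41 acx-lab-1 chassisd: FPC 0 is offline, manual recovery required",
    "Jun 11 10:16:02 acx-lab-1 sshd[512]: Accepted publickey for admin",
    "Jun 11 10:20:07 acx-lab-1 evo-pfemand[4380]: restart count 2 for FPC 0",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for n, name, line in hits:
        print(f"line {n:>3} [{name}] {line}")
    print(dict(summarize(hits)))
```

A single evo-pfemand restart can be benign, so the count per indicator is what an alert rule should key on: repeated crashes of the same process, or a crash followed shortly by an FPC-offline message, match the failure mode this advisory describes.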