CVE-2024-39559
📋 TL;DR
This vulnerability allows an unauthenticated, network-based attacker to crash Juniper Junos OS Evolved devices by sending a specific TCP packet over an established TCP session that has MD5 authentication enabled. It affects only dual Routing Engine (RE) systems with Nonstop Active Routing (NSR) enabled, and exploitation requires precise timing because the flaw is a race condition.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial of service causing device crashes (vmcore) and network disruption for affected systems.
Likely Case
Intermittent device crashes affecting availability of services running on vulnerable Juniper devices.
If Mitigated
No impact if systems are patched or don't meet specific configuration requirements (dual RE with NSR and MD5 authentication).
🎯 Exploit Status
Exploitation requires precise timing (race condition) and specific configuration (MD5 authentication on TCP sessions). Attacker does not need authentication but must have network access to affected ports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.2R3-S8-EVO, 21.4R3-S6-EVO, 22.1R3-S4-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R2-S2-EVO, or later versions
Vendor Advisory: https://supportportal.juniper.net/JSA83019
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate patch from Juniper support.
3. Apply the patch following Juniper upgrade procedures.
4. Reboot the device to complete installation.
🔧 Temporary Workarounds
Disable MD5 authentication on TCP sessions
Remove MD5 authentication from BGP and other TCP sessions to prevent exploitation. For BGP, the MD5 key is configured with the authentication-key statement, so deleting it removes MD5 authentication from that group:
configure
delete protocols bgp group <group-name> authentication-key
commit
Disable Nonstop Active Routing (NSR)
Turn off NSR on dual RE systems to remove the vulnerable condition. NSR is enabled by the nonstop-routing statement under routing-options, so delete that statement (graceful-switchover under chassis redundancy is the separate GRES feature that NSR depends on):
configure
delete routing-options nonstop-routing
commit
🧯 If You Can't Patch
- Implement workarounds to disable MD5 authentication on TCP sessions
- Apply network controls to restrict access to TCP ports with MD5 authentication
🔍 How to Verify
Check if Vulnerable:
Check if system is dual RE with NSR enabled and running affected Junos OS Evolved version with MD5 authentication on TCP sessions.
Check Version:
show version
Verify Fix Applied:
Verify that the running version is one of the patched releases listed above or later on the same release train, and, if a workaround was applied instead, check that MD5 authentication has been removed from the TCP sessions or that NSR is disabled.
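The following Python is an added example, not part of the advisory or of any Juniper tooling: it parses a Junos OS Evolved version string, compares it against the fixed builds listed above on the same release train, and pulls the version out of 'show version' output. It assumes the 'Junos: <version>' line format of Junos OS Evolved 'show version' output and treats release trains not listed above as unknown (consult the vendor advisory for those).

```python
import re
from typing import Optional, Tuple

# First fixed build per release train, as listed in the advisory summary above.
FIXED_EVO = [
    "21.2R3-S8-EVO", "21.4R3-S6-EVO", "22.1R3-S4-EVO",
    "22.2R3-S4-EVO", "22.3R3-S3-EVO", "22.4R2-S2-EVO",
]

# major.minor R release [-S service[.point]] -EVO, e.g. 21.4R3-S6.2-EVO
_VER_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+)(?:\.(\d+))?)?-EVO$")


def parse_evo(version: str) -> Tuple[Tuple[int, int], Tuple[int, int, int]]:
    """Split a Junos OS Evolved version into (train, build) tuples for comparison."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Junos OS Evolved version string: {version!r}")
    major, minor, rel, svc, point = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0), int(point or 0))


def fixed_status(version: str) -> str:
    """Return 'fixed', 'vulnerable', 'unknown' (train not listed) or 'not-evolved'."""
    version = version.strip()
    if not version.endswith("-EVO"):
        return "not-evolved"  # classic Junos OS is not affected by this CVE
    train, build = parse_evo(version)
    for fixed in FIXED_EVO:
        f_train, f_build = parse_evo(fixed)
        if f_train == train:
            # Same train: any build at or after the first fixed build is fixed.
            return "fixed" if build >= f_build else "vulnerable"
    return "unknown"


def version_from_show(output: str) -> Optional[str]:
    """Extract the version from the 'Junos: ...' line of 'show version' output (assumed format)."""
    for line in output.splitlines():
        if line.strip().startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    # Constructed sample output, not captured from a real device.
    sample = "Hostname: r1\nModel: ptx10001-36mr\nJunos: 22.3R3-S2-EVO\n"
    ver = version_from_show(sample)
    print(ver, fixed_status(ver))  # prints "22.3R3-S2-EVO vulnerable"
```

A result of 'fixed' only means the version is at or past the listed fixed build; the configuration checks above (dual RE, NSR, MD5 authentication) still decide whether a 'vulnerable' device is actually exposed.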
📡 Detection & Monitoring
Log Indicators:
- Device crashes (vmcore) logs
- BGP session disruptions with MD5 authentication
- NSR state change events
Network Indicators:
- Unusual TCP packets to ports with MD5 authentication
- BGP session resets on vulnerable devices
SIEM Query:
source="juniper-firewall" AND (event="crash" OR event="vmcore" OR (bgp_auth="md5" AND session_state="reset"))