CVE-2024-47489
📋 TL;DR
An unauthenticated attacker can send specific transit protocol traffic to Juniper ACX Series devices running vulnerable Junos OS Evolved versions, causing DDoS protection queue exhaustion. This leads to protocol flaps and partial denial of service affecting downstream devices. The vulnerability affects both IPv4 and IPv6 traffic and doesn't require any specific routing protocol configuration.
💻 Affected Systems
- Juniper Networks Junos OS Evolved on ACX Series devices
📦 What is this software?
Junos OS Evolved is Juniper's Linux-kernel-based network operating system; its release strings carry an -EVO suffix, which distinguishes it from classic Junos OS. The ACX Series are access and aggregation routers. The DDoS protection feature in the packet forwarding engine polices traffic punted to the routing engine (host path) with per-protocol policers and queues so that a flood of one protocol cannot starve the control plane; this vulnerability lets transit traffic exhaust one of those queues.
⚠️ Risk & Real-World Impact
Worst Case
Sustained attack causes complete protocol disruption, affecting connectivity to multiple downstream networking devices and potentially cascading network outages.
Likely Case
Partial denial of service with protocol flaps, intermittent connectivity issues, and degraded network performance for downstream devices.
If Mitigated
With proper monitoring and rate limiting, impact is limited to temporary protocol flaps with minimal service disruption.
🎯 Exploit Status
The attack requires sending specific transit protocol packets through the device; the exact traffic pattern is not publicly disclosed. It is network-based and requires no authentication, so any source that can forward traffic through a vulnerable ACX router is a potential attacker.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.4R3-S8-EVO, 22.2R3-S4-EVO, 22.3R3-S4-EVO, 22.4R3-S3-EVO, 23.2R2-EVO, 23.4R1-S1-EVO, 24.2R2-EVO or later
Vendor Advisory: https://supportportal.juniper.net/
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the appropriate fixed version from the Juniper support portal.
3. Follow the Juniper upgrade procedures for Junos OS Evolved.
4. Reboot the device after the upgrade.
🔧 Temporary Workarounds
Monitor DDoS Protection Queues
Regularly check the DDoS protection queue and host-path policer counters so that an attack is noticed before adjacencies start flapping; a rising drop or violation count for a single protocol or exception is the indicator to watch:
labuser@re0> show evo-pfemand host pkt-stats
labuser@re0> show host-path ddos all-policers
🧯 If You Can't Patch
- Implement network segmentation to isolate ACX Series devices from untrusted networks
- Deploy rate limiting and traffic filtering at the network edge; because the triggering traffic is not publicly specified, baseline the per-protocol host-path policer counters and tighten only the policers that show violations rather than guessing at a filter
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and compare the release against the fixed version for its train. A device is vulnerable if it is an ACX Series platform running Junos OS Evolved (release string ends in -EVO) on a release earlier than the fixed release listed for that train. Classic Junos OS (no -EVO suffix) and non-ACX platforms are outside this advisory.
Check Version:
show version
Verify Fix Applied:
After patching, verify version is updated to fixed version with 'show version'. Monitor DDoS queues for abnormal activity.
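The version comparison above is easy to get wrong by hand (a service release such as 22.4R3-S3 sorts after 22.4R3-S2 but before 22.4R4). The following script is an added example, not Juniper tooling: it copies the fixed releases listed on this page into a table, parses the Junos release syntax <major>.<minor>R<release>[-S<service>]-EVO, and classifies a `show version` capture. The 'Model:' and 'Junos:' line names and the sample output are assumptions about the Evolved CLI format, so adjust them to what your devices print; trains not listed on this page are reported as unlisted rather than guessed at.

```python
"""Version check for CVE-2024-47489 (Junos OS Evolved on ACX Series).

Added example, not Juniper tooling. Fixed releases per train are copied from
the fix list on this page; the `show version` sample is constructed and the
'Model:' / 'Junos:' line names are an assumption about the Evolved CLI output.
"""
import re

# train -> first fixed release on that train (from the fix list on this page)
FIXED_RELEASES = {
    "21.4": "21.4R3-S8-EVO",
    "22.2": "22.2R3-S4-EVO",
    "22.3": "22.3R3-S4-EVO",
    "22.4": "22.4R3-S3-EVO",
    "23.2": "23.2R2-EVO",
    "23.4": "23.4R1-S1-EVO",
    "24.2": "24.2R2-EVO",
}

# <major>.<minor>R<release>[-S<service>][-EVO]; -EVO marks Junos OS Evolved
VERSION_RE = re.compile(
    r"^(?P<train>\d+\.\d+)R(?P<rel>\d+)(?:-S(?P<svc>\d+))?(?P<evo>-EVO)?$"
)


def parse_version(version):
    """Return (train, (release, service), is_evolved); raise on unknown syntax."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {version!r}")
    svc = int(m.group("svc")) if m.group("svc") else 0
    return m.group("train"), (int(m.group("rel")), svc), m.group("evo") is not None


def version_status(version):
    """Classify one version string against the fixed releases."""
    train, key, evolved = parse_version(version)
    if not evolved:
        return "not_evolved"        # classic Junos OS is not covered by this advisory
    if train not in FIXED_RELEASES:
        return "unlisted_train"     # not on this page: consult the vendor advisory
    _, fixed_key, _ = parse_version(FIXED_RELEASES[train])
    return "fixed" if key >= fixed_key else "vulnerable"


def assess_show_version(output):
    """Pull model and version out of `show version` text and classify the box.

    Assumes (not verified against every release) that the output contains
    'Model: <name>' and 'Junos: <version>' lines.
    """
    model = re.search(r"^Model:\s*(\S+)", output, re.MULTILINE)
    junos = re.search(r"^Junos:\s*(\S+)", output, re.MULTILINE)
    if not model or not junos:
        raise ValueError("could not find Model:/Junos: lines in show version output")
    result = {"model": model.group(1), "version": junos.group(1)}
    if not result["model"].lower().startswith("acx"):
        result["status"] = "not_acx_series"   # advisory is limited to ACX Series
    else:
        result["status"] = version_status(result["version"])
    return result


# Constructed sample, not captured from a real device.
SAMPLE_SHOW_VERSION = """\
Hostname: acx-edge-1
Model: acx7024
Junos: 22.4R3-S2-EVO
"""

if __name__ == "__main__":
    print(assess_show_version(SAMPLE_SHOW_VERSION))
```

Feed it the saved output of 'show version' from each ACX device; "unlisted_train" means the page's table does not cover that train and the vendor advisory has to be read directly.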
📡 Detection & Monitoring
Log Indicators:
- DDoS protection violations in system logs
- Protocol flaps and routing instability events
- High packet drop rates in pfe statistics
Network Indicators:
- Unusual transit protocol traffic spikes
- Increased protocol adjacency changes
- Connectivity issues to downstream devices
SIEM Query:
Search for 'DDoS protection violation' OR 'protocol flap' OR 'pfe queue full' in Juniper device logs
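A keyword search will surface every DDoS violation on the network, most of which are benign. What distinguishes this issue is the sequence: a host-path policer violation followed within seconds by an adjacency dropping out of Established. The script below is an added example, not from the vendor advisory or Juniper, that parses syslog lines and flags only that pattern. The sample lines are constructed and modelled on the DDOS_PROTOCOL_VIOLATION_SET/CLEAR and RPD_BGP_NEIGHBOR_STATE_CHANGED messages; the exact wording varies between releases and the syslog year is assumed, so validate the regexes against logs from your own devices before relying on them.

```python
"""Correlate Junos DDoS-protection violations with routing adjacency changes.

Added example, not from the vendor advisory or Juniper. Sample lines are
constructed and modelled on the DDOS_PROTOCOL_VIOLATION_SET/CLEAR and
RPD_BGP_NEIGHBOR_STATE_CHANGED syslog messages; check the regexes against
your own logs, since wording differs between releases.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real device output).
SAMPLE_LOG = """\
Oct  3 10:15:01 acx1 jddosd[2107]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception ARP:aggregate exceeded its allowed bandwidth at fpc 0 for 1 times, started at 2024-10-03 10:15:01 UTC
Oct  3 10:15:04 acx1 rpd[1841]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 64496) changed state from Established to Idle (event HoldTime)
Oct  3 10:15:20 acx1 jddosd[2107]: DDOS_PROTOCOL_VIOLATION_CLEAR: INFO: Host-bound traffic for protocol/exception ARP:aggregate has returned to normal. Its allowed bandwidth was exceeded at fpc 0 for 1 times, from 2024-10-03 10:15:01 UTC to 2024-10-03 10:15:20 UTC
Oct  3 11:40:00 acx1 jddosd[2107]: DDOS_PROTOCOL_VIOLATION_SET: Warning: Host-bound traffic for protocol/exception PIM:aggregate exceeded its allowed bandwidth at fpc 1 for 3 times, started at 2024-10-03 11:40:00 UTC
Oct  3 12:30:00 acx1 rpd[1841]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.9 (External AS 64500) changed state from Established to Idle (event RecvNotify)
"""

# classic syslog header: "Mon dd HH:MM:SS host proc[pid]: TAG: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[\d+\]: (?P<tag>[A-Z_]+): (?P<msg>.*)$"
)
DDOS_RE = re.compile(
    r"protocol/exception\s+(?P<proto>\S+) .*?at fpc (?P<fpc>\d+) for (?P<count>\d+) times"
)
BGP_RE = re.compile(r"BGP peer (?P<peer>\S+) .*?changed state from (?P<old>\w+) to (?P<new>\w+)")

LOG_YEAR = 2024  # classic syslog headers carry no year; assumed for the sample


def parse_log(text, year=LOG_YEAR):
    """Turn raw syslog lines into typed event dicts, in file order."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a Junos syslog line this parser understands
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        tag, msg = m["tag"], m["msg"]
        if tag in ("DDOS_PROTOCOL_VIOLATION_SET", "DDOS_PROTOCOL_VIOLATION_CLEAR"):
            d = DDOS_RE.search(msg)
            if d:
                events.append({"ts": ts, "host": m["host"],
                               "kind": "ddos_set" if tag.endswith("SET") else "ddos_clear",
                               "protocol": d["proto"], "fpc": int(d["fpc"]),
                               "count": int(d["count"])})
        elif tag == "RPD_BGP_NEIGHBOR_STATE_CHANGED":
            b = BGP_RE.search(msg)
            if b and b["old"] == "Established":  # leaving Established is a flap
                events.append({"ts": ts, "host": m["host"], "kind": "adjacency",
                               "peer": b["peer"], "new_state": b["new"]})
    return events


def violations_by_policer(events):
    """Highest reported violation count per (protocol, fpc), from SET events."""
    worst = {}
    for e in events:
        if e["kind"] == "ddos_set":
            k = (e["protocol"], e["fpc"])
            worst[k] = max(worst.get(k, 0), e["count"])
    return worst


def correlate(events, window=timedelta(seconds=30)):
    """Flag adjacency flaps that follow a DDoS violation on the same host within `window`.

    A flap shortly after a host-path policer violation is the symptom pattern
    described for this CVE; a flap with no nearby violation is left alone.
    """
    alerts = []
    sets = [e for e in events if e["kind"] == "ddos_set"]
    for flap in (e for e in events if e["kind"] == "adjacency"):
        for s in sets:
            delta = flap["ts"] - s["ts"]
            if s["host"] == flap["host"] and timedelta(0) <= delta <= window:
                alerts.append({"time": flap["ts"], "host": flap["host"], "peer": flap["peer"],
                               "protocol": s["protocol"], "fpc": s["fpc"],
                               "seconds_after_violation": int(delta.total_seconds())})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(violations_by_policer(evs))
    for alert in correlate(evs):
        print(alert)
```

On the constructed sample the first BGP flap (3 seconds after the ARP:aggregate violation on fpc 0) is flagged, while the flap 50 minutes after the PIM violation is not. The window is deliberately short: widen it only if your baseline shows that adjacency timers on the affected routers are longer.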