CVE-2024-47495
📋 TL;DR
An authorization bypass vulnerability in Juniper Junos OS Evolved allows locally authenticated attackers with shell access to gain full device control when Dual Routing Engines are configured. This affects Juniper Networks Junos OS Evolved devices with dual-REs across multiple versions. The vulnerability does not affect standard Junos OS.
💻 Affected Systems
- Juniper Networks Junos OS Evolved
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local shell access can bypass authorization controls and gain full administrative control of the device, potentially compromising network infrastructure and data.
Likely Case
Malicious insiders or attackers who have gained initial foothold through other means can escalate privileges to take complete control of affected Juniper devices.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized users who would need to bypass additional security layers.
🎯 Exploit Status
Requires local shell access and dual-RE configuration. The vulnerability is an authorization bypass through user-controlled key.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.2R3-S8-EVO, 21.4R3-S8-EVO, 22.2R3-S4-EVO, 22.3R3-S4-EVO, 22.4R3-S3-EVO, 23.2R2-S1-EVO, 23.4R2-S1-EVO or later
Vendor Advisory: https://kb.juniper.net/JSA88122
Restart Required: Yes
Instructions:
1. Check current version with 'show version'. 2. Download appropriate patch from Juniper support. 3. Apply patch following Juniper upgrade procedures. 4. Reboot device to complete installation.
🔧 Temporary Workarounds
Disable Dual RE Configuration
allRemove dual routing engine configuration if not required for redundancy
configure
delete chassis redundancy
commit
Restrict Shell Access
allLimit shell access to only trusted administrators
configure
set system login user [username] class super-user
commit
🧯 If You Can't Patch
- Implement strict access controls to limit who has shell access to devices
- Monitor for unusual administrative activity and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check if device has dual-RE configuration with 'show chassis hardware' and verify version is in affected range with 'show version'Check Version:
show versionVerify Fix Applied:
Verify version is patched with 'show version' and check that authorization controls are functioning properly📡 Detection & Monitoring
Log Indicators:
- Unauthorized privilege escalation attempts
- Unexpected administrative access from non-privileged users
- Changes to authorization configurations
Network Indicators:
- Unexpected administrative connections to devices
- Changes in routing behavior without authorization
SIEM Query:
source="juniper-firewall" AND (event_type="privilege_escalation" OR user="*" AND action="admin_access")