Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available to users interested in this information. It is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on the information from the NVD (National Vulnerability Database); by virtue of a partnership agreement, INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim of supporting the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or newsletters, you can be informed daily about the latest vulnerabilities added to the repository. Below is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2025-52964

Publication date:
11/07/2025
A Reachable Assertion vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS).

When the device receives a specific BGP UPDATE packet, the rpd crashes and restarts. Continuous receipt of this specific packet will cause a sustained DoS condition.

For the issue to occur, BGP multipath with "pause-computation-during-churn" must be configured on the device, and the attacker must send the paths via a BGP UPDATE from an established BGP peer.

This issue affects:

Junos OS:
* All versions before 21.4R3-S7,
* from 22.3 before 22.3R3-S3,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2,
* from 23.4 before 23.4R2.

Junos OS Evolved:
* All versions before 21.4R3-S7-EVO,
* from 22.3 before 22.3R3-S3-EVO,
* from 22.4 before 22.4R3-S5-EVO,
* from 23.2 before 23.2R2-EVO,
* from 23.4 before 23.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52955

Publication date:
11/07/2025
An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause a memory corruption that leads to an rpd crash.

When the logical interface using a routing instance flaps continuously, specific updates are sent to the jflow/sflow modules. This results in memory corruption, leading to an rpd crash and restart.

Continued receipt of these specific updates will cause a sustained Denial of Service condition.

This issue affects Junos OS:
* All versions before 21.2R3-S9,
* All versions of 21.4,
* All versions of 22.2,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2.

Junos OS Evolved:
* All versions of 21.2-EVO,
* All versions of 21.4-EVO,
* All versions of 22.2-EVO,
* from 22.4 before 22.4R3-S7-EVO,
* from 23.2 before 23.2R2-S3-EVO,
* from 23.4 before 23.4R2-S4-EVO,
* from 24.2 before 24.2R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
20/08/2025

CVE-2025-52947

Publication date:
11/07/2025
An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an interface, leading to a Denial of Service (DoS).

On ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when 'hot-standby' mode is configured for the L2 circuit.

This issue affects Junos OS on ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096:
* all versions before 21.2R3-S9.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52948

Publication date:
11/07/2025
An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system to crash and restart.

BPF provides a raw interface to data link layers in a protocol independent fashion. Internally within the Junos kernel, due to a rare timing issue (race condition), when a BPF instance is cloned, the newly created interface causes an internal structure leakage, leading to a system crash. The precise content and timing of the traffic patterns is indeterminate, but has been seen in a lab environment multiple times.

This issue is more likely to occur when packet capturing is enabled. See required configuration below.

This issue affects Junos OS:
* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S10,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S3,
* from 24.2 before 24.2R1-S1, 24.2R2.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52949

Publication date:
11/07/2025
An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

Only systems configured for Ethernet Virtual Private Networking (EVPN) signaling are vulnerable to this issue.

This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability. This issue affects:

Junos OS:
* all versions before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S3, 24.4R2;

Junos OS Evolved:
* all versions before 22.2R3-S7-EVO,
* from 22.4-EVO before 22.4R3-S7-EVO,
* from 23.2-EVO before 23.2R2-S4-EVO,
* from 23.4-EVO before 23.4R2-S5-EVO,
* from 24.2-EVO before 24.2R2-S1-EVO,
* from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52950

Publication date:
11/07/2025
A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface.

Numerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level. An attacker can access data that is outside the user's authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices.

This issue affects Security Director version 24.4.1.
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2025

CVE-2025-52952

Publication date:
11/07/2025
An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS).

Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.

This issue affects Juniper Networks:

Junos OS:
* All versions before 22.2R3-S1,
* from 22.4 before 22.4R2.

This feature is not enabled by default.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52951

Publication date:
11/07/2025
A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface.

Due to an issue with Junos OS kernel filter processing, the 'payload-protocol' match is not being supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an 'accept' for all traffic on the interface destined for the control plane, even when used in combination with other match criteria.

This issue only affects firewall filters protecting the device's control plane. Transit firewall filtering is unaffected by this vulnerability.

This issue affects Junos OS:
* all versions before 21.2R3-S9,
* from 21.4 before 21.4R3-S11,
* from 22.2 before 22.2R3-S7,
* from 22.4 before 22.4R3-S7,
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S2, 24.4R2.

This is a more complete fix for previously published CVE-2024-21607 (JSA75748).
Severity CVSS v4.0: MEDIUM
Last modification:
15/07/2025

CVE-2025-30661

Publication date:
11/07/2025
An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation.

A local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system.

This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C.

This issue affects Junos OS:
* from 23.2 before 23.2R2-S4,
* from 23.4 before 23.4R2-S5,
* from 24.2 before 24.2R2-S1,
* from 24.4 before 24.4R1-S3, 24.4R2.

This issue does not affect versions prior to 23.1R2.
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52946

Publication date:
11/07/2025
A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition.

On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled.

This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue.

This issue affects:

Junos OS:
* All versions before 21.2R3-S9,
* all versions of 21.4,
* from 22.2 before 22.2R3-S6,
* from 22.4 before 22.4R3-S5,
* from 23.2 before 23.2R2-S3,
* from 23.4 before 23.4R2-S4,
* from 24.2 before 24.2R2;

Junos OS Evolved:
* All versions before 22.4R3-S5-EVO,
* from 23.2-EVO before 23.2R2-S3-EVO,
* from 23.4-EVO before 23.4R2-S4-EVO,
* from 24.2-EVO before 24.2R2-EVO.

This is a more complete fix for previously published CVE-2024-39549 (JSA83011).
Severity CVSS v4.0: HIGH
Last modification:
15/07/2025

CVE-2025-52089

Publication date:
11/07/2025
A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
19/07/2025

CVE-2025-48924

Publication date:
11/07/2025
Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
28/07/2025