CVE-2024-47490

Oct 12, 2024

Published Date: 2024-10-11T16:15:08.803
Last Modified: 2024-10-11T16:15:08.803

CVSS Score: 8.2 (HIGH)

EPSS Score: 0.05%

Risk Score: 5.74 (HIGH)

Risk Score based on CVSS score and EPSS. This score is for reference purposes and is not internationally recognized.

Meter Needle
CVSS: 8.2  |  EPSS: 0.05%
NVD Links:

Description: An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS Evolved on ACX 7000 Series allows an unauthenticated, network based attacker to cause increased consumption of resources, ultimately resulting in a Denial of Service (DoS).

When specific transit MPLS packets are received by the PFE, these packets are internally forwarded to the Routing Engine (RE), rather than being handled appropriately. Continuous receipt of these MPLS packets causes resources to be exhausted. MPLS config is not required to be affected by this issue. 

This issue affects Junos OS Evolved ACX 7000 Series: 

* All versions before 21.4R3-S9-EVO,
* 22.2-EVO before 22.2R3-S4-EVO, 
* 22.3-EVO before 22.3R3-S3-EVO, 
* 22.4-EVO before 22.4R3-S2-EVO, 
* 23.2-EVO before 23.2R2-EVO, 
* 23.4-EVO before 23.4R1-S1-EVO, 23.4R2-EVO.

Mitre ATT&CK Technical v15.1

T1153 – Source
T1053.002 – At

Technical Analysis & Mitigation Measures

1. Technical Attack Analysis:
– Attack Techniques :
– T1153 – Source : This technique involves the exploitation of improper restrictions that allow network-based attackers to send specially crafted MPLS packets to the Packet Forwarding Engine (PFE). The vulnerability permits attackers to bypass authentication and directly interact with the affected component, leading to unrestrained resource consumption.
– T1053.002 – At : This technique refers to the ability of attackers to leverage scheduled tasks or processes to repeatedly send the malicious MPLS packets, thereby sustaining the attack without manual intervention, which can exacerbate the resource exhaustion leading to a Denial of Service (DoS) condition.

– Possible Outcomes of Exploitation :
– Resource exhaustion on the Packet Forwarding Engine, leading to degraded performance or complete unavailability of the network services.
– Potential impact on network reliability and availability, affecting all devices and services relying on the affected Junos OS Evolved implementation.
– Increased operational costs due to the need for incident response, recovery, and potential hardware upgrades or replacements.
– Risk of secondary attacks or exploitation if the network becomes unstable or if attackers gain further footholds within the system during the DoS condition.

2. Mitigation Measures:
– Upgrade to Junos OS Evolved version 21.4R3-S9-EVO or later.
– Upgrade to Junos OS Evolved version 22.2R3-S4-EVO or later.
– Upgrade to Junos OS Evolved version 22.3R3-S3-EVO or later.
– Upgrade to Junos OS Evolved version 22.4R3-S2-EVO or later.
– Upgrade to Junos OS Evolved version 23.2R2-EVO or later.
– Upgrade to Junos OS Evolved version 23.4R1-S1-EVO or later.
– Implement network segmentation to limit exposure of the vulnerable components.
– Apply rate limiting on incoming MPLS packets to mitigate the impact of potential DoS attacks.
– Monitor network traffic for unusual patterns that may indicate exploitation attempts.
– Conduct regular vulnerability assessments and penetration testing to identify and remediate potential weaknesses.

The content above is generated by AI. Please review and consider carefully before applying!

Reference Links

Vendor - Produce - Version

None

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.