CVE-2024-47499

Oct 12, 2024

Published Date: 2024-10-11T16:15:10.850
Last Modified: 2024-10-11T16:15:10.850

CVSS Score: 7.5 (HIGH)

EPSS Score: 0.05%

Risk Score: 5.25 (HIGH)

Risk Score based on CVSS score and EPSS. This score is for reference purposes and is not internationally recognized.

Meter Needle
CVSS: 7.5  |  EPSS: 0.05%
NVD Links:

Description: An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network based attacker to cause a Denial of Service (DoS). 

In a scenario where BGP Monitoring Protocol (BMP) is configured with rib-in pre-policy monitoring, receiving a BGP update with a specifically malformed AS PATH attribute over an established BGP session, can cause an RPD crash and restart.

This issue affects:

Junos OS: 

* All versions before 21.2R3-S8,
* 21.4 versions before 21.4R3-S8,
* 22.2 versions before 22.2R3-S4,
* 22.3 versions before 22.3R3-S3,
* 22.4 versions before 22.4R3-S2,
* 23.2 versions before 23.2R2-S1,
* 23.4 versions before 23.4R1-S2, 23.4R2;

Junos OS Evolved:

* All versions before 21.2R3-S8-EVO,
* 21.4 versions before 21.4R3-S8-EVO,
* 22.2 versions before 22.2R3-S4-EVO,
* 22.3 versions before 22.3R3-S3-EVO,
* 22.4 versions before 22.4R3-S2-EVO,
* 23.2 versions before 23.2R2-S1-EVO,
* 23.4 versions before 23.4R1-S2-EVO, 23.4R2-EVO.

Mitre ATT&CK Technical v15.1

T1053.002 – At

Technical Analysis & Mitigation Measures

1. Technical Attack Analysis:
– Attack Techniques :
– Denial of Service (DoS) : The vulnerability allows an unauthenticated attacker to send a specifically malformed BGP update that can cause the Routing Protocol Daemon (RPD) to crash, leading to service interruption.
– Exploitation of BGP Protocol : The attack targets the BGP monitoring capabilities by exploiting improper checks for unusual conditions in the AS PATH attribute, which is a critical component of BGP routing.
– Network-Based Attack : Since the attack is network-based and unauthenticated, it can be executed remotely without requiring access to the internal network or authenticated user privileges.

– Possible Outcomes of Exploitation :
– Service Interruptions : Repeated exploitation can lead to continuous RPD crashes, causing disruptions in routing and network service availability.
– Network Instability : Crashing the RPD can lead to routing table inconsistencies and potential network loops, affecting multiple devices and potentially leading to broader network outages.
– Increased Operational Costs : Recovery from DoS attacks can incur significant operational costs, including troubleshooting and restoring services.
– Loss of Trust : Continuous disruptions can lead to a loss of trust from customers and stakeholders in the reliability of the network.

2. Mitigation Measures:
– Apply the latest patches from Juniper Networks for affected versions.
– Configure BGP to reject malformed updates or implement strict validation checks on AS PATH attributes.
– Disable BGP Monitoring Protocol (BMP) if not required for your network operations.
– Implement rate limiting on BGP session updates to mitigate potential abuse.
– Monitor BGP sessions for unusual traffic patterns or unexpected updates.
– Use access control lists (ACLs) to limit which devices can send BGP updates to your routers.
– Regularly review and audit BGP configurations to ensure compliance with security best practices.
– Set up alerting and logging for BGP-related events to facilitate quick detection and response to exploitation attempts.

The content above is generated by AI. Please review and consider carefully before applying!

Reference Links

Vendor - Produce - Version

None

Disclaimer

The content on this website is automatically sourced from external websites such as the National Vulnerability Database (NVD), GitHub, and other security-related sources. This content is for reference purposes only, and we are not responsible for the accuracy or integrity of the information linked or displayed from these sources.