04.16.2024

Critical Vulnerabilities for Juniper Devices

Alert
  • facebook share link
  • twitter share link
  • linkedin share link
  • mail share link

Date of Notice: 04/16/2024

Action Level - Critical

Description

A critical security vulnerability, CVE-2024-21591, has been identified in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series devices. This Out-of-bounds Write issue can allow an unauthenticated, network-based attacker to execute arbitrary code with root privileges, potentially leading to Denial of Service (DoS) or Remote Code Execution (RCE).

Affected Devices

The vulnerability impacts all versions of Junos OS on SRX Series and EX Series, specifically:

Junos OS versions prior to 20.4R3-S9

Junos OS 21.2 versions prior to 21.2R3-S7

Junos OS 21.3 versions prior to 21.3R3-S5

Junos OS 21.4 versions prior to 21.4R3-S5

Junos OS 22.1 versions prior to 22.1R3-S4

Junos OS 22.2 versions prior to 22.2R3-S3

Junos OS 22.3 versions prior to 22.3R3-S2

Junos OS 22.4 versions prior to 22.4R2-S2, 22.4R3

Attack Vector

The vulnerability can be exploited remotely via network access if the affected device has J-Web enabled via HTTP or HTTPS.

Attack Feasibility

Given the critical nature of this vulnerability and its network-based attack vector, the risk of exploitation is considered high, though no current malicious use has been reported.

Mitigations

Administrators are advised to temporarily mitigate the risk by disabling J-Web or restricting its access to trusted hosts only.

Remediation

Juniper Networks has released software updates that resolve this vulnerability in the following Junos OS versions:

20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1 and all subsequent releases.

Users are urged to update affected systems immediately to the latest supported version to prevent potential exploits.

Resources

MCNC
PO Box 12889
3021 East Cornwallis Road
RTP, NC 27709-2889
919-248-1900 Phone | 919-248-1101 Fax
Connect With Us
  • linkedin
  • instagram
  • x
  • facebook
  • youtube
© 2024 MCNC