Critical Vulnerabilities for Juniper Devices
Date of Notice: 04/16/2024
Action Level - Critical
Description
A critical security vulnerability, CVE-2024-21591, has been identified in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series devices. The flaw is an Out-of-bounds Write: an unauthenticated, network-based attacker who can reach the J-Web service can overwrite memory in the web-management process, resulting in either a Denial of Service (DoS) or Remote Code Execution (RCE) with root privileges on the device. No credentials or user interaction are required.
Affected Devices
The vulnerability affects Junos OS on SRX Series and EX Series in the releases listed below; on each release train, every release earlier than the stated threshold is affected (the first entry also covers all release trains older than 20.4):
Junos OS versions prior to 20.4R3-S9
Junos OS 21.2 versions prior to 21.2R3-S7
Junos OS 21.3 versions prior to 21.3R3-S5
Junos OS 21.4 versions prior to 21.4R3-S5
Junos OS 22.1 versions prior to 22.1R3-S4
Junos OS 22.2 versions prior to 22.2R3-S3
Junos OS 22.3 versions prior to 22.3R3-S2
Junos OS 22.4 versions prior to 22.4R2-S2, 22.4R3
Attack Vector
The vulnerability is exploitable remotely and without authentication by any host that can reach the device's J-Web service. A device is exposed only if J-Web (the web-management service) is enabled over HTTP or HTTPS; devices that do not run J-Web are not exposed, and the risk is highest where J-Web is reachable from untrusted networks rather than from an isolated management network.
Attack Feasibility
Given the critical severity (CVSS v3.1 base score 9.8), the lack of any authentication requirement, and the network-based attack vector, the risk of exploitation is considered high, although at the time of this notice no malicious exploitation had been reported.
Mitigations
Until affected devices can be upgraded, administrators should disable J-Web, or restrict access to it so that only trusted management hosts can reach the HTTP/HTTPS service (for example, by applying a firewall filter on the device's loopback interface that permits web-management traffic only from the management network). Disabling J-Web removes only the web UI; CLI management over SSH is unaffected. These are temporary measures and do not replace the software update.
Remediation
Juniper Networks has released software updates that resolve this vulnerability in the following Junos OS versions:
20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1 and all subsequent releases.
Users are urged to update affected systems immediately to one of these fixed releases or to the latest supported release on their train, and to confirm the running release afterwards with the show version command, since a device that was never upgraded remains exposed as soon as J-Web is re-enabled.
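As an added example (not from this notice and not Juniper tooling), the following Python checks a Junos release string, taken from show version output, against the affected and fixed release lists above. It treats a release as affected when it sorts below the lowest fixed release on its train, so it flags 22.4R2-S1 and 20.4R3-S8 as affected, 22.4R3 and 20.4R3-S9 as fixed, and also flags 23.2R1 (below the fixed 23.2R1-S1) even though the affected list above only names trains up to 22.4. Release trains the advisory does not name at all, such as 21.1, are reported as unknown rather than guessed; the show version sample is constructed for the example.

```python
"""Check whether a Junos OS release is affected by CVE-2024-21591.

Added example, not part of the original notice or of Juniper's tooling. The
thresholds are transcribed from the advisory's fixed-release list; the
show version parsing and the sample output are constructed for this example.
"""
import re
from typing import Optional, Tuple

# Lowest fixed release per Junos release train, from the remediation list.
# Anything on the same train that sorts below its entry is affected.
FIXED_BY_TRAIN = {
    (20, 4): "20.4R3-S9",
    (21, 2): "21.2R3-S7",
    (21, 3): "21.3R3-S5",
    (21, 4): "21.4R3-S5",
    (22, 1): "22.1R3-S4",
    (22, 2): "22.2R3-S3",
    (22, 3): "22.3R3-S2",
    (22, 4): "22.4R2-S2",   # 22.4R3 is also fixed and sorts above this anyway
    (23, 2): "23.2R1-S1",   # 23.2R2 likewise
    (23, 4): "23.4R1",
}
# "Junos OS versions prior to 20.4R3-S9" also covers every older train (19.x, ...).
OLDEST_TRAIN_WITH_FIX = (20, 4)

# Junos release strings look like 22.4R2-S1.8: train 22.4, R2, service release S1, build 8.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:-S(?P<s>\d+))?(?:\.(?P<build>\d+))?$"
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn e.g. '22.4R2-S1.8' into a sortable tuple (22, 4, 2, 1, 8).

    A release with no service-release suffix (22.4R2) sorts below 22.4R2-S1,
    and a higher R number sorts above any S on the previous R (22.4R3 > 22.4R2-S2),
    which is how the advisory's "prior to" thresholds are meant to be read.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {text!r}")
    return tuple(int(m.group(g) or 0) for g in ("major", "minor", "r", "s", "build"))


def is_affected(version: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the train is not named in the advisory."""
    v = parse_version(version)
    train = v[:2]
    if train < OLDEST_TRAIN_WITH_FIX:
        return True  # every train older than 20.4 is "prior to 20.4R3-S9"
    if train in FIXED_BY_TRAIN:
        return v < parse_version(FIXED_BY_TRAIN[train])
    if train > max(FIXED_BY_TRAIN):
        return False  # "and all subsequent releases"
    # e.g. 21.1 or 23.1: not named in the advisory (end-of-life trains).
    # Report unknown rather than guessing; operationally, treat as affected.
    return None


SHOW_VERSION_RE = re.compile(r"^Junos:\s*(\S+)", re.MULTILINE)


def version_from_show_version(output: str) -> str:
    """Extract the release string from the 'Junos:' line of show version output."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Junos:' line found in show version output")
    return m.group(1)


# Constructed sample of show version output from an SRX (not a real capture).
SAMPLE_SHOW_VERSION = """\
Hostname: srx-edge-01
Model: srx340
Junos: 22.4R2-S1.8
JUNOS OS Kernel 64-bit  [20230731.6ce6c3d_builder_stable_12_224]
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "fixed", None: "unknown (not named in advisory)"}
    release = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(f"{release}: {labels[is_affected(release)]}")
    for r in ["20.4R3-S8", "20.4R3-S9", "19.4R3-S10", "22.4R3", "23.2R1", "24.2R1", "21.1R1"]:
        print(f"{r}: {labels[is_affected(r)]}")
```

The check is deliberately conservative: it reads the advisory literally, so a release string it cannot parse or a train the advisory does not mention is surfaced for a human decision instead of being silently marked safe. It does not check whether J-Web is actually enabled; that still has to be confirmed from the device configuration.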
Resources