CVE-2024-21591: Critical RCE Vulnerability Uncovered in Juniper SRX Firewalls and EX Switches

HawkEye Managed CSOC

Junos OS simplifies and fine-tunes network operations, increasing operational efficiency and vital time and resources for top-line growth. Many of the world’s most advanced network deployments run on Junos OS, known for its dependability, security, and adaptability.

Background:

The Juniper Network Operating System SRX and EX Series are subject to an out-of-bounds write vulnerability. The vulnerability, tracked as CVE-2024-21591, has a critical severity rating and a CVSS score of 9.8. Successful exploitation of the vulnerability may allow an attacker to cause a Denial of Service. The vulnerability exists because of an unsafe function that could allow an attacker to overwrite arbitrary memory. In some situations, effective exploitation may lead to remote code execution and an attacker gaining root access to the device.

Juniper stated in the advisory that they have found no evidence of a hostile attempt to exploit this vulnerability. According to Shodan, more than 9,000 Juniper devices have their J-Web interfaces accessible to the internet.

Affected Versions:

This vulnerability affects Juniper Networks Junos OS SRX Series and EX Series:

● Junos OS versions earlier than 20.4R3-S9
● Junos OS 21.2 versions earlier than 21.2R3-S7
● Junos OS 21.3 versions earlier than 21.3R3-S5
● Junos OS 21.4 versions earlier than 21.4R3-S5
● Junos OS 22.1 versions earlier than 22.1R3-S4
● Junos OS 22.2 versions earlier than 22.2R3-S3
● Junos OS 22.3 versions earlier than 22.3R3-S2
● Junos OS 22.4 versions earlier than 22.4R2-S2, 22.4R3

Mitigation:

Juniper Networks has released patches for the affected Junos OS versions. Admins are strongly advised to promptly update their instances to versions 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, or later.

top-10-countries-censys

Fig. Top 10 countries running exposed J-Web interfaces (Source: Censys)

Currently, there are approximately 10,000 exposed J-Web interfaces online, primarily in Asia (South Korea, Hong Kong, China) and the United States. These interfaces are typically available on conventional HTTP ports 443, 8080, and 80. So far, Juniper is unaware of any attacks leveraging CVE-2024-21591. Juniper strongly encourages organizations to patch as soon as feasible.

Workaround:

If organizations are unable to roll out patches immediately, Juniper recommends to turn off the J-Web interface or restrict access to trusted hosts only.

CVE-2024-21611:

In addition to the significant RCE vulnerability, Juniper Networks resolved a high-severity vulnerability, CVE-2024-21611, with a CVSS score of 7.5, which affected Junos OS and Junos OS Evolved. An unauthenticated network-based attacker can exploit a Memory Release Deficiency following Effective Lifetime in Juniper Networks Junos OS and Junos OS Evolved, affecting the Routing Protocol Daemon (rpd), leading to a Denial of Service (DoS). In Juniper Flow Monitoring (jflow) situations, the constant updating of BGP next hops due to route churn results in a gradual memory leak, ultimately causing rpd to crash and restart.

Mitigation:

While there is no evidence of exploitation in the wild, the company recommended that customers implement the necessary updates as soon as possible. The vulnerabilities affect several Junos OS versions, and solutions have been provided in releases ranging from 20.4R3-S9 to 23.4R1 and later.

Workaround:

While not a solution, it is recommended to proactively observe memory usage. When it reaches 85% of the total RE memory, either restart the rpd or reboot the system.

References:

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Security-Vulnerability-in-J-web-allows-a-preAuth-Remote-Code-Execution-CVE-2024-21591

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-In-a-jflow-scenario-continuous-route-churn-will-cause-a-memory-leak-and-eventually-an-rpd-crash-CVE-2024-21611

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2024 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment