CVE-2024-21607 : Vulnerability Insights and Analysis
Unsupported feature in Junos OS allows network-based attacker to impact device integrity. Immediate actions and long-term practices for mitigation.
This CVE record involves an Unsupported Feature in the UI vulnerability in Juniper Networks Junos OS on MX Series and EX9200 Series that allows an unauthenticated, network-based attacker to cause partial impact to the integrity of the device.
Understanding CVE-2024-21607
This vulnerability arises from adding the "tcp-reset" option to the "reject" action in an IPv6 filter that matches on "payload-protocol," which leads to packets being accepted instead of rejected due to a flaw in the kernel filter.
What is CVE-2024-21607?
The Vulnerability allows an unauthenticated attacker to impact the device's integrity by bypassing IPv6 firewall filters on Juniper Networks Junos OS for MX Series and EX9200 Series.
The Impact of CVE-2024-21607
The issue results in accepted packets instead of rejected ones when a specific configuration is present, potentially causing security gaps and compromising the device's integrity.
Technical Details of CVE-2024-21607
This vulnerability affects systems running Junos OS versions earlier than 20.4R3-S7, 21.1R3-S5, 21.2R3-S5, 21.3R3-S4, 21.4R3-S4, 22.1R3-S2, 22.2R3-S2, 22.3R2-S2, 22.3R3, 22.4R1-S2, 22.4R2-S2, or 22.4R3.
Vulnerability Description
The vulnerability stems from an inconsistency in the kernel filter that allows packets to be accepted instead of rejected when utilizing an IPv6 firewall filter with the "tcp-reset" option.
Affected Systems and Versions
Juniper Networks Junos OS on MX Series and EX9200 Series are impacted, specifically versions earlier than the specified ones above.
Exploitation Mechanism
An attacker can exploit this vulnerability by utilizing an IPv6 firewall filter with the "tcp-reset" option, leading to packets being accepted instead of rejected due to the flaw in the payload-protocol match.
Mitigation and Prevention
To address CVE-2024-21607, immediate actions involve replacing the payload-protocol match with a next-header match in affected configurations. Long-term practices include regular security updates and monitoring for potential vulnerabilities.
Immediate Steps to Take
Implement the workaround by replacing the payload-protocol match with a next-header match in the IPv6 firewall filter configuration.
Long-Term Security Practices
Maintain updated software releases to resolve the specific issue and regularly review and update firewall configurations to enhance network security.
Patching and Updates
Juniper Networks has released updated software versions such as 20.4R3-S7, 21.1R3-S5, and subsequent releases to address this vulnerability and prevent exploitation.
Remember to stay informed about security advisories and apply patches promptly to mitigate the risk of exploitation.