CVE-2024-39526: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets
First published: Fri Oct 11 2024(Updated: )
An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS on MX Series with MPC10/MPC11/LC9600 line cards, EX9200 with EX9200-15C lines cards, MX304 devices, and Juniper Networks Junos OS Evolved on PTX Series, allows an attacker sending malformed DHCP packets to cause ingress packet processing to stop, leading to a Denial of Service (DoS). Continued receipt and processing of these packets will create a sustained Denial of Service (DoS) condition. This issue only occurs if DHCP snooping is enabled. See configuration below. This issue can be detected using following commands. Their output will display the interface status going down: user@device>show interfaces <if--x/x/x> user@device>show log messages | match <if--x/x/x> user@device>show log messages ==> will display the "[Error] Wedge-Detect : Host Loopback Wedge Detected: PFE: no," logs. This issue affects: Junos OS on MX Series with MPC10/MPC11/LC9600 line cards, EX9200 with EX9200-15C line cards, and MX304: * All versions before 21.2R3-S7, * from 21.4 before 21.4R3-S6, * from 22.2 before 22.2R3-S3, * all versions of 22.3, * from 22.4 before 22.4R3, * from 23.2 before 23.2R2; Junos OS Evolved on PTX Series: * from 19.3R1-EVO before 21.2R3-S8-EVO, * from 21.4-EVO before 21.4R3-S7-EVO, * from 22.1-EVO before 22.1R3-S6-EVO, * from 22.2-EVO before 22.2R3-S5-EVO, * from 22.3-EVO before 22.3R3-S3-EVO, * from 22.4-EVO before 22.4R3-S1-EVO, * from 23.2-EVO before 23.2R2-S2-EVO, * from 23.4-EVO before 23.4R2-EVO. Junos OS Evolved releases prior to 19.3R1-EVO are unaffected by this vulnerability
Credit: sirt@juniper.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Juniper Junos | <21.2R3-S7>=undefined>=undefined=22.3>=undefined>=undefined | |
| Juniper Networks Junos OS | >=undefined>=undefined>=undefined>=undefined>=undefined>=undefined>=undefined>=undefined |
Remedy
The following software releases have been updated to resolve this specific issue: Junos OS: 21.2R3-S7, 21.4R3-S6, 22.2R3-S3, 22.4R3, 23.2R2, 23.4R2, 24.2R1, and all subsequent releases. Junos OS Evolved: 21.2R3-S8-EVO, 21.4R3-S7-EVO, 22.1R3-S6-EVO, 22.2R3-S5-EVO*, 22.3R3-S3-EVO, 22.4R3-S1-EVO, 23.2R2-S2-EVO, 23.4R2-EVO, 24.2R1-EVO, and all subsequent releases. *Future release
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-39526?
CVE-2024-39526 is considered a high-severity vulnerability due to its potential impact on packet processing in Junos OS.
How do I fix CVE-2024-39526?
To remediate CVE-2024-39526, upgrade to the latest version of Junos OS as advised in the security advisory.
What products are affected by CVE-2024-39526?
CVE-2024-39526 affects Juniper Networks devices like MX Series with specific line cards and EX9200 series with certain configurations.
Can CVE-2024-39526 be exploited remotely?
Yes, CVE-2024-39526 can be exploited remotely, allowing an attacker to affect packet processing without physical access to the device.
What is the impact of CVE-2024-39526?
The impact of CVE-2024-39526 includes potential denial of service conditions in affected Junos OS devices.
- agent/remedy
- agent/weakness
- agent/title
- agent/type
- agent/description
- agent/first-publish-date
- agent/references
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/juniper networks
- canonical/juniper junos
- canonical/juniper networks junos os