PT-2024-1108 · Juniper Networks · Junos

Published 2024-01-10 · Updated 2025-07-11 · CVE-2024-21607

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS on MX Series and EX9200 Series versions earlier than 20.4R3-S7
Juniper Networks Junos OS on MX Series and EX9200 Series version 21.1 versions earlier than 21.1R3-S5
Juniper Networks Junos OS on MX Series and EX9200 Series version 21.2 versions earlier than 21.2R3-S5
Juniper Networks Junos OS on MX Series and EX9200 Series version 21.3 versions earlier than 21.3R3-S4
Juniper Networks Junos OS on MX Series and EX9200 Series version 21.4 versions earlier than 21.4R3-S4
Juniper Networks Junos OS on MX Series and EX9200 Series version 22.1 versions earlier than 22.1R3-S2
Juniper Networks Junos OS on MX Series and EX9200 Series version 22.2 versions earlier than 22.2R3-S2
Juniper Networks Junos OS on MX Series and EX9200 Series version 22.3 versions earlier than 22.3R2-S2, 22.3R3
Juniper Networks Junos OS on MX Series and EX9200 Series version 22.4 versions earlier than 22.4R1-S2, 22.4R2-S2, 22.4R3

Description

The issue is related to an unsupported feature in the UI of Juniper Networks Junos OS on MX Series and EX9200 Series, allowing an unauthenticated, network-based attacker to cause partial impact to the integrity of the device. This happens when the "tcp-reset" option is added to the "reject" action in an IPv6 filter which matches on "payload-protocol", causing packets to be permitted instead of rejected due to the payload-protocol match criteria not being supported in the kernel filter. The issue does not affect IPv4 firewall filters.

Recommendations

As a temporary workaround, consider modifying the IPv6 filter to treat the payload-protocol match the same as a "next-header" match to avoid this filter bypass.

For versions earlier than 20.4R3-S7, update to version 20.4R3-S7 or later.
For version 21.1, update to version 21.1R3-S5 or later.
For version 21.2, update to version 21.2R3-S5 or later.
For version 21.3, update to version 21.3R3-S4 or later.
For version 21.4, update to version 21.4R3-S4 or later.
For version 22.1, update to version 22.1R3-S2 or later.
For version 22.2, update to version 22.2R3-S2 or later.
For version 22.3, update to version 22.3R2-S2, 22.3R3 or later.
For version 22.4, update to version 22.4R1-S2, 22.4R2-S2, 22.4R3 or later.
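
A configuration audit for the condition described above, as an added example that is not part of this advisory or of any Juniper tooling: it scans a configuration exported in "set" form and reports IPv6 filter terms that combine a payload-protocol match with the reject tcp-reset action. It assumes one statement per line and unquoted filter and term names; the sample configuration and its names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "set" form; filter and term names are made up.
SAMPLE_CONFIG = """\
set firewall family inet6 filter EDGE6-IN term block-tcp from payload-protocol tcp
set firewall family inet6 filter EDGE6-IN term block-tcp then reject tcp-reset
set firewall family inet6 filter EDGE6-IN term block-udp from payload-protocol udp
set firewall family inet6 filter EDGE6-IN term block-udp then reject
set firewall family inet6 filter EDGE6-IN term nh-tcp from next-header tcp
set firewall family inet6 filter EDGE6-IN term nh-tcp then reject tcp-reset
set firewall family inet filter EDGE4-IN term t1 from protocol tcp
set firewall family inet filter EDGE4-IN term t1 then reject tcp-reset
"""

# Matches inet6 filter term statements, allowing a prefix such as
# "groups NAME" or "logical-systems NAME" before "firewall".
TERM_RE = re.compile(
    r"^set\s+(?:\S+\s+)*?firewall\s+family\s+inet6\s+filter\s+(\S+)"
    r"\s+term\s+(\S+)\s+(from|then)\s+(.+?)\s*$"
)


def find_affected_terms(config_text):
    """Return sorted (filter, term) pairs in inet6 filters that pair a
    payload-protocol match with the 'reject tcp-reset' action."""
    seen = defaultdict(set)
    for line in config_text.splitlines():
        m = TERM_RE.match(line.strip())
        if not m:
            continue  # not an inet6 filter term statement (IPv4 is unaffected)
        filt, term, section, rest = m.groups()
        tokens = rest.split()
        if section == "from" and tokens[0] == "payload-protocol":
            seen[(filt, term)].add("match")
        elif section == "then" and tokens[:2] == ["reject", "tcp-reset"]:
            seen[(filt, term)].add("action")
    # Only terms with both the match and the action fit the advisory's condition.
    return sorted(k for k, v in seen.items() if v == {"match", "action"})


if __name__ == "__main__":
    for filt, term in find_affected_terms(SAMPLE_CONFIG):
        print(f"review: inet6 filter {filt} term {term}")
```

Terms reported by the check are the ones to rewrite with a next-header match as the workaround describes, or to re-verify after upgrading to a fixed release.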

Related Identifiers

BDU:2024-00391
CVE-2024-21607

Affected Products

Junos