CVE-2024-21616

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS versions prior to 21.2R3-S6 Juniper Networks Junos OS 21.3 versions prior to 21.3R3-S5 Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S5 Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S4 Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S3 Juniper Networks Junos OS 22.3 versions prior to 22.3R3-S1 Juniper Networks Junos OS 22.4 versions prior to 22.4R2-S2, 22.4R3 Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S1, 23.2R2

Description An Improper Validation of Syntactic Correctness of Input issue in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS allows an unauthenticated, network-based attacker to cause Denial of Service (DoS). When SIP ALG is enabled and a specific SIP packet is received and processed, NAT IP allocation fails for genuine traffic, causing Denial of Service (DoS). Continuous receipt of this specific SIP ALG packet will cause a sustained DoS condition.

Recommendations For Juniper Networks Junos OS versions prior to 21.2R3-S6, update to version 21.2R3-S6 or later. For Juniper Networks Junos OS 21.3 versions prior to 21.3R3-S5, update to version 21.3R3-S5 or later. For Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S5, update to version 21.4R3-S5 or later. For Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S4, update to version 22.1R3-S4 or later. For Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S3, update to version 22.2R3-S3 or later. For Juniper Networks Junos OS 22.3 versions prior to 22.3R3-S1, update to version 22.3R3-S1 or later. For Juniper Networks Junos OS 22.4 versions prior to 22.4R2-S2, 22.4R3, update to version 22.4R2-S2 or 22.4R3 or later. For Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S1, 23.2R2, update to version 23.2R1-S1 or 23.2R2 or later. As a temporary workaround, consider disabling SIP ALG to prevent exploitation until a patch is available. Monitor NAT IP usage by running the command show security nat resource-usage source-pool <source pool name>.