PT-2024-2853 · Juniper Networks · Junos

Published: 2024-04-10 · Updated: 2025-05-19 · CVE-2024-21610

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS on MX Series versions prior to 20.4R3-S9
Juniper Networks Junos OS on MX Series version 21.2 versions prior to 21.2R3-S7
Juniper Networks Junos OS on MX Series version 21.3 versions prior to 21.3R3-S5
Juniper Networks Junos OS on MX Series version 21.4 versions prior to 21.4R3-S5
Juniper Networks Junos OS on MX Series version 22.1 versions prior to 22.1R3-S4
Juniper Networks Junos OS on MX Series version 22.2 versions prior to 22.2R3-S3
Juniper Networks Junos OS on MX Series version 22.3 versions prior to 22.3R3-S2
Juniper Networks Junos OS on MX Series version 22.4 versions prior to 22.4R3
Juniper Networks Junos OS on MX Series version 23.2 versions prior to 23.2R1-S2, 23.2R2
Description

The issue is related to an Improper Handling of Exceptional Conditions vulnerability in the Class of Service daemon (cosd) of Juniper Networks Junos OS on MX Series. This vulnerability allows an authenticated, network-based attacker with low privileges to cause a limited Denial of Service (DoS).

In a scaled subscriber scenario, when specific low privileged commands are handled by cosd on behalf of mgd, the respective child management daemon (mgd) processes will get stuck. This can lead to stuck SSH sessions, and when the connection-limit for SSH is reached, new sessions cannot be established anymore. A similar behavior will be seen for telnet.

The following command can be used to monitor stuck mgd processes:

show system processes extensive | match mgd | match sbwait
Recommendations

For versions prior to 20.4R3-S9, update to version 20.4R3-S9 or later.
For version 21.2, update to version 21.2R3-S7 or later.
For version 21.3, update to version 21.3R3-S5 or later.
For version 21.4, update to version 21.4R3-S5 or later.
For version 22.1, update to version 22.1R3-S4 or later.
For version 22.2, update to version 22.2R3-S3 or later.
For version 22.3, update to version 22.3R3-S2 or later.
For version 22.4, update to version 22.4R3 or later.
For version 23.2, update to version 23.2R1-S2, 23.2R2 or later.

As a temporary workaround, consider monitoring stuck mgd processes using the following command to minimize the risk of exploitation:

show system processes extensive | match mgd | match sbwait
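To triage an inventory against the fixed releases listed above, the following added example (not part of the original advisory or Juniper's tooling) parses Junos version strings and classifies each as affected, fixed, not listed, or unparsed. It checks the version only and assumes the inventory has already been filtered to MX Series devices; the function names, hostnames and sample versions are constructed for illustration.

```python
import re

# First fixed release (R, S) per release train, copied from the list above.
FIXED = {
    (21, 2): (3, 7), (21, 3): (3, 5), (21, 4): (3, 5),
    (22, 1): (3, 4), (22, 2): (3, 3), (22, 3): (3, 2),
    (22, 4): (3, 0), (23, 2): (1, 2),
}
# "Versions prior to 20.4R3-S9" covers 20.4 and every older train.
OLDEST_TRAIN, OLDEST_FIX = (20, 4), (3, 9)

# Matches e.g. 21.2R3-S7 or 22.4R3.25; the trailing ".25" spin number is
# ignored (assumption: it does not change the fix level).
_VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

def parse(version):
    """Return ((major, minor), (R, S)) or None if the string is not RnSn style."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, r, s = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (r, s)

def status(version):
    """Classify one version string against the advisory's fixed releases."""
    parsed = parse(version)
    if parsed is None:
        return "unparsed"
    train, build = parsed
    if train < OLDEST_TRAIN:
        return "affected"
    if train == OLDEST_TRAIN:
        return "affected" if build < OLDEST_FIX else "fixed"
    if train not in FIXED:
        return "not-listed"  # train not named in this advisory
    return "affected" if build < FIXED[train] else "fixed"

def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: status(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are sample values.
    sample = {"mx-a": "20.4R3-S8", "mx-b": "22.4R3.25", "mx-c": "23.2R1-S1",
              "mx-d": "23.2R2", "mx-e": "21.1R3-S2", "mx-f": "23.4R1-EVO"}
    for host, result in triage(sample).items():
        print(f"{host}: {result}")
```

Devices reported as not-listed or unparsed need a manual check against the vendor's advisory, since this entry does not name those trains or version formats.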

Fix

DoS

Improper Handling of Exceptional Conditions

Weakness Enumeration

Related Identifiers

BDU:2024-03001
CVE-2024-21610

Affected Products

Junos