CVE-2024-21609

Name of the Vulnerable Software and Affected Versions Juniper Networks Junos OS versions prior to 20.4R3-S9 Juniper Networks Junos OS 21.2 versions prior to 21.2R3-S7 Juniper Networks Junos OS 21.3 versions prior to 21.3R3-S5 Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S4 Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S3 Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S2 Juniper Networks Junos OS 22.3 versions prior to 22.3R3 Juniper Networks Junos OS 22.4 versions prior to 22.4R3 Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S2, 23.2R2

Description A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS). If specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a specific message sequence. This will eventually result in an iked process crash and restart.

Recommendations For Juniper Networks Junos OS versions prior to 20.4R3-S9, update to version 20.4R3-S9 or later. For Juniper Networks Junos OS 21.2 versions prior to 21.2R3-S7, update to version 21.2R3-S7 or later. For Juniper Networks Junos OS 21.3 versions prior to 21.3R3-S5, update to version 21.3R3-S5 or later. For Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S4, update to version 21.4R3-S4 or later. For Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S3, update to version 22.1R3-S3 or later. For Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S2, update to version 22.2R3-S2 or later. For Juniper Networks Junos OS 22.3 versions prior to 22.3R3, update to version 22.3R3 or later. For Juniper Networks Junos OS 22.4 versions prior to 22.4R3, update to version 22.4R3 or later. For Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S2, 23.2R2, update to version 23.2R1-S2, 23.2R2 or later. As a temporary workaround, consider monitoring the iked process memory consumption using the command "show system processes extensive | grep iked" to detect potential memory leaks.