PT-2024-3483 · Juniper Networks · Junos

Published: 2024-04-10 · Updated: 2024-05-16 · CVE-2024-30397

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions

Juniper Networks Junos OS versions prior to 20.4R3-S10
Juniper Networks Junos OS 21.2 versions prior to 21.2R3-S7
Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S5
Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S4
Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S3
Juniper Networks Junos OS 22.3 versions prior to 22.3R3-S1
Juniper Networks Junos OS 22.4 versions prior to 22.4R3
Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S2, 23.2R2

Description

An Improper Check for Unusual or Exceptional Conditions issue in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS). The pkid is responsible for certificate verification, and upon a failed verification, it uses all CPU resources and becomes unresponsive to future verification attempts, causing subsequent VPN negotiations depending on certificate verification to fail. The CPU utilization of pkid can be checked using the command:

    root@srx> show system processes extensive | match pkid

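
The check above can be run over several saved captures of that command's output to tell a pkid that is pinned at high CPU from one that is briefly busy. This is an added example, not code from the advisory or from Juniper; the sample lines are constructed, and the threshold and the number of consecutive captures are assumed tuning values.

```python
import re

# Constructed samples of `show system processes extensive | match pkid`
# output (top-style columns; the column set varies by release). Not device data.
HEALTHY = " 2187 root    20   0   781M   42M select  0   0:14   0.00% pkid"
SPINNING = " 2187 root   103   0   781M   42M CPU1    1  58:31  98.97% pkid"

CPU_FIELD = re.compile(r"(\d+(?:\.\d+)?)%")


def pkid_cpu(output):
    """Return [(pid, cpu_percent), ...] for each pkid line in one capture."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        # The command is the last column; threaded views may show "pkid{name}".
        if len(fields) < 3 or fields[-1].split("{")[0] != "pkid":
            continue
        # An echoed CLI prompt line also ends in "pkid" but has no numeric PID.
        if not fields[0].isdigit():
            continue
        # Locate the CPU column by its trailing "%" instead of a fixed index.
        for token in reversed(fields[:-1]):
            match = CPU_FIELD.fullmatch(token)
            if match:
                found.append((int(fields[0]), float(match.group(1))))
                break
    return found


def pkid_stuck(captures, threshold=90.0, consecutive=3):
    """True if pkid CPU stays at or above threshold for N captures in a row.

    threshold and consecutive are assumed tuning values, not vendor guidance.
    A single high reading can be a legitimate verification in progress.
    """
    streak = 0
    for output in captures:
        readings = [cpu for _, cpu in pkid_cpu(output)]
        streak = streak + 1 if readings and max(readings) >= threshold else 0
        if streak >= consecutive:
            return True
    return False


if __name__ == "__main__":
    print(pkid_stuck([HEALTHY, SPINNING, SPINNING, SPINNING]))
```
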
Recommendations

For Juniper Networks Junos OS versions prior to 20.4R3-S10, update to version 20.4R3-S10 or later.
For Juniper Networks Junos OS 21.2 versions prior to 21.2R3-S7, update to version 21.2R3-S7 or later.
For Juniper Networks Junos OS 21.4 versions prior to 21.4R3-S5, update to version 21.4R3-S5 or later.
For Juniper Networks Junos OS 22.1 versions prior to 22.1R3-S4, update to version 22.1R3-S4 or later.
For Juniper Networks Junos OS 22.2 versions prior to 22.2R3-S3, update to version 22.2R3-S3 or later.
For Juniper Networks Junos OS 22.3 versions prior to 22.3R3-S1, update to version 22.3R3-S1 or later.
For Juniper Networks Junos OS 22.4 versions prior to 22.4R3, update to version 22.4R3 or later.
For Juniper Networks Junos OS 23.2 versions prior to 23.2R1-S2, 23.2R2, update to version 23.2R1-S2, 23.2R2 or later.

As a temporary workaround, consider restricting access to the pkid daemon to minimize the risk of exploitation.

Fix

DoS

Improper Check for Exceptional Conditions

Weakness Enumeration

Related Identifiers

BDU:2024-03784
CVE-2024-30397

Affected Products

Junos