PT-2024-6541 · Juniper Networks · Junos Evolved

Published: 2024-06-25 · Updated: 2024-07-11 · CVE-2024-39559

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions:

- Junos OS Evolved versions prior to 21.2R3-S8-EVO
- Junos OS Evolved versions from 21.4-EVO prior to 21.4R3-S6-EVO
- Junos OS Evolved versions from 22.1-EVO prior to 22.1R3-S4-EVO
- Junos OS Evolved versions from 22.2-EVO prior to 22.2R3-S4-EVO
- Junos OS Evolved versions from 22.3-EVO prior to 22.3R3-S3-EVO
- Junos OS Evolved versions from 22.4-EVO prior to 22.4R2-S2-EVO, 22.4R3-EVO
Description: An Improper Check for Unusual or Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS Evolved may allow a network-based unauthenticated attacker to crash the device by sending a specific TCP packet over an established TCP session with MD5 authentication enabled, resulting in a Denial of Service (DoS). This issue only affects dual RE systems with Nonstop Active Routing (NSR) enabled and can be exploited over TCP sessions with MD5 authentication enabled, such as BGP with MD5 authentication. Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition.
Recommendations:

- For Junos OS Evolved versions prior to 21.2R3-S8-EVO, update to version 21.2R3-S8-EVO or later.
- For Junos OS Evolved versions from 21.4-EVO prior to 21.4R3-S6-EVO, update to version 21.4R3-S6-EVO or later.
- For Junos OS Evolved versions from 22.1-EVO prior to 22.1R3-S4-EVO, update to version 22.1R3-S4-EVO or later.
- For Junos OS Evolved versions from 22.2-EVO prior to 22.2R3-S4-EVO, update to version 22.2R3-S4-EVO or later.
- For Junos OS Evolved versions from 22.3-EVO prior to 22.3R3-S3-EVO, update to version 22.3R3-S3-EVO or later.
- For Junos OS Evolved versions from 22.4-EVO prior to 22.4R2-S2-EVO, 22.4R3-EVO, update to version 22.4R2-S2-EVO or 22.4R3-EVO or later.

As a temporary workaround, consider disabling MD5 authentication for TCP sessions until a patch is available. Restrict access to the device to minimize the risk of exploitation. Avoid using BGP with MD5 authentication until the issue is resolved.

Weakness Enumeration

Improper Check for Exceptional Conditions

Related Identifiers

BDU:2024-07685
CVE-2024-39559

Affected Products

Junos Evolved