CVE-2024-21597

Summary

An Exposure of Resource to Wrong Sphere vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on MX Series allows an unauthenticated, network-based attacker to bypass the intended access restrictions.

In an Abstracted Fabric (AF) scenario if routing-instances (RI) are configured, specific valid traffic destined to the device can bypass the configured lo0 firewall filters as it's received in the wrong RI context.

This issue affects Juniper Networks Junos OS on MX Series:

  • All versions earlier than 20.4R3-S9;
  • 21.2 versions earlier than 21.2R3-S3;
  • 21.4 versions earlier than 21.4R3-S5;
  • 22.1 versions earlier than 22.1R3;
  • 22.2 versions earlier than 22.2R3;
  • 22.3 versions earlier than 22.3R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 20.4R3-S9affected
Juniper NetworksJunos OS21.2 < 21.2R3-S3affected
Juniper NetworksJunos OS21.4 < 21.4R3-S5affected
Juniper NetworksJunos OS22.1 < 22.1R3affected
Juniper NetworksJunos OS22.2 < 22.2R3affected
Juniper NetworksJunos OS22.3 < 22.3R2affected

Weaknesses

  • CWE-668: CWE-668 Exposure of Resource to Wrong Sphere

Workarounds

There are no known workarounds for this issue.

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References