CVE-2024-21601
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in the Flow-processing Daemon (flowd) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (Dos).
On SRX Series devices when two different threads try to simultaneously process a queue which is used for TCP events flowd will crash. One of these threads can not be triggered externally, so the exploitation of this race condition is outside the attackers direct control.
Continued exploitation of this issue will lead to a sustained DoS.
This issue affects Juniper Networks Junos OS:
- 21.2 versions earlier than 21.2R3-S5;
- 21.3 versions earlier than 21.3R3-S5;
- 21.4 versions earlier than 21.4R3-S4;
- 22.1 versions earlier than 22.1R3-S3;
- 22.2 versions earlier than 22.2R3-S1;
- 22.3 versions earlier than 22.3R2-S2, 22.3R3;
- 22.4 versions earlier than 22.4R2-S1, 22.4R3.
This issue does not affect Juniper Networks Junos OS versions earlier than 21.2R1.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Juniper Networks | Junos OS | 21.2 < 21.2R3-S5 | affected |
| Juniper Networks | Junos OS | 21.3 < 21.3R3-S5 | affected |
| Juniper Networks | Junos OS | 21.4 < 21.4R3-S4 | affected |
| Juniper Networks | Junos OS | 22.1 < 22.1R3-S3 | affected |
| Juniper Networks | Junos OS | 22.2 < 22.2R3-S1 | affected |
| Juniper Networks | Junos OS | 22.3 < 22.3R2-S2, 22.3R3 | affected |
| Juniper Networks | Junos OS | 22.4 < 22.4R2-S1, 22.4R3 | affected |
Weaknesses
- CWE-362: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- Denial of Service
Workarounds
There are no known workarounds for this issue.
ADP Enrichment
CVE Program Container
Additional References
- https://supportportal.juniper.net/JSA75742
- https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://supportportal.juniper.net/JSA75742
- https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.