CVE-2024-30397

Summary

An Improper Check for Unusual or Exceptional Conditions vulnerability in the the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).

The pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.

This CPU utilization of pkid can be checked using this command:   root@srx> show system processes extensive | match pkid   xxxxx  root  103  0  846M  136M  CPU1  1 569:00 100.00% pkid

This issue affects: Juniper Networks Junos OS

  • All versions prior to 20.4R3-S10;
  • 21.2 versions prior to 21.2R3-S7;
  • 21.4 versions prior to 21.4R3-S5;
  • 22.1 versions prior to 22.1R3-S4;
  • 22.2 versions prior to 22.2R3-S3;
  • 22.3 versions prior to 22.3R3-S1;
  • 22.4 versions prior to 22.4R3;
  • 23.2 versions prior to 23.2R1-S2, 23.2R2.

Affected Software

VendorProductVersion RangeStatus
Juniper NetworksJunos OS0 < 20.4R3-S10affected
Juniper NetworksJunos OS21.2 < 21.2R3-S7affected
Juniper NetworksJunos OS21.4 < 21.4R3-S5affected
Juniper NetworksJunos OS22.1 < 22.1R3-S4affected
Juniper NetworksJunos OS22.2 < 22.2R3-S3affected
Juniper NetworksJunos OS22.3 < 22.3R3-S1affected
Juniper NetworksJunos OS22.4 < 22.4R3affected
Juniper NetworksJunos OS23.2 < 23.2R1-S2, 23.2R2affected

Weaknesses

  • CWE-754: CWE-754 Improper Check for Unusual or Exceptional Conditions
  • Denial of Service (DoS)

Workarounds

There are no known workarounds for this issue.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References