Warning: critical vulnerability in Juniper Networks Session Smart Router, Session Smart Conductor and WAN Assurance Routers can be exploited to execute code. Patch immediately!

Published: 28/06/2024

Reference:
Advisory #2024-100

Version:
1.0

Affected software:
Juniper Networks products: Session Smart Router, Session Smart Conductor, WAN Assurance Routers

Type:
Remote code execution

CVE/CVSS:
CVE-2024-2973: 10.0 (CVSS:3.1/AV:N/AC:N/PR:N/UI:N/C:H/I:H/A:H)

Sources

Juniper Networks advisory - https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US

Risks

On 27 June 2024, Juniper Networks published a security advisory about a critical vulnerability affecting several of their products, namely Session Smart Router, Session Smart Conductor and WAN Assurance Router. Successful exploitation of this vulnerability could lead to remote code execution.

Please note that only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability.

The affected products are software used on gateway devices. Vulnerabilities in Juniper routers – among other device types – are regularly targeted by threat actors, including earlier this year.[1] There is presently no information indicating the vulnerability is being actively exploited (cut-off date: 28 June 2024).

Exploitation of this vulnerability can have a high impact on confidentiality, integrity and availability.

 

Description

CVE-2024-2973 is an authentication bypass using an alternate path or channel vulnerability. This vulnerability exists in Juniper Networks Session Smart Router or Conductor running a redundant peer. Please note that only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability.

If successfully exploited, a network-based attacker could bypass authentication and take full control of the device.
 

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices, after thorough testing.

Juniper Networks reported this vulnerability is fixed with the following software updates: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases.

Please note that upgrade requirements may differ based on the software used:

  • In a Conductor-managed deployment, it is sufficient to upgrade the Conductor nodes only and the fix will be applied automatically to all connected routers. Where practical, the routers should still be upgraded to a fixed version; however, they will not be vulnerable once they connect to an upgraded Conductor.
  • This vulnerability has been patched automatically on affected devices for WAN Assurance routers connected to the Mist Cloud. For systems that are provisioned in a High-Availability cluster, these should be upgraded to a patched version as soon as practical (SSR-6.1.9 or SSR-6.2.5).
  • The fix that is applied automatically on routers managed by a Conductor, or on WAN Assurance routers, has no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic. There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs; however, this will resolve quickly.
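The upgrade guidance above can be applied to a device inventory as follows. This is an added example, not code from CCB or Juniper. The inventory schema (`name`, `version`, `ha`, `conductor_version`) is hypothetical, and measuring each release against the first fixed release line at or above its own is an assumption, since this page lists only the fixed releases.

```python
import re

# Fixed releases named in the advisory, keyed by release line (major, minor).
FIXED = {(5, 6): (5, 6, 15), (6, 1): (6, 1, 9), (6, 2): (6, 2, 5)}

def parse_version(text):
    """Turn 'SSR-6.1.9-lts', '6.2.5-sts' or '5.6.14' into (6, 1, 9) etc."""
    m = re.fullmatch(r"(?:SSR-)?(\d+)\.(\d+)\.(\d+)(?:-[\w.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version: {text!r}")
    return tuple(int(g) for g in m.groups())

def is_fixed(version):
    """Assumption: compare against the first fixed line at or above the device's own
    line, so 6.0.x is measured against 6.1.9 and anything above 6.2 counts as fixed."""
    v = parse_version(version)
    for line in sorted(FIXED):
        if v[:2] <= line:
            return v >= FIXED[line]
    return True  # newer than every listed line: a "subsequent release"

def triage(device):
    """Classify one inventory record (hypothetical schema: name, version, ha,
    optional conductor_version for Conductor-managed routers)."""
    if not device["ha"]:
        return "not-affected"          # only HA redundant deployments are affected
    if is_fixed(device["version"]):
        return "fixed"
    conductor = device.get("conductor_version")
    if conductor and is_fixed(conductor):
        return "covered-by-conductor"  # still upgrade the router when practical
    return "patch-now"

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "conductor-a", "version": "SSR-6.1.8-lts", "ha": True},
    {"name": "edge-1", "version": "5.6.14", "ha": True, "conductor_version": "6.2.5-sts"},
    {"name": "edge-2", "version": "6.2.3", "ha": False},
    {"name": "edge-3", "version": "6.3.0", "ha": True},
    {"name": "edge-4", "version": "6.0.4", "ha": True},
]

def report(inventory):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:12} {status}")
```

Version strings that do not parse raise an error rather than being silently treated as fixed, so unknown builds surface for manual review.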

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.