Critical Authentication Bypass in Juniper Session Smart Router CVE-2024-2973
Summary
Juniper Networks has issued an out-of-cycle security bulletin to address a critical vulnerability (CVE-2024-2973) that affects Session Smart Routers and Conductors running in high-availability redundant configurations. This vulnerability, with a CVSS score of 10, allows a network-based attacker to bypass authentication and take full control of the device. Users are strongly advised to upgrade to the latest software versions to mitigate this risk.
Affected Systems and/or Application
The following systems and versions are affected by this vulnerability:
Session Smart Router:
- Versions before 5.6.15
- Versions 6.0 before 6.1.9-lts
- Versions 6.2 before 6.2.5-sts
Session Smart Conductor:
- Versions before 5.6.15
- Versions 6.0 before 6.1.9-lts
- Versions 6.2 before 6.2.5-sts
WAN Assurance Router:
- Versions 6.0 before 6.1.9-lts
- Versions 6.2 before 6.2.5-sts
According to Juniper Networks, only routers or conductors running in high-availability redundant configurations are affected.
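The version list above can be turned into an inventory check. The following is an added example, not code from Juniper or from this advisory's authors: the inventory layout, product keys and status labels are assumptions, and the listed ranges are read as half-open intervals ending at the first fixed release.

```python
import re

# Half-open ranges [first affected, first fixed) from the advisory's version list.
_SSR = [((0, 0, 0), (5, 6, 15)), ((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))]
AFFECTED_RANGES = {
    "router": _SSR,
    "conductor": _SSR,
    "wan-assurance": _SSR[1:],  # advisory lists only the 6.x ranges for this product
}

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'SSR-6.1.9-lts' or '5.6.14'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def in_affected_range(product, version):
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES[product])

def triage(inventory):
    """Map device name -> 'affected', 'upgrade-recommended' or 'ok'."""
    by_name = {d["name"]: d for d in inventory}
    result = {}
    for d in inventory:
        if not (d["ha"] and in_affected_range(d["product"], d["version"])):
            result[d["name"]] = "ok"  # fixed release, or not an HA redundant setup
            continue
        conductor = by_name.get(d.get("conductor"))
        if conductor and not in_affected_range("conductor", conductor["version"]):
            # Advisory: routers connected to an upgraded Conductor receive the fix.
            result[d["name"]] = "upgrade-recommended"
        else:
            result[d["name"]] = "affected"
    return result

# Constructed sample inventory (hypothetical names and field layout).
INVENTORY = [
    {"name": "cond-a", "product": "conductor", "version": "6.2.5-sts", "ha": True},
    {"name": "edge-1", "product": "router", "version": "6.1.8-lts", "ha": True, "conductor": "cond-a"},
    {"name": "edge-2", "product": "router", "version": "5.6.14", "ha": True},
    {"name": "edge-3", "product": "router", "version": "6.2.4-sts", "ha": False},
    {"name": "wan-1", "product": "wan-assurance", "version": "5.6.10", "ha": True},
    {"name": "wan-2", "product": "wan-assurance", "version": "6.1.9-lts", "ha": True},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name}: {status}")
```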
Technical Details / Attack Overview
The vulnerability, identified as CVE-2024-2973, involves an authentication bypass using an alternate path or channel. Specifically, when Session Smart Routers or Conductors are configured in a high-availability redundant setup, a network-based attacker can exploit this flaw to bypass authentication mechanisms. This allows the attacker to gain full control over the affected device, posing a significant security risk.
Juniper Networks discovered this vulnerability through internal product security testing and research. As of now, there are no reports of this vulnerability being exploited in the wild.
Recommendations
- Update Affected Systems:
  - For Session Smart Router: Upgrade to SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, or subsequent releases.
  - For Session Smart Conductor: Upgrade to the same versions as above.
  - For WAN Assurance Router: Ensure the system is updated to version 6.1.9-lts or 6.2.5-sts.
- Conductor-Managed Deployment:
  - In environments managed by a Conductor, it is sufficient to upgrade the Conductor nodes only. The fix will be automatically applied to all connected routers. Although upgrading the routers is still recommended, they will not remain vulnerable once connected to an upgraded Conductor.
- MIST Managed WAN Assurance Routers:
  - For routers connected to the Mist cloud, the patch has been applied automatically.
General Recommendations
- Network Segmentation: Isolate vulnerable devices from critical network resources to limit potential exploitation impact.
- Access Controls: Implement strict firewall rules and access controls to limit exposure to vulnerable systems.
- Logging: Review any logging activities on the impacted devices between the time of the advisory and the update of the affected devices.
What is the CFC doing?
Kudelski Security has not observed or received indicators of active exploitation of these flaws. The CFC will continue to monitor the situation and send an advisory update if needed. Clients with vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans.
References
- https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-Bulletin-Session-Smart-Router-SSR-On-redundant-router-deployments-API-authentication-can-be-bypassed-CVE-2024-2973?language=en_US
- https://thehackernews.com/2024/07/juniper-networks-releases-critical.html