July 1, 2024 at 07:38AM
A critical vulnerability (CVE-2024-2973) in Juniper Networks routers scored a perfect 10 on CVSS systems. Juniper advised applying emergency patches due to an authentication bypass bug that could allow network-based attackers to take control. The bug affects Smart Session Router, Session Smart Conductor, and WAN Assurance Routers, potentially causing significant disruptions. Juniper recommended immediate upgrading.
From the meeting notes provided, the main takeaways are as follows:
– A critical vulnerability affecting Juniper Networks routers, identified as CVE-2024-2973, has prompted the vendor to release emergency patches. The vulnerability allows an authentication bypass, enabling a network-based attacker to take full control of the device. This impacts Juniper’s Smart Session Router, Session Smart Conductor management platform, and WAN Assurance Routers running high-availability redundant configurations.
– The severity of the vulnerability is underscored by its perfect 10 rating on both the CVSS 3.1 and CVSS 4 systems. Although there is no evidence of exploitation in the wild, Juniper’s decision to release patches outside of the products’ usual cycle reflects its concern about the severity and potential exploitability.
– Specific vulnerable versions include those before 5.6.15 for Session Smart Routers, before 6.1.9-lts for versions from 6.0 to 6.1.9, and before 6.2.5-sts for versions from 6.2 to 6.2.5-sts. The same versions are also vulnerable for Session Smart Conductor.
– For WAN Assurance Routers managed by the Session Smart Conductor platform, Juniper recommends upgrading Conductor nodes to automatically apply the security fixes to connected routers. The vendor advises upgrading each vulnerable router individually but suggests a quicker alternative of upgrading the Conductor nodes before addressing the full job. The patch has been automatically applied to WAN Assurance Routers managed by Juniper Mist, with Juniper emphasizing minimal disruption to production traffic and web-based management during the fix application.
This summarizes the key points from the meeting notes regarding the critical vulnerability affecting Juniper Networks routers and the necessary actions for mitigation and patching.