July 1, 2024 at 07:28AM
Juniper Networks issued an out-of-cycle security bulletin regarding a critical vulnerability, tracked as CVE-2024-2973, which can lead to an authentication bypass on Session Smart routers and conductor products. The company advised affected systems to upgrade to specific software versions and noted that the vulnerability has been automatically resolved on certain managed routers. No workarounds are available.
CVE-2024-2973 carries a CVSS score of 10 and is an authentication bypass in Session Smart Router and Conductor products. It allows a network-based attacker to bypass authentication and take full control of the affected devices.
The impacted versions include Session Smart Router and Conductor versions before 5.6.15, 6.1.9-lts, and 6.2.5-sts, as well as WAN Assurance router versions before 6.1.9-lts and 6.2.5-sts. The company recommends upgrading all affected systems to versions SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases to address this vulnerability. In a Conductor-managed deployment, upgrading the Conductor nodes is sufficient, and the fix will be automatically applied to all connected routers.
For Mist-managed WAN Assurance routers connected to the Mist cloud, the vulnerability has been automatically resolved on affected devices. The application of the fix is non-disruptive to production traffic, with a possible downtime of less than 30 seconds to the web-based management and APIs. Juniper Networks has indicated that there are no workarounds available for the vulnerability and it is not aware of the flaw being exploited in attacks.
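To triage an inventory against the fixed releases listed above, the following added example (not Juniper tooling and not part of the original bulletin) maps each device to the remediation path the summary describes. The inventory fields, the `managed_by` values, the device names and the reading of each fixed release as the threshold for its own release train are assumptions.

```python
import re

# (lowest version in range, first fixed version, fixed release label from the summary).
# Assumption: each fixed release is the threshold for its own release train.
FIXED = [
    ((0, 0, 0), (5, 6, 15), "SSR-5.6.15"),
    ((6, 0, 0), (6, 1, 9), "SSR-6.1.9-lts"),
    ((6, 2, 0), (6, 2, 5), "SSR-6.2.5-sts"),
]

def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.1.8-lts' or 'SSR-5.6.14'."""
    m = re.match(r"(?:SSR-)?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())

def fixed_release(version):
    """Return the fixed release to move to, or None if the version already has the fix."""
    v = parse_version(version)  # integer tuples, so 6.1.10 sorts after 6.1.9
    for low, fixed, label in FIXED:
        if low <= v < fixed:
            return label
    return None

def triage(inventory):
    """Map each affected device name to the action described in the summary."""
    actions = {}
    for dev in inventory:
        target = fixed_release(dev["version"])
        if target is None:
            continue
        if dev["managed_by"] == "mist":
            actions[dev["name"]] = "confirm the Mist cloud applied the fix"
        elif dev["managed_by"] == "conductor":
            actions[dev["name"]] = "covered by upgrading its Conductor"
        else:
            actions[dev["name"]] = f"upgrade to {target} or later"
    return actions

# Constructed sample inventory (hypothetical names and versions).
INVENTORY = [
    {"name": "conductor-1", "version": "6.1.8-lts", "managed_by": "self"},
    {"name": "branch-rtr-1", "version": "6.1.8-lts", "managed_by": "conductor"},
    {"name": "branch-rtr-2", "version": "5.6.14", "managed_by": "self"},
    {"name": "wan-edge-1", "version": "6.2.4-sts", "managed_by": "mist"},
    {"name": "lab-rtr-1", "version": "6.2.5-sts", "managed_by": "self"},
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY).items():
        print(f"{name}: {action}")
```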
Additionally, there are related security advisories and patches published by Juniper Networks for switches, firewalls, and other products.