July 1, 2024 at 02:34PM
Juniper Networks released an emergency patch for a critical authentication bypass vulnerability, tracked as CVE-2024-2973, affecting Session Smart Router, Conductor, and WAN Assurance Router. The flaw, found internally, has the highest CVSS score of 10. Immediate updates for affected devices are recommended to prevent exploitation. Automatic updates will not disrupt data plane router functions.
Based on the meeting notes, the key takeaways are:
– Juniper Networks has released an emergency patch for a critical authentication bypass vulnerability affecting certain devices, which has been assigned the highest possible CVSS score of 10.
– The vulnerability, tracked under CVE-2024-2973, affects the Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Router, and could allow a threat actor to take full control of an unpatched device.
– Only routers or conductors running in high-availability redundant configurations are affected by this vulnerability.
– Juniper Networks recommended immediate updates to Session Smart Routers SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases.
– In a Conductor-managed deployment, it is sufficient to upgrade the Conductor nodes only and the fix will be applied automatically to all connected routers.
– Managed routers will be automatically updated, which won’t impact any data plane router functions, and the application of the fix is non-disruptive to production traffic.
– The company added that the flaw was found during internal security testing and there is no evidence the bug has yet been exploited in the wild.
These takeaways capture the critical information from the meeting notes related to the emergency patch for the vulnerability in Juniper Networks’ devices.