Juniper Networks has released out-of-band security updates to address a critical security flaw that could lead to an authentication bypass in some of its routers.
The vulnerability, tracked as CVE-2024-2973, carries a CVSS score of 10.0, indicating maximum severity.
“An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network based attacker to bypass authentication and take full control of the device,” the company said in an advisory issued last week.
According to Juniper Networks, the shortcoming affects only those routers or conductors that are running in high-availability redundant configurations. The list of impacted devices is listed below –
- Session Smart Router (all versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts)
- Session Smart Conductor (all versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts)
- WAN Assurance Router (6.0 versions before 6.1.9-lts and 6.2 versions before 6.2.5-sts)
The networking equipment maker, which was bought out by Hewlett Packard Enterprise (HPE) for approximately $14 billion earlier this year, said it found no evidence of active exploitation of the flaw in the wild.
It also said that it discovered the vulnerability during internal product testing and that there are no workarounds that resolve the issue.
“This vulnerability has been patched automatically on affected devices for MIST managed WAN Assurance routers connected to the Mist Cloud,” it further noted. “It is important to note that the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers has no impact on data-plane functions of the router.”
In January 2024, the company also rolled out fixes for a critical vulnerability in the same products (CVE-2024-21591, CVSS score: 9.8) that could enable an attacker to cause a denial-of-service (DoS) or remote code execution and obtain root privileges on the devices.
With multiple security flaws affecting the company’s SRX firewalls and EX switches weaponized by threat actors last year, it’s essential that users apply the patches to protect against potential threats.