CVE-2024-21585 Overview
CVE-2024-21585 is an Improper Handling of Exceptional Conditions vulnerability (CWE-755) affecting BGP session processing in Juniper Networks Junos OS and Junos OS Evolved. It allows an unauthenticated network-based attacker to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Exploitation requires specific timing outside the attacker's control, but continued BGP session flapping can create a sustained DoS condition affecting network routing stability.
Critical Impact
This vulnerability can cause sustained Denial of Service on routers configured with Non-Stop Routing (NSR) enabled, potentially disrupting critical network infrastructure and BGP peering relationships.
Affected Products
- Juniper Networks Junos OS - All versions earlier than 20.4R3-S9; 21.2 versions earlier than 21.2R3-S7; 21.3 versions earlier than 21.3R3-S5; 21.4 versions earlier than 21.4R3-S5; 22.1 versions earlier than 22.1R3-S4; 22.2 versions earlier than 22.2R3-S3; 22.3 versions earlier than 22.3R3-S1; 22.4 versions earlier than 22.4R2-S2, 22.4R3; 23.2 versions earlier than 23.2R1-S1, 23.2R2
- Juniper Networks Junos OS Evolved - All versions earlier than 21.3R3-S5-EVO; 21.4 versions earlier than 21.4R3-S5-EVO; 22.1 versions earlier than 22.1R3-S4-EVO; 22.2 versions earlier than 22.2R3-S3-EVO; 22.3 versions earlier than 22.3R3-S1-EVO; 22.4 versions earlier than 22.4R2-S2-EVO, 22.4R3-EVO; 23.2 versions earlier than 23.2R1-S1-EVO, 23.2R2-EVO
- Note: SRX Series is NOT affected as NSR is not supported on these devices
Discovery Timeline
- January 12, 2024 - CVE-2024-21585 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-21585
Vulnerability Analysis
This vulnerability exists in the BGP session processing logic when Non-Stop Routing (NSR) is enabled in conjunction with Graceful Restart (GR) helper mode, which is enabled by default. The flaw involves improper handling of exceptional conditions during BGP session state transitions, specifically when the device is processing concurrent replication requests.
When a BGP session flaps on an NSR-enabled router, the device enters GR-helper or LLGR-helper mode because the peer has negotiated GR/LLGR-restarter capability. In this state, the backup BGP process requests replication of the GR/LLGR-helper session, and the master BGP schedules and initiates replication of GR/LLGR stale routes to the backup BGP process.
The vulnerability manifests when the BGP session with the peer comes up again while the router is still in GR/LLGR-helper mode—unsolicited replication is initiated for the peer without properly cleaning up the ongoing GR/LLGR-helper mode replication. This creates two parallel instances of replication for the same peer. If the BGP session flaps again during this condition, an assertion failure occurs, causing the rpd process to crash.
Root Cause
The root cause is an improper handling of exceptional conditions (CWE-755) in the BGP session replication logic. The code fails to properly manage the cleanup of existing replication sessions before initiating new ones during rapid BGP session state transitions. The assertion that triggers the crash occurs because the system encounters an unexpected state where duplicate replication instances exist for the same BGP peer—a condition the code was not designed to handle gracefully.
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker with the ability to influence BGP session stability (either as a BGP peer or through network manipulation) could potentially exploit this vulnerability by causing repeated BGP session flaps. However, successful exploitation depends on specific timing conditions outside the attacker's direct control, as the race condition between session establishment and replication cleanup must occur in a specific sequence. The attack targets the availability of the routing infrastructure without impacting confidentiality or integrity.
The vulnerability affects routers in environments where:
- Non-Stop Routing (NSR) is explicitly enabled
- Graceful Restart (GR) helper mode is enabled (default configuration)
- BGP peers have negotiated GR/LLGR-restarter capability
Detection Methods for CVE-2024-21585
Indicators of Compromise
- Unexpected crashes or restarts of the routing protocol daemon (rpd) process on Junos devices
- Repeated BGP session flapping events in system logs, particularly with NSR-enabled configurations
- Assertion failure messages in logs related to BGP replication or GR-helper mode processing
- Service disruptions in BGP peering relationships without clear external cause
Detection Strategies
- Monitor system logs for rpd crash events and correlate with BGP session state changes
- Implement alerting on multiple BGP session flaps occurring within short time windows
- Review device configurations to identify routers with NSR enabled that may be vulnerable
- Deploy SNMP or streaming telemetry monitoring for BGP peer state transitions and rpd process health
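The correlation described in the first two strategies can be sketched as follows. This is an added example, not vendor tooling: the sample log lines are constructed, and the message layouts the regular expressions expect (the RPD_BGP_NEIGHBOR_STATE_CHANGED text and the kernel "exited on signal" line) are assumptions to adjust to the syslog your devices actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input; layout is an assumption modelled on Junos syslog.
SAMPLE_LOG = """\
Jan 15 10:00:01 r1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 65001) changed state from Established to Idle (event RecvNotify) (instance master)
Jan 15 10:00:40 r1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 65001) changed state from OpenConfirm to Established (event RecvKeepAlive) (instance master)
Jan 15 10:01:05 r1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 192.0.2.1 (External AS 65001) changed state from Established to Idle (event RecvNotify) (instance master)
Jan 15 10:01:05 r1 rpd[2101]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer 198.51.100.7 (External AS 65002) changed state from Established to Idle (event HoldTime) (instance master)
Jan 15 10:01:06 r1 kernel: pid 2101 (rpd), uid 0: exited on signal 6 (core dumped)
"""

TS = r"(\w{3}\s+\d+ \d\d:\d\d:\d\d)"
STATE_RE = re.compile(TS + r" \S+ rpd\[\d+\]: RPD_BGP_NEIGHBOR_STATE_CHANGED: "
                      r"BGP peer (\S+) .*?changed state from (\w+) to (\w+)")
CRASH_RE = re.compile(TS + r" \S+ .*\(rpd\).*exited on signal (\d+)")

def parse_ts(text, year):
    # Classic syslog timestamps carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def correlate(log_text, window=timedelta(minutes=10), min_drops=2, year=2024):
    """Return [(crash_time, signal, [peers])]: for every rpd crash, the peers
    that left Established at least min_drops times in the preceding window."""
    drops = defaultdict(list)          # peer -> times it left Established
    findings = []
    for line in log_text.splitlines():
        m = STATE_RE.match(line)
        if m:
            ts, peer, old, new = m.groups()
            if old == "Established" and new != "Established":
                drops[peer].append(parse_ts(ts, year))
            continue
        m = CRASH_RE.match(line)
        if m:
            crash = parse_ts(m.group(1), year)
            peers = sorted(p for p, times in drops.items()
                           if sum(crash - window <= t <= crash for t in times) >= min_drops)
            findings.append((crash, int(m.group(2)), peers))
    return findings

if __name__ == "__main__":
    for crash, sig, peers in correlate(SAMPLE_LOG):
        print(f"{crash} rpd exited on signal {sig}; repeated flaps before crash: {peers}")
```

A crash reported with an empty peer list is still worth triage, but it does not match the flap, re-establish, flap sequence described in the Vulnerability Analysis section.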
Monitoring Recommendations
- Enable detailed logging for BGP session events and routing protocol daemon status
- Configure syslog forwarding to a centralized SIEM for correlation analysis of BGP-related events
- Establish baseline metrics for normal BGP session behavior to detect anomalous flapping patterns
- Implement network monitoring for BGP session stability across all NSR-enabled routing infrastructure
How to Mitigate CVE-2024-21585
Immediate Actions Required
- Review router configurations to identify devices with Non-Stop Routing (NSR) enabled
- Prioritize patching for NSR-enabled devices that are critical to network infrastructure
- Consider temporarily disabling NSR on critical routers until patches can be applied if the risk of exploitation outweighs the benefit of NSR
- Monitor BGP session stability closely on vulnerable devices
Patch Information
Juniper Networks has released security patches addressing this vulnerability. Administrators should upgrade to the following fixed versions:
Junos OS: 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, or later releases.
Junos OS Evolved: 21.3R3-S5-EVO, 21.4R3-S5-EVO, 22.1R3-S4-EVO, 22.2R3-S3-EVO, 22.3R3-S1-EVO, 22.4R2-S2-EVO, 22.4R3-EVO, 23.2R1-S1-EVO, 23.2R2-EVO, or later releases.
For complete patch details, refer to the Juniper Support Advisory JSA75723.
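For inventory triage, the fixed-release lists above can be turned into a version check. This is an added example, not Juniper code: the function and table names are hypothetical, trains later than 23.2 are assumed to be fixed because the page does not list them as affected, and trains the page does not mention (such as 21.1) are reported as unlisted rather than guessed.

```python
import re

# (R, S) fix points per release train, transcribed from the lists above.
JUNOS = {(20, 4): [(3, 9)], (21, 2): [(3, 7)], (21, 3): [(3, 5)], (21, 4): [(3, 5)],
         (22, 1): [(3, 4)], (22, 2): [(3, 3)], (22, 3): [(3, 1)],
         (22, 4): [(2, 2), (3, 0)], (23, 2): [(1, 1), (2, 0)]}
# Junos OS Evolved has the same fix points, starting at the 21.3 train.
EVO = {train: fixes for train, fixes in JUNOS.items() if train >= (21, 3)}

# Matches e.g. 21.4R3-S5, 21.4R3-S5.4 (build suffix) and 22.4R3-S1.3-EVO.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")

def status(version):
    """Classify a release string as 'vulnerable', 'fixed', 'unlisted' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"        # other naming schemes: check by hand
    major, minor, r, s = (int(g or 0) for g in m.group(1, 2, 3, 4))
    table = EVO if m.group(5) else JUNOS
    train = (major, minor)
    if train < min(table):
        return "vulnerable"      # "All versions earlier than ..."
    if train > max(table):
        return "fixed"           # assumption: later train than any listed
    if train not in table:
        return "unlisted"        # train the page does not mention
    fixes = table[train]
    # Fixed at or after a listed service release of the same R, or on a later R.
    if any(r == fr and s >= fs for fr, fs in fixes) or r > max(fr for fr, _ in fixes):
        return "fixed"
    return "vulnerable"

if __name__ == "__main__":
    # Constructed inventory for illustration.
    for v in ["20.4R3-S8", "22.4R2-S2", "22.4R2-S1", "23.2R1", "21.1R3-S5", "22.3R3-S1-EVO"]:
        print(f"{v:16} {status(v)}")
```

A "vulnerable" result only means the release predates the fix; the device is exposed only if NSR is also enabled, and SRX Series is not affected.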
Workarounds
- Disable Non-Stop Routing (NSR) on affected devices if operational requirements permit, as this is a prerequisite for exploitation
- Consider disabling Graceful Restart helper mode on peers where it is not operationally required, though this may impact failover behavior
- Implement BGP session authentication (MD5 or TCP-AO) to reduce the attack surface from unauthorized peers
- Review the Juniper GR and LLGR capability documentation for additional configuration guidance
```
# Check if NSR is enabled on your Junos device (operational mode)
show configuration routing-options nonstop-routing
# Disable NSR as a temporary workaround (if operationally acceptable)
# The delete and commit statements are entered in configuration mode
configure
delete routing-options nonstop-routing
commit
exit
# Verify BGP GR helper mode configuration (operational mode)
show bgp neighbor | match "Graceful Restart"
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


