Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-21597

CVE-2024-21597: Juniper Junos Auth Bypass Vulnerability

CVE-2024-21597 is an authentication bypass vulnerability in Juniper Junos OS on MX Series that allows attackers to bypass firewall filters in Abstracted Fabric scenarios. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-21597 Overview

CVE-2024-21597 is an Exposure of Resource to Wrong Sphere vulnerability [CWE-668] in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS running on MX Series routers. An unauthenticated, network-based attacker can bypass intended access restrictions configured via loopback (lo0) firewall filters. The flaw arises in Abstracted Fabric (AF) deployments when routing-instances (RI) are configured. Specific valid traffic destined to the device is received in the wrong RI context, causing the configured lo0 filters to be skipped. Juniper published advisory JSA75738 covering affected releases and fixes.

Critical Impact

Unauthenticated remote attackers can reach control-plane services on MX Series routers that operators believed were protected by lo0 firewall filters, exposing routing and management protocols to integrity attacks.

Affected Products

  • Juniper Networks Junos OS on MX Series, all versions earlier than 20.4R3-S9
  • Juniper Networks Junos OS on MX Series 21.2 versions earlier than 21.2R3-S3, 21.4 versions earlier than 21.4R3-S5, 22.1 versions earlier than 22.1R3
  • Juniper Networks Junos OS on MX Series 22.2 versions earlier than 22.2R3 and 22.3 versions earlier than 22.3R2

Discovery Timeline

  • 2024-01-12 - CVE-2024-21597 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-21597

Vulnerability Analysis

The vulnerability resides in how the Packet Forwarding Engine handles incoming packets in an Abstracted Fabric topology. AF presents multiple physical line cards as a single logical fabric to the rest of the system. When operators configure routing-instances on an MX Series device using AF, certain packets destined to the device itself are evaluated against the firewall filters of the wrong routing-instance. Because lo0 filters are typically the primary mechanism for protecting the Routing Engine and control-plane protocols, this misclassification permits traffic that should have been dropped to reach services such as BGP, SSH, SNMP, or NETCONF listeners. The attacker requires no authentication and no user interaction, and the issue is reachable over the network.

Root Cause

The root cause is incorrect routing-instance context attribution within the PFE for traffic terminating on the device. The packet is associated with an RI other than the one whose lo0 filter would normally apply, so the filter is never evaluated against that flow. This is a classic CWE-668 condition where a protected resource (the control plane) is exposed to a sphere (a different RI) that lacks the intended access controls.

Attack Vector

An attacker sends crafted but otherwise valid IPv4 or IPv6 traffic destined to an MX Series device participating in an AF scenario with configured routing-instances. The packet enters via an interface bound to an RI that does not enforce the operator's lo0 firewall filter. Because the network is the only prerequisite and complexity is low, an attacker on any path with reachability to the device address can leverage this issue to probe or interact with control-plane services intended to be filtered.

No public proof-of-concept is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.375%, indicating low predicted exploitation activity in the near term. Technical details and fixed releases are documented in the Juniper Security Advisory JSA75738.

Detection Methods for CVE-2024-21597

Indicators of Compromise

  • Unexpected control-plane connections to the MX Series Routing Engine from source addresses that should be blocked by lo0 firewall filters.
  • Authentication attempts or session establishment on management services (SSH, NETCONF, SNMP) from networks outside the approved management range.
  • Routing protocol adjacency or session attempts from peers not configured in the intended RI.

Detection Strategies

  • Audit running configuration on MX Series devices to enumerate routing-instances and confirm whether AF is in use alongside lo0 filters.
  • Compare expected versus observed control-plane traffic by exporting flow telemetry (Jflow/IPFIX) and correlating against firewall filter counters.
  • Monitor show firewall filter counters for the configured lo0 filter and look for traffic that bypassed counters but still reached the Routing Engine.

Monitoring Recommendations

  • Forward Junos syslog and RE authentication events to a centralized SIEM or data lake for correlation across devices.
  • Alert on new or anomalous source addresses establishing sessions to control-plane ports (22, 830, 161, 179).
  • Track Junos software versions across the MX fleet and flag any device still running a release listed in JSA75738.

How to Mitigate CVE-2024-21597

Immediate Actions Required

  • Inventory all MX Series devices and identify those running Junos OS versions earlier than the fixed releases listed in JSA75738.
  • Schedule upgrades to a fixed release: 20.4R3-S9, 21.2R3-S3, 21.4R3-S5, 22.1R3, 22.2R3, 22.3R2, or later.
  • Restrict network reachability to the MX Series control plane at upstream devices until patches are deployed.

Patch Information

Juniper Networks resolved the issue in Junos OS releases 20.4R3-S9, 21.2R3-S3, 21.4R3-S5, 22.1R3, 22.2R3, 22.3R2, and all subsequent releases. Refer to the Juniper Security Advisory JSA75738 for the authoritative list of fixed versions and upgrade guidance.

Workarounds

  • Apply additional access control lists on upstream routers to filter traffic destined to MX Series loopback addresses.
  • Where feasible, reconsider the Abstracted Fabric and routing-instance configuration to reduce exposure of lo0 services through unintended RIs.
  • Tighten management-plane reachability using out-of-band management networks and jump hosts instead of relying solely on in-band lo0 filters.
bash
# Verify Junos version on MX Series and inspect lo0 filter usage
show version | match Junos
show configuration interfaces lo0 unit 0 family inet filter
show firewall filter <lo0-filter-name> counter
show route-instance summary

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.