CVE-2024-21616 Overview
CVE-2024-21616 is a denial-of-service vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS. The flaw stems from improper validation of syntactic correctness of input [CWE-1286] when the Session Initiation Protocol Application Layer Gateway (SIP ALG) processes specific SIP packets on MX Series and SRX Series platforms. An unauthenticated, network-based attacker can send a crafted SIP packet that causes Network Address Translation (NAT) IP allocation to fail for legitimate traffic. Sustained delivery of the offending packet produces a continuous DoS condition affecting genuine subscriber traffic traversing the device.
Critical Impact
Remote, unauthenticated attackers can exhaust NAT IP allocation on Juniper MX and SRX devices running SIP ALG, blocking legitimate traffic and producing a sustained denial-of-service condition.
Affected Products
- Juniper Networks Junos OS on MX Series: all versions before 21.2R3-S6; 21.3 versions before 21.3R3-S5; 21.4 versions before 21.4R3-S5; 22.1 versions before 22.1R3-S4; 22.2 versions before 22.2R3-S3; 22.3 versions before 22.3R3-S1; 22.4 versions before 22.4R2-S2 and 22.4R3; 23.2 versions before 23.2R1-S1 and 23.2R2
- Juniper Networks Junos OS on SRX Series: the same version ranges as MX Series
- Only deployments with SIP ALG enabled and NAT in use are exposed; the condition does not occur when SIP ALG is disabled (see Workarounds)
Discovery Timeline
- 2024-01-12 - CVE-2024-21616 published to the National Vulnerability Database
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2024-21616
Vulnerability Analysis
The vulnerability resides in the Packet Forwarding Engine path that processes SIP traffic through the Application Layer Gateway. SIP ALG inspects SIP signaling to dynamically open pinholes and rewrite embedded addresses for NAT traversal. When a SIP packet with a specific malformed structure reaches the PFE, the syntactic validation logic fails to handle it correctly. The result is a leak or mis-accounting of NAT source-pool resources.
On SRX Series the condition is visible in the operational-mode command show security nat resource-usage source-pool <source_pool_name>: the Single Ports Used counter for an address climbs while Avail falls, until the address is effectively exhausted (for example 96% usage on a single address) and new sessions are denied a translation. Because the triggering packet does not have to be sent at high rate, continued receipt of it keeps the pool starved indefinitely.
Root Cause
The flaw is classified under [CWE-1286] — Improper Validation of Syntactic Correctness of Input. The SIP ALG code path does not reject or safely discard a SIP packet whose structure violates expected grammar. Instead, packet processing proceeds along a path that consumes or fails to release NAT translation resources from the configured source pool, leaving NAT IP and port allocations effectively unreachable for genuine sessions.
Attack Vector
Exploitation requires only network reachability to the affected device on a path where SIP ALG inspection applies. No authentication, no user interaction, and no privileges are needed. An attacker delivers the crafted SIP packet to any interface where SIP ALG is engaged. Because the trigger is a single specific SIP message, the attacker does not need to flood the device — repeated delivery of low-volume traffic is sufficient to maintain the DoS state. The impact is limited to availability; confidentiality and integrity of data are not affected.
Detection Methods for CVE-2024-21616
Indicators of Compromise
- Rapid growth of Used Single Ports in show security nat resource-usage source-pool output without corresponding subscriber session growth
- NAT source-pool usage approaching or sustained near 100% while subscriber count remains normal
- Legitimate users reporting failed outbound connections through the NAT-enabled MX or SRX device
- Unusual or malformed inbound SIP signaling traffic on UDP/TCP 5060 directed at the device
Detection Strategies
- Baseline NAT source-pool utilization during normal traffic windows and alert on sudden saturation events
- Inspect packet captures of SIP traffic for malformed headers, oversized fields, or non-RFC-compliant message structure
- Correlate PFE syslog messages relating to ALG processing with spikes in NAT allocation failures
- Monitor for repeated SIP packets from the same source where session establishment never completes
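The counters described under Vulnerability Analysis and the first two indicators above are the signal an operator actually has. The script below is an added example, not Juniper code and not from JSA75757: it parses the text of show security nat resource-usage source-pool as a scheduled CLI poll would capture it, and alerts both on per-address saturation and on port consumption that is out of proportion to the active session count, which is the divergence this CVE produces. The sample output and its column layout, the PortUsage and check_pool names, and the four-ports-per-session heuristic are all constructed for the example; verify the column order against a real device before relying on the regex.

```python
"""Detection helper for NAT source-pool exhaustion of the CVE-2024-21616 kind.

Added example, not Juniper code and not part of the advisory. Parses the
output of 'show security nat resource-usage source-pool <pool>' (SRX) as a
scripted poll would collect it. The sample text, column layout, and session
count below are constructed for the example.
"""
import re
from dataclasses import dataclass

SATURATION_PCT = 90          # alert when an address's Single Ports usage reaches this
PORTS_PER_SESSION_LIMIT = 4  # assumed upper bound on ports a normal session needs

# Constructed sample: one pool address at 96% while session load is modest.
SAMPLE_OUTPUT = """\
Pool name: src-pool-1
Port-overloading-factor: 1
Port-range: 1024 - 63487, 64512 - 65535

Address          Factor-index  Port-range    Used   Avail  Total   Usage
192.0.2.10       -             Single Ports  60948  2540   63488   96%
                 -             Twin Ports    0      1024   1024    0%
192.0.2.11       -             Single Ports  120    63368  63488   0%
                 -             Twin Ports    0      1024   1024    0%
"""

POOL_RE = re.compile(r"^Pool name:\s+(\S+)", re.M)
# The Twin Ports row is printed without an address, so the address is optional
# here and carried forward from the preceding Single Ports row.
ROW_RE = re.compile(
    r"^(?P<addr>\d+\.\d+\.\d+\.\d+)?\s+-\s+(?P<kind>Single Ports|Twin Ports)"
    r"\s+(?P<used>\d+)\s+(?P<avail>\d+)\s+(?P<total>\d+)\s+(?P<pct>\d+)%\s*$"
)


@dataclass
class PortUsage:
    pool: str
    address: str
    kind: str       # "Single Ports" or "Twin Ports"
    used: int
    avail: int
    total: int

    @property
    def percent(self) -> float:
        # Recomputed from the counters rather than trusting the printed column.
        return 100.0 * self.used / self.total if self.total else 0.0


def parse_source_pool(text: str) -> list[PortUsage]:
    """Return one PortUsage per (address, port kind) row of the command output."""
    m = POOL_RE.search(text)
    if not m:
        raise ValueError("no 'Pool name:' line found")
    pool = m.group(1)
    rows, current_addr = [], None
    for line in text.splitlines():
        r = ROW_RE.match(line)
        if not r:
            continue
        if r.group("addr"):
            current_addr = r.group("addr")
        if current_addr is None:
            raise ValueError(f"port row before any address: {line!r}")
        rows.append(PortUsage(pool, current_addr, r.group("kind"),
                              int(r.group("used")), int(r.group("avail")),
                              int(r.group("total"))))
    return rows


def check_pool(text: str, active_sessions: int) -> list[str]:
    """Alert on (a) any address whose Single Ports usage is at or above
    SATURATION_PCT and (b) total Single Ports consumption exceeding what
    active_sessions could plausibly need. (b) is the CVE-2024-21616 signal:
    the pool fills while the session count stays normal."""
    alerts = []
    rows = [r for r in parse_source_pool(text) if r.kind == "Single Ports"]
    for r in rows:
        if r.percent >= SATURATION_PCT:
            alerts.append(f"{r.pool}: {r.address} Single Ports at "
                          f"{r.percent:.0f}% ({r.used}/{r.total})")
    total_used = sum(r.used for r in rows)
    expected_max = active_sessions * PORTS_PER_SESSION_LIMIT
    if rows and total_used > expected_max:
        alerts.append(f"{rows[0].pool}: {total_used} ports used for "
                      f"{active_sessions} sessions (expected <= {expected_max})")
    return alerts


if __name__ == "__main__":
    # active_sessions would come from 'show security flow session summary' in practice.
    for a in check_pool(SAMPLE_OUTPUT, active_sessions=300):
        print("ALERT", a)
```

Feed the script the raw text from a periodic CLI collection and the concurrent session count from the flow session summary; the divergence check is what separates this condition from an ordinary busy-hour pool filling up, since a legitimate surge raises both numbers together.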
Monitoring Recommendations
- Schedule periodic polling of NAT resource-usage via SNMP or scripted CLI collection and forward results to a centralized log platform
- Enable flow-based logging on SIP traffic so anomalous SIP signaling patterns can be retained for analysis
- Build dashboards tracking NAT pool exhaustion alongside SIP session counts to spot divergence quickly
- Alert on the appearance of SIP messages from non-VoIP peer ranges hitting WAN-facing interfaces
How to Mitigate CVE-2024-21616
Immediate Actions Required
- Apply the fixed Junos OS release for the deployed code train as listed in Juniper advisory JSA75757
- If patching cannot be performed immediately, disable SIP ALG where it is not operationally required
- Restrict SIP traffic to known peer ranges using firewall filters on edge interfaces
- Audit current NAT source-pool utilization and verify alerting is in place for saturation events
Patch Information
Juniper Networks resolved CVE-2024-21616 in Junos OS 21.2R3-S6, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, and all subsequent releases. Refer to the Juniper Security Advisory JSA75757 for the complete fixed-version list and upgrade procedures.
Workarounds
- Disable SIP ALG with set security alg sip disable (SRX configuration hierarchy) where SIP inspection is not required; note that SIP endpoints behind the NAT that depend on the ALG to rewrite SDP addresses and open media pinholes lose that assistance
- Apply stateless firewall filters to drop SIP signaling from untrusted sources before it reaches the ALG
- Limit where the ALG is engaged: permit the junos-sip application only in security policies between the zones that actually carry VoIP signaling, rather than in broad any/any policies
- Implement rate limiting on UDP/TCP port 5060 traffic at the network edge
# Configuration example - disable SIP ALG on Junos SRX (configuration mode)
configure
set security alg sip disable
commit
# Confirm the ALG state (operational mode; prefix with "run" from configuration mode)
show security alg status
# Verify NAT source-pool utilization (operational mode)
show security nat resource-usage source-pool <source_pool_name>
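The filter-based workarounds above (restricting SIP to known peers, dropping it before the ALG, rate limiting 5060) fit in one stateless filter. The configuration below is an added example, not from Juniper or JSA75757: it admits SIP signaling only from a trusted peer prefix, counts and discards the rest on the untrusted interface before the flow module and ALG ever see it, and passes everything else through. The prefix 203.0.113.0/24, the interface ge-0/0/0, and the filter, term, and counter names are placeholders for the operator's own values.

```junos
/* Added example, not from Juniper or JSA75757. 203.0.113.0/24 stands in for
   the operator's trusted SIP peers and ge-0/0/0 for the untrusted interface;
   both are placeholders. Load with "load merge" and commit. */
policy-options {
    prefix-list sip-peers {
        203.0.113.0/24;
    }
}
firewall {
    family inet {
        filter untrusted-in {
            /* SIP signaling from known peers still reaches the ALG as before */
            term trusted-sip {
                from {
                    source-prefix-list {
                        sip-peers;
                    }
                    protocol [ udp tcp ];
                    destination-port 5060;
                }
                then accept;
            }
            /* All other SIP signaling is counted and dropped before ALG
               inspection. Replace "discard" with "policer <name>" if a hard
               drop of unknown SIP sources is not acceptable. */
            term other-sip {
                from {
                    protocol [ udp tcp ];
                    destination-port 5060;
                }
                then {
                    count sip-untrusted-drops;
                    discard;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input untrusted-in;
                }
            }
        }
    }
}
```

Check the sip-untrusted-drops counter with show firewall filter untrusted-in after committing; a steady non-zero rate is itself a useful indicator that someone is probing the ALG path. The filter only covers cleartext SIP on 5060, which is also the only form the ALG inspects; SIP over TLS on 5061 is not parsed by the ALG and needs no special handling here.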
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


