CVE-2024-30394 Overview
CVE-2024-30394 is a stack-based buffer overflow vulnerability in the Routing Protocol Daemon (rpd) component of Juniper Junos OS and Junos OS Evolved. An unauthenticated, network-based attacker can trigger an rpd crash by sending a specifically crafted EVPN type-5 route via BGP. Continuous receipt of this route produces a sustained Denial of Service (DoS) condition on affected routing platforms. The flaw is tracked under CWE-121 (Stack-based Buffer Overflow) and CWE-787 (Out-of-bounds Write). Exploitation requires EVPN to be configured on the device.
Critical Impact
A remote unauthenticated attacker can repeatedly crash rpd on Junos OS and Junos OS Evolved routers, disrupting BGP/EVPN routing and causing prolonged network outages.
Affected Products
- Juniper Junos OS: all versions before 21.2R3-S7; 21.4 before 21.4R3-S5; 22.1 before 22.1R3-S4; 22.2 before 22.2R3-S2; 22.3 before 22.3R3-S1; 22.4 before 22.4R3; 23.2 before 23.2R2
- Juniper Junos OS Evolved: all versions before 21.4R3-S5-EVO; 22.1-EVO before 22.1R3-S4-EVO; 22.2-EVO before 22.2R3-S2-EVO; 22.3-EVO before 22.3R3-S1-EVO; 22.4-EVO before 22.4R3-EVO; 23.2-EVO before 23.2R2-EVO
- Deployments where EVPN is configured and BGP peering accepts EVPN type-5 routes
Discovery Timeline
- 2024-04-12 - CVE-2024-30394 published to NVD
- 2025-02-06 - Last updated in NVD database
Technical Details for CVE-2024-30394
Vulnerability Analysis
The Routing Protocol Daemon (rpd) is the user-space process in Junos OS that implements BGP, OSPF, IS-IS, and EVPN signaling. CVE-2024-30394 is a stack-based buffer overflow in the EVPN route processing path. When rpd parses a specific EVPN type-5 (IP Prefix) route received over BGP, an out-of-bounds write occurs on the stack, terminating the process.
Upon crash, rpd restarts and re-establishes BGP sessions. If the upstream peer continues to advertise the malformed route, rpd enters a crash-restart loop. This breaks route propagation and convergence, isolating affected nodes from the routing fabric. EPSS data places exploitation probability at 0.247% (48th percentile) as of June 2025.
Root Cause
The defect lies in EVPN type-5 route parsing logic within rpd. Insufficient bounds validation on attributes carried in the BGP UPDATE message allows a crafted route to write past the boundary of a fixed-size stack buffer, corrupting the stack frame and causing the daemon to abort. The vulnerability is classified under both CWE-121 and CWE-787.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction on the target. The attacker must, however, be able to inject a crafted EVPN type-5 route into a BGP session that the vulnerable device accepts. This typically means a compromised or malicious BGP peer, or a peer reachable through a misconfigured route reflector or EVPN signaling path. The vulnerability impacts availability only; confidentiality and integrity are not affected.
// No public exploit code is available. The trigger condition is the
// receipt of a specific malformed EVPN type-5 (IP Prefix) route via BGP
// when EVPN is configured on the device. See Juniper JSA79094 for details.
Detection Methods for CVE-2024-30394
Indicators of Compromise
- Unexpected rpd process restarts logged in /var/log/messages or via show system core-dumps
- BGP session flaps coinciding with EVPN type-5 route advertisements from a specific peer
- Repeated routing reconvergence events without a corresponding network change
- Core files attributed to rpd with timestamps aligned to EVPN UPDATE arrival
Detection Strategies
- Monitor rpd daemon health using the show system processes extensive command and SNMP jnxRpd OIDs for restart events
- Enable BGP UPDATE logging and inspect EVPN type-5 NLRI for malformed attributes from untrusted peers
- Correlate syslog messages such as RPD_TASK_REINIT and core dump generation events in a centralized log platform
Monitoring Recommendations
- Forward Junos syslog and BGP traceoptions to a centralized SIEM or data lake for cross-device correlation
- Alert on multiple rpd restarts within a short window across one or more routers
- Track EVPN type-5 route churn per BGP neighbor to identify abnormal advertisement patterns
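One way to implement the "multiple rpd restarts within a short window" alert, as an added example that is not Juniper's or this page's own tooling. It infers a restart whenever the PID in the rpd[pid] syslog tag changes for a host; the ISO 8601 timestamp layout, the host names, and the sample lines are assumptions constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed collector format: "<ISO-8601 time> <host> rpd[<pid>]: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) rpd\[(\d+)\]: ")

# Constructed sample lines (hosts, PIDs and message text are illustrative).
SAMPLE = """\
2024-04-15T10:00:02+00:00 leaf1 rpd[4121]: RPD_TASK_REINIT: Reinitializing
2024-04-15T10:01:40+00:00 leaf1 rpd[4377]: RPD_TASK_REINIT: Reinitializing
2024-04-15T10:02:05+00:00 leaf2 rpd[2210]: RPD_TASK_REINIT: Reinitializing
2024-04-15T10:03:15+00:00 leaf1 rpd[4502]: RPD_TASK_REINIT: Reinitializing
2024-04-15T10:04:50+00:00 leaf1 rpd[4630]: RPD_TASK_REINIT: Reinitializing
2024-04-15T11:30:00+00:00 leaf2 rpd[2299]: RPD_TASK_REINIT: Reinitializing
""".splitlines()

def rpd_restart_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return [(host, time)] where rpd restarted >= threshold times in window."""
    last_pid = {}                  # host -> last rpd PID seen
    recent = defaultdict(deque)    # host -> restart times inside the window
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue               # not an rpd line in the assumed format
        ts = datetime.fromisoformat(m.group(1))
        host, pid = m.group(2), m.group(3)
        if last_pid.setdefault(host, pid) == pid:
            continue               # first sighting or same process: no restart
        last_pid[host] = pid
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # expire restarts older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, ts))
            q.clear()              # start a fresh count after alerting
    return alerts

if __name__ == "__main__":
    for host, when in rpd_restart_bursts(SAMPLE):
        print(f"ALERT {host}: repeated rpd restarts, latest at {when.isoformat()}")
```

Lines must be fed in time order per host; a single restart, such as the one on leaf2 in the sample, stays below the threshold and raises nothing.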
How to Mitigate CVE-2024-30394
Immediate Actions Required
- Upgrade Junos OS and Junos OS Evolved to a fixed release as listed in Juniper advisory JSA79094
- Audit BGP peerings carrying EVPN address-family and restrict EVPN sessions to trusted, authenticated peers
- Apply BGP import policies to filter unexpected EVPN type-5 routes from external peers
- Enable core-dump retention so rpd crashes can be analyzed if they occur post-patch
Patch Information
Juniper released fixes in Junos OS 21.2R3-S7, 21.4R3-S5, 22.1R3-S4, 22.2R3-S2, 22.3R3-S1, 22.4R3, 23.2R2, and later, with equivalent Junos OS Evolved releases (-EVO suffix). Refer to the Juniper Support Advisory JSA79094 for the complete remediated version matrix and download links.
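To audit a device inventory against the release lists above, the following added example (not Juniper's code) classifies a release string as affected, fixed, or on a train this page does not name. The `classify` and `hosts_needing_review` names and the sample inventory are assumptions made for the illustration; only the standard `<major>.<minor>R<n>[-S<n>][.<spin>][-EVO]` form is parsed.

```python
import re

# First fixed release per train as (R, S), copied from the lists on this page.
FIXED = {
    "junos": {(21, 2): (3, 7), (21, 4): (3, 5), (22, 1): (3, 4), (22, 2): (3, 2),
              (22, 3): (3, 1), (22, 4): (3, 0), (23, 2): (2, 0)},
    "evo": {(21, 4): (3, 5), (22, 1): (3, 4), (22, 2): (3, 2),
            (22, 3): (3, 1), (22, 4): (3, 0), (23, 2): (2, 0)},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?(-EVO)?$")

def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a Junos release string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {version!r}")
    train = (int(m.group(1)), int(m.group(2)))
    build = (int(m.group(3)), int(m.group(4) or 0))   # no -S suffix counts as S0
    table = FIXED["evo" if m.group(5) else "junos"]
    if train in table:
        return "affected" if build < table[train] else "fixed"
    if train < min(table):     # "all versions before" the oldest fixed release
        return "affected"
    if train > max(table):     # newer than every listed train ("and later")
        return "fixed"
    return "unlisted"          # e.g. 21.3: not named here, check JSA79094

def hosts_needing_review(inventory):
    """Hosts whose release is affected or cannot be decided from this page."""
    return sorted(h for h, v in inventory.items() if classify(v) != "fixed")

# Constructed inventory for illustration.
INVENTORY = {"spine1": "22.4R3-S1.2", "leaf1": "21.2R3-S6",
             "leaf2": "22.3R3-EVO", "edge1": "21.3R3", "core1": "23.4R1"}

if __name__ == "__main__":
    for host in hosts_needing_review(INVENTORY):
        print(host, INVENTORY[host], classify(INVENTORY[host]))
```

Special release formats outside that pattern raise `ValueError` so they are reviewed by hand rather than silently treated as fixed.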
Workarounds
- Disable EVPN configuration on devices where it is not operationally required
- Apply strict BGP import policies on EVPN address-family sessions to reject malformed or unexpected type-5 NLRI
- Use BGP TCP-AO or MD5 authentication and infrastructure ACLs to limit BGP peering to known endpoints
- Place untrusted EVPN peers behind a route reflector running a patched release that filters before reflection
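# Example: reject EVPN type-5 routes with a BGP import policy (Junos CLI).
# This drops every type-5 route received from the group, so apply it only
# to peers that are not expected to advertise IP prefix routes.
set policy-options policy-statement EVPN-IN term reject-type5 from family evpn nlri-route-type 5
set policy-options policy-statement EVPN-IN term reject-type5 then reject
# BGP import policies attach at the global, group, or neighbor level
set protocols bgp group EVPN-PEERS import EVPN-IN
commit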
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


