CVE-2024-30397 Overview
CVE-2024-30397 is a denial-of-service vulnerability in the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS. The flaw is an improper check for unusual or exceptional conditions [CWE-754] during certificate verification. When a certificate presented during a VPN negotiation fails verification, pkid spikes to 100% CPU and stops answering subsequent verification requests, so every VPN negotiation that relies on certificate-based authentication fails until the daemon is restarted. An unauthenticated, network-based attacker can trigger the condition remotely without user interaction; the impact is to availability only.
Critical Impact
A remote, unauthenticated attacker can exhaust pkid CPU resources, causing certificate verification failures that disrupt VPN negotiations and certificate-dependent services on affected Junos OS devices.
Affected Products
- Juniper Networks Junos OS — all versions prior to 20.4R3-S10
- Juniper Networks Junos OS — 21.2 versions prior to 21.2R3-S7, 21.4 versions prior to 21.4R3-S5, 22.1 versions prior to 22.1R3-S4
- Juniper Networks Junos OS — 22.2 versions prior to 22.2R3-S3, 22.3 versions prior to 22.3R3-S1, 22.4 versions prior to 22.4R3, 23.2 versions prior to 23.2R1-S2 and 23.2R2
Discovery Timeline
- 2024-04-12 - CVE-2024-30397 published to NVD
- 2025-02-26 - Last updated in NVD database
Technical Details for CVE-2024-30397
Vulnerability Analysis
The Public Key Infrastructure daemon (pkid) on Junos OS performs certificate verification for IPsec VPN and other PKI-dependent functions. The daemon does not correctly handle an exceptional condition that arises when a certificate verification fails. Instead of rejecting the certificate and returning to service, pkid enters a state of sustained 100% CPU utilization on its core and stops servicing subsequent verification requests. VPN tunnels that depend on certificate-based authentication therefore cannot establish or rekey, and the device's secure connectivity degrades for as long as the daemon stays in this state.
Root Cause
The root cause is tracked under CWE-754: Improper Check for Unusual or Exceptional Conditions. Juniper's advisory does not describe the internal error path, only its effect: after a failed verification, pkid remains pinned at full CPU until it is restarted or the device is rebooted, behavior consistent with the daemon never leaving the failure path.
Attack Vector
The vulnerability is network-reachable and requires no authentication, privileges, or user interaction. An attacker who can reach the device's IKE service (UDP 500 and 4500) presents a peer certificate that fails verification; the failure itself triggers the fault, so no certificate from a CA the device trusts is needed. Exposure is therefore limited to devices that perform certificate verification for IKE peers. Once triggered, the operator will see pkid consuming all of its core in the output of show system processes extensive | match pkid, which displays a line ending in 100.00% pkid. The impact is to availability only; confidentiality and integrity are not affected. Refer to Juniper Security Advisory JSA79179 for vendor technical details.
Detection Methods for CVE-2024-30397
Indicators of Compromise
- Sustained 100% CPU utilization by the pkid process observable via show system processes extensive | match pkid
- Failed IPsec VPN (IKE) negotiations that depend on certificate verification, with errors referencing PKI or certificate validation timeouts
- pkid becoming unresponsive to new verification requests while remaining present in the process list
Detection Strategies
- Monitor Junos OS process telemetry for pkid CPU consumption exceeding normal baselines, particularly sustained values at or near 100%
- Correlate VPN tunnel establishment failures with PKI subsystem health metrics to identify cascading impact
- Track certificate verification request volume and failure rates from external sources to detect probing or triggering attempts
Monitoring Recommendations
- Configure SNMP or streaming telemetry to alert on pkid CPU thresholds and process responsiveness
- Forward Junos OS syslog events related to PKI, IKE, and IPsec to a centralized log platform for correlation and historical analysis
- Periodically validate VPN endpoint reachability and successful rekey events as a functional health check for the PKI daemon
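As an added example that is not part of this page or of Juniper's tooling, the following Python checker implements the first two detection strategies above. It reads samples of show system processes extensive | match pkid collected over time, flags pkid only when it stays at or above a threshold for several consecutive samples (a single spike during a burst of verifications is normal; the CVE symptom is that utilization never drops), and correlates that with certificate-related IKE failures from syslog. The process lines and syslog lines are constructed for the example; the syslog format is illustrative rather than a verbatim Junos message, and column positions in the process output vary by platform, so the parser reads WCPU and the command name from the right-hand end of the line.

```python
"""Added example (not from the Juniper advisory): detect the sustained-100%
pkid condition described for CVE-2024-30397 from periodic CLI samples and
correlate it with certificate-related IKE failures."""
import re
from typing import List, Optional, Tuple

# Constructed sample output of `show system processes extensive | match pkid`,
# one line per collection interval. Some platforms omit the per-CPU "C" column,
# so WCPU and COMMAND are taken from the right-hand end, not by fixed position.
SAMPLES = [
    ("2024-04-12T10:00:00Z", " 3120 root   1  20    0 31084K 17280K select   0  0:02   0.00% pkid"),
    ("2024-04-12T10:01:00Z", " 3120 root   1 103    0 31084K 17280K CPU1     1  0:58  99.07% pkid"),
    ("2024-04-12T10:02:00Z", " 3120 root   1 103    0 31084K 17280K CPU1     1  1:58 100.00% pkid"),
    ("2024-04-12T10:03:00Z", " 3120 root   1 103    0 31084K 17280K CPU1     1  2:58 100.00% pkid"),
]

# Constructed syslog lines (illustrative wording, not verbatim Junos formats).
SYSLOG = [
    "Apr 12 10:01:10 srx1 kmd[2211]: IKE negotiation failed with error: certificate validation timed out",
    "Apr 12 10:01:40 srx1 kmd[2211]: IKE negotiation failed with error: certificate validation timed out",
    "Apr 12 10:02:05 srx1 sshd[4102]: Accepted publickey for admin from 192.0.2.10",
]

_WCPU = re.compile(r"^(\d+(?:\.\d+)?)%$")


def pkid_wcpu(line: str) -> Optional[float]:
    """Return the WCPU percentage for a pkid process line, or None otherwise."""
    fields = line.split()
    if len(fields) < 2 or fields[-1] != "pkid":
        return None
    m = _WCPU.match(fields[-2])
    return float(m.group(1)) if m else None


def sustained_high(samples: List[Tuple[str, str]], threshold: float = 95.0,
                   min_consecutive: int = 3) -> Optional[Tuple[str, str]]:
    """Return (first, last) timestamps of the first run of at least
    min_consecutive consecutive samples with pkid WCPU >= threshold, else None.
    A lone spike is normal; the CVE symptom is utilisation that never drops."""
    run: List[str] = []
    for ts, line in samples:
        cpu = pkid_wcpu(line)
        if cpu is not None and cpu >= threshold:
            run.append(ts)
            if len(run) >= min_consecutive:
                return run[0], run[-1]
        else:
            run = []
    return None


def ike_failures(lines: List[str]) -> int:
    """Count IKE failures that mention certificates (constructed message format)."""
    return sum(1 for l in lines
               if "IKE negotiation failed" in l and "certificate" in l.lower())


def assess(samples: List[Tuple[str, str]], syslog: List[str]) -> dict:
    """Combine both signals into one verdict an alerting pipeline can act on."""
    window = sustained_high(samples)
    fails = ike_failures(syslog)
    return {
        "pkid_pinned": window is not None,
        "pinned_since": window[0] if window else None,
        "ike_cert_failures": fails,
        "suspect_cve_2024_30397": window is not None and fails > 0,
    }


if __name__ == "__main__":
    print(assess(SAMPLES, SYSLOG))
```

Feed the checker with samples taken every minute from an automation host (NETCONF or SSH); three consecutive samples at or above the threshold is a reasonable starting point, but set min_consecutive above the longest legitimate verification burst seen on the device so that a CA reachability issue or a large rekey storm does not page the on-call engineer for the wrong reason.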
How to Mitigate CVE-2024-30397
Immediate Actions Required
- Upgrade affected Junos OS devices to a fixed release per Juniper Security Advisory JSA79179
- Restrict network access to the IKE service (UDP 500 and 4500) using firewall filters and management-plane access controls so that only known VPN peers can initiate negotiations
- If pkid is observed at 100% CPU, restart the daemon (restart pki-service from operational mode) as a temporary recovery measure; this restores certificate verification but does not prevent the condition from being triggered again
Patch Information
Juniper Networks has released fixed versions: 20.4R3-S10, 21.2R3-S7, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R3, 23.2R1-S2, 23.2R2, and all subsequent releases. Operators should plan an upgrade to one of these or later versions. See the Juniper Security Advisory JSA79179 for the complete fixed-release matrix.
Workarounds
- Limit reachability of IKE and other PKI-related services to trusted peers using stateless firewall filters applied to the loopback interface lo0
- Where feasible, use pre-shared key (PSK) authentication for IPsec peers as an interim alternative to certificate-based authentication, since PSK authentication does not exercise pkid; accept the key-distribution and rotation burden that comes with it
- Implement strict source-address policies on management and VPN ingress interfaces to reduce attack surface
# Example: allow IKE (UDP 500/4500) only from trusted peers via an lo0 input filter
# Caveat: an lo0 filter sees all traffic to the routing engine, so the final term must not discard routing or management traffic
set firewall family inet filter PROTECT-RE term ALLOW-IKE-TRUSTED from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-IKE-TRUSTED from protocol udp
set firewall family inet filter PROTECT-RE term ALLOW-IKE-TRUSTED from destination-port [ 500 4500 ]
set firewall family inet filter PROTECT-RE term ALLOW-IKE-TRUSTED then accept
set firewall family inet filter PROTECT-RE term DENY-IKE-OTHER from protocol udp
set firewall family inet filter PROTECT-RE term DENY-IKE-OTHER from destination-port [ 500 4500 ]
set firewall family inet filter PROTECT-RE term DENY-IKE-OTHER then discard
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.