CVE-2024-30398 Overview
CVE-2024-30398 is an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability [CWE-119] affecting the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX4600 devices. An unauthenticated, network-based attacker can trigger a Denial of Service (DoS) condition by sending a high volume of specific traffic to the device. The traffic causes a consistent rise in CPU memory utilization due to an error in internal packet handling. This results in packet drops and an eventual PFE crash. Restoring the device requires a manual PFE reboot. Juniper published security advisory JSA79176 to address the issue across multiple Junos OS release trains.
Critical Impact
Remote unauthenticated attackers can exhaust PFE memory on SRX4600 firewalls, causing sustained packet loss and forcing a manual reboot to restore service.
Affected Products
- Juniper Networks Junos OS on SRX4600 platforms
- Junos OS 21.2 before 21.2R3-S7, 21.4 before 21.4R3-S6, 22.1 before 22.1R3-S5
- Junos OS 22.2 before 22.2R3-S3, 22.3 before 22.3R3-S2, 22.4 before 22.4R3, 23.2 before 23.2R1-S2/23.2R2
Discovery Timeline
- 2024-04-12 - CVE-2024-30398 published to NVD
- 2025-02-06 - Last updated in NVD database
Technical Details for CVE-2024-30398
Vulnerability Analysis
The vulnerability resides in the Packet Forwarding Engine (PFE) of Junos OS running on Juniper SRX4600 next-generation firewalls. The PFE is the data-plane component responsible for high-speed packet processing, forwarding, and security service application. An error in internal packet handling causes memory associated with specific traffic patterns to accumulate rather than being released. Under sustained load with the triggering traffic, CPU memory utilization rises consistently until the PFE can no longer process traffic. The result is progressive packet drops followed by a complete PFE crash. The device does not auto-recover and requires a manual PFE reboot, extending operational impact beyond the duration of the attack.
Root Cause
Juniper classifies the defect as improper restriction of operations within the bounds of a memory buffer [CWE-119] in the PFE's packet-handling logic. The public description gives only the observable behaviour: memory consumed while handling a specific traffic class is not released, so utilization climbs monotonically under sustained load until the PFE fails. Neither the CVE record nor this summary identifies the code path or buffer involved. Operationally this is a resource-exhaustion DoS reached through ordinary data-plane forwarding; no control-plane access (management interfaces, routing protocols) is involved.
Attack Vector
Exploitation requires only the ability to send traffic through or to the SRX4600 data plane; no authentication or user interaction is needed. The attacker sends a sustained, high-rate stream of the traffic class that triggers the packet-handling error, which the advisory summary identifies only as "specific traffic". As volume accumulates, PFE memory pressure increases, packet drops begin, and the PFE eventually crashes. The outage outlasts the attack: forwarding stays down until the PFE is rebooted manually.
No verified public exploit code is available for CVE-2024-30398, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to Juniper Security Advisory JSA79176 for vendor-supplied technical details.
Detection Methods for CVE-2024-30398
Indicators of Compromise
- Sustained, abnormal increase in PFE CPU memory utilization on SRX4600 devices that does not return to baseline.
- Increasing packet drop counters on data-plane interfaces correlated with elevated PFE memory.
- PFE crash and restart messages in /var/log/messages and /var/log/chassisd.
- Loss of forwarding through the device requiring manual PFE restart to restore service.
Detection Strategies
- Monitor show chassis fpc and show pfe statistics traffic output for anomalous memory growth and queue drops.
- Alert on syslog events that indicate a PFE restart or a memory threshold being exceeded, including messages carrying the PFE facility tag (%PFE-n) emitted by the FPC.
- Baseline normal traffic profiles destined to SRX4600 platforms and alert on sustained spikes of atypical flows.
Monitoring Recommendations
- Forward Junos syslog and SNMP traps to a centralized SIEM and create rules for PFE memory threshold breaches.
- Track interface drop and discard counters via streaming telemetry to detect early data-plane degradation.
- Correlate upstream NetFlow or sFlow records with PFE memory trends to identify the triggering traffic source.
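The detection and monitoring bullets above describe the pattern in words; the following Python script shows it as code. It is an added example, not Juniper's code and not part of the advisory. It assumes an external poller (NETCONF, PyEZ or SSH) collects `show chassis fpc` and `show pfe statistics traffic` at a fixed interval and hands the raw text to `assess()`. The snapshots embedded below are constructed to mimic those commands' column layout and were not captured from a device; the thresholds in `sustained_growth()` are starting points to tune against your own baseline.

```python
"""Flag the CVE-2024-30398 symptom pattern on an SRX4600: PFE heap memory
that climbs without ever falling back, correlated with rising hardware
input drops.

Added example, not Juniper code. Assumes a poller collects
'show chassis fpc' and 'show pfe statistics traffic' at a fixed interval
and hands the raw text to assess(). The snapshots below are constructed
to mimic those commands' layout; they were not captured from a device."""
import re
from typing import Dict, List, Optional

# Data row of 'show chassis fpc' (columns: Slot State Temp CPU-Total
# Interrupt 1min 5min 15min DRAM(MB) Heap% Buffer%).
FPC_ROW = re.compile(
    r"^\s*(?P<slot>\d+)\s+(?P<state>\w+)\s+\d+\s+(?P<cpu>\d+)\s+\d+\s+"
    r"\d+\s+\d+\s+\d+\s+\d+\s+(?P<heap>\d+)\s+(?P<buffer>\d+)\s*$"
)
# 'Hardware input drops' counter line of 'show pfe statistics traffic'.
HW_DROPS = re.compile(r"Hardware input drops\s*:\s*(\d+)")


def parse_chassis_fpc(text: str) -> Dict[int, Dict[str, int]]:
    """Map slot number -> CPU/heap/buffer percentages for every online FPC."""
    fpcs: Dict[int, Dict[str, int]] = {}
    for line in text.splitlines():
        m = FPC_ROW.match(line)
        if m and m.group("state") == "Online":
            fpcs[int(m.group("slot"))] = {
                "cpu_pct": int(m.group("cpu")),
                "heap_pct": int(m.group("heap")),
                "buffer_pct": int(m.group("buffer")),
            }
    return fpcs


def parse_hw_input_drops(text: str) -> Optional[int]:
    """Return the hardware input drop counter, or None if the line is absent."""
    m = HW_DROPS.search(text)
    return int(m.group(1)) if m else None


def sustained_growth(series: List[int], window: int = 4,
                     min_rise: int = 10, ceiling: int = 80) -> bool:
    """True when the last `window` readings never decrease, gain at least
    `min_rise` points overall and end at or above `ceiling`.

    Normal heap usage jitters up and down; the CVE's signature is a climb
    that never gives memory back, so one dip inside the window clears it."""
    if len(series) < window:
        return False
    tail = series[-window:]
    never_falls = all(b >= a for a, b in zip(tail, tail[1:]))
    return never_falls and tail[-1] - tail[0] >= min_rise and tail[-1] >= ceiling


def assess(fpc_snapshots: List[str], pfe_snapshots: List[str],
           slot: int = 0) -> Dict[str, object]:
    """Correlate heap growth on one FPC with the hardware drop counter.

    Both lists are ordered oldest first and sampled at the same cadence.
    Alerting only when both signals move cuts false positives from a busy
    but healthy device."""
    heap = [parse_chassis_fpc(s).get(slot, {}).get("heap_pct") for s in fpc_snapshots]
    heap = [h for h in heap if h is not None]      # skip polls where the FPC was offline
    drops = [d for d in (parse_hw_input_drops(s) for s in pfe_snapshots) if d is not None]
    leak = sustained_growth(heap)
    drops_rising = len(drops) >= 2 and drops[-1] > drops[0]
    return {
        "heap_series": heap,
        "drops_series": drops,
        "heap_leak": leak,
        "drops_rising": drops_rising,
        "alert": leak and drops_rising,
    }


# --- Constructed sample data (not real device output) -------------------
FPC_TEMPLATE = (
    "                     Temp  CPU Utilization (%)   CPU Utilization (%)  Memory    Utilization (%)\n"
    "Slot State            (C)  Total  Interrupt      1min   5min   15min  DRAM (MB) Heap     Buffer\n"
    "  0  Online            41     {cpu:>2}          0        {cpu:>2}     {cpu:>2}     {cpu:>2}    16384      {heap:>2}          9\n"
    "  1  Empty\n"
)
PFE_TEMPLATE = (
    "Packet Forwarding Engine local traffic statistics:\n"
    "    Local packets input                 :             1030493\n"
    "    Local packets output                :              998231\n"
    "    Software input control plane drops  :                   0\n"
    "    Hardware input drops                :             {drops}\n"
)
# Five polls, oldest first: heap climbs 37 -> 88 % while drops start accumulating.
FPC_SAMPLES = [FPC_TEMPLATE.format(cpu=c, heap=h)
               for c, h in [(12, 37), (48, 52), (71, 66), (89, 79), (97, 88)]]
PFE_SAMPLES = [PFE_TEMPLATE.format(drops=d) for d in (0, 0, 140, 2310, 9875)]

if __name__ == "__main__":
    result = assess(FPC_SAMPLES, PFE_SAMPLES)
    print("heap %:", result["heap_series"], "hw drops:", result["drops_series"])
    print("ALERT: possible CVE-2024-30398 condition" if result["alert"] else "no alert")
```

The drop counter is cumulative, so the script compares first and last values rather than looking for a spike; in production feed it deltas per interval and raise the `window` so a single busy minute cannot trip it. Pair the alert with upstream NetFlow or sFlow for the same interval to find the source of the triggering flows.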
How to Mitigate CVE-2024-30398
Immediate Actions Required
- Inventory all SRX4600 devices and identify those running affected Junos OS versions listed in JSA79176.
- Upgrade affected devices to fixed releases: 21.2R3-S7, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, or later.
- Restrict untrusted network paths to SRX4600 data-plane interfaces using upstream filtering and rate limits.
- Prepare operational runbooks for manual PFE reboot in case service degradation is observed.
Patch Information
Juniper Networks has released fixed software, documented in Juniper Security Advisory JSA79176. Upgrade Junos OS on SRX4600 devices to 21.2R3-S7, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R1-S2, 23.2R2, or any subsequent release in the same train.
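Comparing a fleet's versions against those ranges by hand is error-prone because Junos tags carry a release (R), service (S) and build component. The following Python checker is an added example, not Juniper's code: it parses a Junos version tag, orders it as (major, minor, R, S), and compares it with the first fixed release of its train as listed above. The `show version` text is constructed. Trains the advisory summary does not name (older than 21.2, or 23.4 and later) return `None` rather than a guess; confirm those against JSA79176 directly.

```python
"""Decide whether a Junos OS build on an SRX4600 falls inside the affected
ranges for CVE-2024-30398 listed in JSA79176.

Added example, not Juniper code. FIRST_FIXED is transcribed from the fixed
releases named in the advisory summary; the sample 'show version' output
is constructed. Trains not listed return None instead of a guess."""
import re
from typing import Dict, Optional, Tuple

# Junos release tags: <major>.<minor>R<rev>[-S<service>][.<build>], e.g. 22.4R2-S2.4
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")

# First fixed release per affected train. 23.2 is also fixed from 23.2R2,
# which already sorts after 23.2R1-S2 under the tuple ordering below.
FIRST_FIXED: Dict[Tuple[int, int], str] = {
    (21, 2): "21.2R3-S7",
    (21, 4): "21.4R3-S6",
    (22, 1): "22.1R3-S5",
    (22, 2): "22.2R3-S3",
    (22, 3): "22.3R3-S2",
    (22, 4): "22.4R3",
    (23, 2): "23.2R1-S2",
}

Version = Tuple[int, int, int, int]   # (major, minor, R, S); S is 0 when absent


def parse_junos_version(tag: str) -> Version:
    """Parse '22.4R2-S2.4' -> (22, 4, 2, 2). Trailing build numbers are ignored."""
    m = VERSION_RE.match(tag.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version tag: {tag!r}")
    major, minor, rev, svc = m.groups()
    return (int(major), int(minor), int(rev), int(svc or 0))


def is_affected(tag: str) -> Optional[bool]:
    """True if `tag` is older than the first fixed release of its train,
    False if it is at or after the fix, None if the train is not listed."""
    v = parse_junos_version(tag)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < parse_junos_version(fixed)


def assess_show_version(text: str) -> Dict[str, object]:
    """Extract model and version from 'show version' output and evaluate them.
    Only the srx4600 model is in scope for this CVE; other models are reported
    as not affected by it without a version check."""
    model = re.search(r"^Model:\s*(\S+)", text, re.M)
    junos = re.search(r"^Junos:\s*(\S+)", text, re.M)
    if not model or not junos:
        raise ValueError("could not find Model:/Junos: lines in show version output")
    model_name, tag = model.group(1).lower(), junos.group(1)
    in_scope = model_name == "srx4600"
    return {
        "model": model_name,
        "version": tag,
        "in_scope": in_scope,
        "affected": is_affected(tag) if in_scope else False,
        "first_fixed": FIRST_FIXED.get(parse_junos_version(tag)[:2]),
    }


# Constructed sample, not captured from a real device.
SAMPLE_SHOW_VERSION = """Hostname: srx4600-edge1
Model: srx4600
Junos: 22.4R2-S2.4
"""

if __name__ == "__main__":
    print(assess_show_version(SAMPLE_SHOW_VERSION))
```

Feed it the `show version` output gathered per device by your inventory tooling and treat `None` as "needs manual review", not as "fixed"; the tuple ordering also handles the 23.2 case, where 23.2R1-S2 and 23.2R2 are both fixed but 23.2R1-S1 is not.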
Workarounds
- No vendor-supplied workaround eliminates the issue; upgrading to a fixed release is the recommended remediation.
- Apply edge filtering and rate limiting on upstream devices to reduce exposure to high-volume triggering traffic.
- Use firewall filters and policers on SRX4600 ingress interfaces to constrain unexpected traffic patterns where operationally feasible.
# Verify current Junos OS version and model on the SRX4600
show version | match "Junos|Model"
# Example: install a fixed Junos OS image and reboot. Use the SRX4600-specific
# package from Juniper's download site (junos-srxsme targets branch SRX models,
# not the SRX4600). Keep configuration validation on unless you have already
# confirmed the running config loads under the target release.
request system software add /var/tmp/<srx4600-junos-23.2R2-package>.tgz no-copy
request system reboot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


