CVE-2024-30405 Overview
CVE-2024-30405 is an Incorrect Calculation of Buffer Size vulnerability [CWE-131] in Juniper Networks Junos OS running on SRX 5000 Series devices equipped with SPC2 line cards. When Application Layer Gateways (ALGs) are enabled, an unauthenticated remote attacker can send specifically crafted packets that cause a transit traffic Denial of Service (DoS). Continued receipt of these packets sustains the outage. Juniper published the issue in advisory JSA79105 on April 12, 2024, and assigned it a CVSS v4.0 score of 8.7.
Critical Impact
Unauthenticated attackers can disrupt transit traffic on SRX 5400, SRX 5600, and SRX 5800 firewalls with SPC2 cards, sustaining a Denial of Service as long as malicious packets continue arriving.
Affected Products
- Juniper Networks Junos OS on SRX 5400 with SPC2 line cards and ALGs enabled
- Juniper Networks Junos OS on SRX 5600 with SPC2 line cards and ALGs enabled
- Juniper Networks Junos OS on SRX 5800 with SPC2 line cards and ALGs enabled
Discovery Timeline
- 2024-04-12 - CVE-2024-30405 published to NVD and Juniper releases advisory JSA79105 with fixed versions
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2024-30405
Vulnerability Analysis
The flaw resides in the packet processing path of SPC2 (Services Processing Card, second generation) line cards on SRX 5000 Series chassis. Application Layer Gateway (ALG) modules inspect protocol payloads such as FTP, SIP, and DNS to dynamically open pinhole sessions. When ALG inspection runs against specific crafted packets, the code incorrectly calculates the size of a buffer used during payload handling. The result is a memory management fault that interrupts transit traffic processing on the affected card. Because the trigger occurs on protocol-level parsing, no authentication or user interaction is required, and exploitation can be performed remotely across the network path the firewall services.
Root Cause
The root cause is classified under [CWE-131] Incorrect Calculation of Buffer Size. The ALG parser allocates or operates on buffers using a length value that does not match the actual data, producing inconsistent state inside the SPC2 forwarding engine. Repeated triggering keeps the data plane in a degraded state.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends crafted packets that traverse the SRX device and match an ALG-inspected protocol. Sustained delivery of such packets sustains the DoS condition against transit traffic.
No verified public exploit code is available for CVE-2024-30405.
Refer to Juniper advisory JSA79105 for protocol-level details.
Detection Methods for CVE-2024-30405
Indicators of Compromise
- Unexplained drops in transit traffic throughput on SRX 5400, SRX 5600, or SRX 5800 chassis using SPC2 cards
- SPC2 services PIC restarts, ALG-related crash logs, or flowd process anomalies in show log messages
- Spikes in malformed or atypical ALG-protocol traffic (FTP, SIP, H.323, DNS, RTSP) preceding the disruption
Detection Strategies
- Inventory all SRX 5000 Series devices and identify those running SPC2 line cards with ALGs enabled via show chassis hardware and show security alg status.
- Correlate Junos syslog events for ALG module errors or services PIC reboots with NetFlow/IPFIX data to identify the originating traffic source.
- Compare the running Junos version against the fixed releases in JSA79105 to flag vulnerable devices.
Monitoring Recommendations
- Forward Junos syslog and SNMP traps to a centralized analytics platform for alerting on SPC2 and ALG faults.
- Baseline ALG session counts and packet rates so deviations consistent with crafted-packet floods generate alerts.
- Monitor transit traffic latency and drop counters per services PIC to detect early signs of degradation.
How to Mitigate CVE-2024-30405
Immediate Actions Required
- Upgrade Junos OS to a fixed release: 21.2R3-S7, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R2, or later per Juniper Security Advisory JSA79105.
- If patching cannot be completed immediately, disable ALGs that are not strictly required for business traffic.
- Restrict and rate-limit untrusted traffic that traverses the SRX so unknown sources cannot reach ALG-inspected protocols.
Patch Information
Juniper Networks addressed CVE-2024-30405 in Junos OS releases 21.2R3-S7, 21.4R3-S6, 22.1R3-S5, 22.2R3-S3, 22.3R3-S2, 22.4R3, 23.2R2, and all subsequent versions. Full remediation details are published in Juniper Security Advisory JSA79105.
Workarounds
- Disable the specific ALGs that are not required using set security alg <protocol> disable to remove the vulnerable code path from inspection.
- Apply firewall filters or stateless policies to block or rate-limit untrusted sources from sending ALG-inspected protocols across the SRX.
- Segment management and transit paths to limit which networks can deliver crafted packets to the SPC2 inspection engine.
# Example: disable non-essential ALGs on SRX while planning the upgrade
configure
set security alg ftp disable
set security alg sip disable
set security alg h323 disable
set security alg rtsp disable
commit comment "Mitigation for CVE-2024-30405 per JSA79105"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
