CVE-2024-39515 Overview
CVE-2024-39515 is a high-severity denial of service vulnerability affecting the routing protocol daemon (rpd) in Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated network-based attacker can send a specifically malformed BGP packet to crash and restart rpd, producing a sustained Denial of Service (DoS) condition. The flaw is classified under [CWE-1288] Improper Validation of Consistency within Input. Exploitation requires an established BGP session and BGP traceoptions enabled on the target. Both iBGP and eBGP, over IPv4 and IPv6, are affected. In some cases rpd fails to restart automatically, and an operator must run the restart routing CLI command manually.
Critical Impact
Sustained crash of the routing protocol daemon disrupts BGP peering, withdraws routes, and can isolate network segments dependent on the affected router.
Affected Products
- Juniper Junos OS: all versions before 21.4R3-S8, 22.2 before 22.2R3-S5, 22.3 before 22.3R3-S4, 22.4 before 22.4R3-S3, 23.2 before 23.2R2-S2, 23.4 before 23.4R2
- Juniper Junos OS Evolved: all versions before 21.4R3-S8-EVO, 22.2-EVO before 22.2R3-S5-EVO, 22.3-EVO before 22.3R3-S4-EVO, 22.4-EVO before 22.4R3-S3-EVO, 23.2-EVO before 23.2R2-S2-EVO, 23.4-EVO before 23.4R2-EVO
Discovery Timeline
- 2024-10-09 - CVE-2024-39515 published to NVD by Juniper SIRT
- 2024-10-09 - Juniper publishes security advisory JSA88099
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-39515
Vulnerability Analysis
The vulnerability resides in the BGP processing path of the rpd daemon, the central routing process in Junos OS and Junos OS Evolved. When BGP traceoptions are enabled, rpd performs additional logging and inspection of inbound BGP messages. A crafted BGP packet triggers an inconsistency check failure inside this code path, causing rpd to crash. Continued receipt of the malformed packet from the established peer reproduces the crash on each restart, yielding a sustained outage. Operators report that under certain conditions rpd does not return to a running state automatically and requires manual intervention via the restart routing command.
Root Cause
The root cause is improper validation of consistency within input ([CWE-1288]) in BGP message handling instrumented by traceoptions. The daemon assumes internal invariants about the parsed BGP message that the malformed packet violates. Because the consistency check fails after partial processing, rpd enters an unrecoverable state and terminates.
Attack Vector
Exploitation requires the attacker to control or compromise a BGP peer that already has an established session with the vulnerable device. The attacker then transmits the malformed BGP update through the existing session. No authentication beyond the established BGP relationship is required, and no user interaction is needed. Devices that do not have BGP traceoptions configured under [edit protocols bgp traceoptions] are not affected. See the Juniper CLI Reference for BGP traceoptions for configuration context.
No public proof-of-concept code is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical details on the malformed message structure have not been disclosed by Juniper.
Detection Methods for CVE-2024-39515
Indicators of Compromise
- Unexpected rpd process crashes recorded in /var/log/messages or chassis logs, often accompanied by core files under /var/crash/.
- BGP peer sessions cycling through Established → Idle → Active states in show bgp summary output.
- Routing table churn and BGP route withdrawals observed by neighboring devices immediately following crashes.
- Operator-driven restart routing events appearing in command history when rpd fails to self-recover.
Detection Strategies
- Audit Junos configurations for the presence of traceoptions under [edit protocols bgp] to identify exposed devices.
- Correlate rpd restart events with inbound BGP message timestamps from each peer to localize the malicious source.
- Capture BGP traffic on management or mirror interfaces and inspect for malformed UPDATE or OPEN messages preceding daemon crashes.
Monitoring Recommendations
- Forward Junos syslog and BGP state telemetry to a centralized SIEM and alert on repeated rpd daemon termination events.
- Monitor BGP session uptime and flap counters via SNMP or streaming telemetry, alerting on flaps from peers without prior change windows.
- Track core file creation under /var/crash/ on routing engines and trigger investigation on any new rpd core.
How to Mitigate CVE-2024-39515
Immediate Actions Required
- Identify all Junos OS and Junos OS Evolved devices with BGP traceoptions enabled and prioritize them for patching.
- Upgrade to a fixed release listed in Juniper Security Advisory JSA88099: 21.4R3-S8, 22.2R3-S5, 22.3R3-S4, 22.4R3-S3, 23.2R2-S2, 23.4R2 or later, including the corresponding -EVO builds.
- Validate BGP peer authentication and apply infrastructure ACLs that restrict TCP/179 to known peers only.
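The configuration audit under Detection Strategies and the identification step above both come down to two checks per device: is the release older than the fix for its train, and is a BGP traceoptions statement active. The following is an added example, not Juniper's or this page's own tooling. The function names, the use of `display set` output as input, the ordering of R and S numbers as tuples, and the matching of group, neighbor and routing-instance level statements are assumptions.

```python
import re

# Fixed release (R, S) per train, copied from the Affected Products list.
FIXED = {(21, 4): (3, 8), (22, 2): (3, 5), (22, 3): (3, 4),
         (22, 4): (3, 3), (23, 2): (2, 2), (23, 4): (2, 0)}
VERSION = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?")
# Any BGP traceoptions statement in "display set" output; matching group,
# neighbor and routing-instance levels too is a conservative assumption.
TRACE = re.compile(r"^set (?:.+ )?protocols bgp (?:.+ )?traceoptions(?: |$)")

def release_status(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a Junos / Junos EVO version."""
    m = VERSION.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, rel, sr = (int(g or 0) for g in m.groups())
    train = (major, minor)
    if train < min(FIXED):
        return "vulnerable"      # "all versions before 21.4R3-S8"
    if train > max(FIXED):
        return "fixed"           # "all subsequent releases"
    if train not in FIXED:
        return "unlisted"        # e.g. 22.1: train not named on the page
    return "vulnerable" if (rel, sr) < FIXED[train] else "fixed"

def active_traceoptions(set_config):
    """Return BGP traceoptions 'set' lines not covered by a 'deactivate' line."""
    lines = [ln.strip() for ln in set_config.splitlines()]
    inactive = [ln[11:] + " " for ln in lines if ln.startswith("deactivate ")]
    return [ln for ln in lines if TRACE.match(ln)
            and not any((ln[4:] + " ").startswith(p) for p in inactive)]

def assess(version, set_config):
    """Combine both preconditions from the advisory into one verdict."""
    status = release_status(version)
    if status != "vulnerable":
        return "fixed" if status == "fixed" else "check-advisory"
    return "exposed" if active_traceoptions(set_config) else "patch-pending"

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
set protocols bgp group EBGP type external
set protocols bgp group EBGP traceoptions file bgp-trace
set protocols bgp group EBGP traceoptions flag update detail
set protocols ospf traceoptions flag hello
"""
```

A result of `exposed` marks devices to patch first or to strip traceoptions from; `check-advisory` means the train is not named on this page and JSA88099 should be consulted.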
Patch Information
Juniper has released fixed software in Junos OS 21.4R3-S8, 22.2R3-S5, 22.3R3-S4, 22.4R3-S3, 23.2R2-S2, 23.4R2, and all subsequent releases. Equivalent Junos OS Evolved builds (21.4R3-S8-EVO through 23.4R2-EVO) contain the fix. Refer to Juniper Security Advisory JSA88099 for the authoritative list of fixed versions and PSIRT contact information.
Workarounds
- Disable BGP traceoptions by removing the traceoptions stanza under [edit protocols bgp] until the device can be patched, since systems without BGP traceoptions are not affected.
- Enforce strict BGP peer filters and prefix policies to limit which neighbors can establish sessions with the routing engine.
- Apply BGP MD5 authentication or TCP-AO on all peering sessions to reduce the risk of session hijacking by an unauthorized peer.
```
# Remove BGP traceoptions on Junos to eliminate the attack surface
configure
delete protocols bgp traceoptions
commit comment "Mitigate CVE-2024-39515 by disabling BGP traceoptions"
exit
# Verify traceoptions are no longer configured
show configuration protocols bgp | match traceoptions
```

