
CVE-2024-39545: Juniper Junos IKE Daemon DoS Vulnerability

CVE-2024-39545 is a denial of service vulnerability in the Juniper Junos IKE daemon (iked) affecting SRX Series, MX Series with SPC3, and NFX350 platforms. An unauthenticated attacker can crash iked by sending mismatching parameters during IPsec negotiation. This article covers technical details, affected versions, impact, detection, and mitigation.

CVE-2024-39545 Overview

CVE-2024-39545 is a high-severity Denial of Service (DoS) vulnerability in the Internet Key Exchange daemon (iked) of Juniper Networks Junos OS. The flaw affects SRX Series, MX Series with SPC3, and NFX350 platforms. An unauthenticated, network-based attacker can send specific mismatching parameters during IPsec negotiation to crash the iked process. The vulnerability is classified as an Improper Check for Unusual or Exceptional Conditions weakness [CWE-754]. Successful exploitation disrupts VPN services and IPsec tunnel establishment on affected devices.

Critical Impact

Unauthenticated remote attackers can repeatedly crash the IKE daemon, causing sustained outage of IPsec VPN services on perimeter and core network devices.

Affected Products

  • Juniper Junos OS on SRX Series (SRX300, SRX320, SRX340, SRX345, SRX380, SRX1500, SRX1600, SRX2300, SRX4100, SRX4120, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800)
  • Juniper Junos OS on MX Series with SPC3 (MX204, MX240, MX304, MX480, MX960, MX2008, MX2010, MX2020, MX10004, MX10008)
  • Juniper NFX350

Discovery Timeline

  • 2024-07-11 - CVE-2024-39545 published to NVD
  • 2024-07-11 - Juniper publishes Security Advisory JSA83007
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-39545

Vulnerability Analysis

The vulnerability resides in the iked process, which handles IKEv1 and IKEv2 negotiation on Junos OS devices: SRX Series firewalls, MX Series routers with the SPC3 services card, and NFX350 platforms. The daemon fails to properly validate certain mismatched parameter combinations exchanged during the IPsec negotiation phase. When the daemon encounters these exceptional conditions, it terminates unexpectedly instead of gracefully rejecting the malformed exchange.

Because iked handles all IPsec tunnel signaling, its crash interrupts existing tunnel maintenance and prevents new tunnel establishment. Repeated exploitation produces a sustained denial of service against VPN connectivity. The issue is exposed on any interface where iked listens for IKE traffic (UDP/500 and UDP/4500).

Root Cause

The root cause is an improper check for unusual or exceptional conditions [CWE-754] in the IKE negotiation handler. The daemon assumes consistency across negotiated parameters and does not defensively handle specific mismatched value combinations submitted by a peer. Encountering this state triggers an unhandled error path that terminates the process.

Attack Vector

Exploitation requires no authentication and no user interaction. An attacker capable of reaching the IKE service over the network sends crafted IKE messages containing the specific mismatching parameters. Because IKE is commonly exposed on internet-facing interfaces for site-to-site and remote-access VPN, the attack surface is broad. See the Juniper Security Advisory JSA83007 for the full list of fixed releases.

No public proof-of-concept code is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2024-39545

Indicators of Compromise

  • Unexpected termination or repeated restart of the iked process recorded in /var/log/messages or chassis logs.
  • IPsec security associations dropping simultaneously across multiple peers without a corresponding configuration change.
  • Surges of malformed or asymmetric IKE_SA_INIT or IKE_AUTH exchanges from a single source on UDP/500 or UDP/4500.

Detection Strategies

  • Monitor Junos syslog facilities for iked crash messages, core dump generation, and daemon respawn events.
  • Correlate IKE negotiation failures with packet captures on the IKE listener to identify mismatched parameter sets.
  • Track SNMP and telemetry counters for IPsec tunnel flaps that coincide with iked process restarts.

Monitoring Recommendations

  • Forward Junos iked and chassisd logs to a centralized SIEM and alert on daemon termination events.
  • Baseline normal IKE traffic volume per peer and alert on anomalous spikes from untrusted sources.
  • Apply network ACLs and inspect netflow data for unsolicited IKE traffic reaching VPN endpoints.
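The detection and monitoring bullets above can be turned into a small log triage routine. The following is an added example, not code from the original page or from Juniper: it scans constructed syslog lines (modelled on Junos "init:" process-supervision and iked negotiation messages, with an assumed "<timestamp> <host> <process>: <message>" layout), flags an iked crash loop when several terminations fall inside one short window, and lists peers whose IKE negotiation failures exceed a baseline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog lines, modelled on Junos "init:" process-supervision and
# iked negotiation messages (hypothetical, not captured from a real device).
# Assumed field layout: "<ISO timestamp> <host> <process>: <message>".
SAMPLE_LOG = """\
2024-07-11T10:00:01 srx1 init: iked (PID 4101) terminated by signal number 11. Core dumped!
2024-07-11T10:00:02 srx1 init: iked (PID 4188) started
2024-07-11T10:00:10 srx1 iked: IKE negotiation failed with error: Invalid payload. Remote: 198.51.100.10/500
2024-07-11T10:00:12 srx1 iked: IKE negotiation failed with error: Invalid payload. Remote: 198.51.100.10/500
2024-07-11T10:00:40 srx1 init: iked (PID 4188) terminated by signal number 11. Core dumped!
2024-07-11T10:00:41 srx1 init: iked (PID 4302) started
2024-07-11T10:00:45 srx1 iked: IKE negotiation failed with error: No proposal chosen. Remote: 192.0.2.7/500
2024-07-11T10:01:15 srx1 init: iked (PID 4302) terminated by signal number 11. Core dumped!
2024-07-11T10:01:16 srx1 init: iked (PID 4411) started
2024-07-11T10:01:20 srx1 iked: IKE negotiation failed with error: Invalid payload. Remote: 198.51.100.10/500
"""

CRASH_RE = re.compile(r"^(?P<ts>\S+) \S+ init: iked \(PID \d+\) terminated by signal number \d+")
RESPAWN_RE = re.compile(r"^(?P<ts>\S+) \S+ init: iked \(PID \d+\) started")
IKE_FAIL_RE = re.compile(r"^(?P<ts>\S+) \S+ iked: IKE negotiation failed.*Remote: (?P<peer>[0-9.]+)/\d+")


def analyze_iked_log(text, window_s=300, crash_threshold=2, peer_threshold=3):
    """Return crash/respawn counts, whether `crash_threshold` iked crashes fell inside
    any `window_s`-second window (a crash loop), and peers with repeated IKE failures."""
    crash_times, respawns, peer_failures = [], 0, Counter()
    for line in text.splitlines():
        if m := CRASH_RE.match(line):
            crash_times.append(datetime.fromisoformat(m["ts"]))
        elif RESPAWN_RE.match(line):
            respawns += 1
        elif m := IKE_FAIL_RE.match(line):
            peer_failures[m["peer"]] += 1

    # Sliding window over sorted crash timestamps: a daemon being knocked over
    # repeatedly shows up as several terminations packed into one short interval.
    crash_times.sort()
    crash_loop, start = False, 0
    for end, t in enumerate(crash_times):
        while (t - crash_times[start]).total_seconds() > window_s:
            start += 1
        if end - start + 1 >= crash_threshold:
            crash_loop = True
            break

    noisy = sorted(p for p, n in peer_failures.items() if n >= peer_threshold)
    return {"crashes": len(crash_times), "respawns": respawns, "crash_loop": crash_loop,
            "peer_failures": dict(peer_failures), "noisy_peers": noisy}
```

Feed it the output of a SIEM search for the device's syslog, then raise an alert when `crash_loop` is true or `noisy_peers` contains an address that is not a configured VPN gateway.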

How to Mitigate CVE-2024-39545

Immediate Actions Required

  • Identify all SRX Series, MX Series with SPC3, and NFX350 devices running affected Junos OS versions.
  • Upgrade to a fixed Junos OS release as listed in Juniper Security Advisory JSA83007.
  • Restrict IKE traffic (UDP/500 and UDP/4500) to known VPN peers using firewall filters where operationally feasible.
  • Enable logging on the iked daemon and review for prior crash events that may indicate exploitation attempts.

Patch Information

Juniper has released fixed Junos OS versions addressing CVE-2024-39545. Upgrade to Junos OS 21.2R3-S8, 21.4R3-S7, 22.1R3-S2, 22.2R3-S1, 22.3R2-S1 or 22.3R3, 22.4R1-S2, 22.4R2, 22.4R3, or any later release. Refer to the Juniper Security Advisory JSA83007 for the authoritative version matrix.

Workarounds

  • No software workaround eliminates the underlying flaw; patching is required.
  • Apply firewall filters on the loopback interface to permit IKE traffic only from trusted VPN peer addresses.
  • Where IPsec is not in use on a given platform, disable the iked service to remove exposure.
```
# Example Junos firewall filter restricting IKE to known peers
# 198.51.100.10/32 is a placeholder; list every trusted VPN peer address here
set firewall family inet filter PROTECT-IKE term allow-ike from source-address 198.51.100.10/32
set firewall family inet filter PROTECT-IKE term allow-ike from protocol udp
set firewall family inet filter PROTECT-IKE term allow-ike from destination-port [ 500 4500 ]
set firewall family inet filter PROTECT-IKE term allow-ike then accept
# Drop and log IKE from any other source so unsolicited negotiation attempts are visible in syslog
set firewall family inet filter PROTECT-IKE term block-ike from protocol udp
set firewall family inet filter PROTECT-IKE term block-ike from destination-port [ 500 4500 ]
set firewall family inet filter PROTECT-IKE term block-ike then syslog
set firewall family inet filter PROTECT-IKE term block-ike then discard
# Junos filters end in an implicit discard: without this final term the lo0 filter
# would also drop management and routing-protocol traffic destined to the Routing Engine
set firewall family inet filter PROTECT-IKE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-IKE
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
