CVE-2024-39547 Overview
CVE-2024-39547 is an Improper Handling of Exceptional Conditions vulnerability [CWE-755] in the rpd-server component of the Containerized Routing Protocol Daemon (cRPD) in Juniper Networks Junos OS and Junos OS Evolved. An unauthenticated, network-based attacker who sends crafted TCP traffic to the routing engine (RE), or who causes an established TCP session to terminate unexpectedly, triggers sustained high CPU utilization in the rpd-server process and thereby denies service to control plane operations. The condition is associated with Routing Information Base (RIB) sharding: on devices with sharding enabled, task accounting shows unexpected reads by RPD Server jobs for shards.
Critical Impact
Remote unauthenticated attackers can degrade routing engine availability on affected Junos OS and Junos OS Evolved deployments running cRPD, disrupting routing protocol operations on the control plane. Only availability is affected; confidentiality and integrity are not impacted.
Affected Products
- Juniper Networks Junos OS with cRPD: versions before 21.2R3-S8; 21.4 versions before 21.4R3-S7; 22.1 versions before 22.1R3-S6; 22.2 versions before 22.2R3-S4; 22.3 versions before 22.3R3-S3; 22.4 versions before 22.4R3-S2; 23.2 versions before 23.2R2-S2; 24.2 versions before 24.2R2
- Juniper Networks Junos OS Evolved with cRPD: versions before 21.4R3-S7-EVO; 22.2 versions before 22.2R3-S4-EVO; 22.3 versions before 22.3R3-S3-EVO; 22.4 versions before 22.4R3-S2-EVO; 23.2 versions before 23.2R2-EVO
- Juniper Containerized Routing Protocol Daemon (cRPD)
Discovery Timeline
- 2024-10-11 - CVE-2024-39547 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2024-39547
Vulnerability Analysis
The vulnerability resides in the rpd-server process inside Juniper's Containerized Routing Protocol Daemon (cRPD), which handles TCP communication with routing engine clients. When the server receives malformed TCP traffic, or an established session is torn down abruptly, it does not handle the exceptional condition gracefully: instead of cleaning up the session state, it keeps issuing read operations against the affected socket descriptors.
Over time this consumes an increasing share of control plane CPU. The condition is tied to RIB sharding, since the unexpected reads show up in task accounting as RPD Server jobs acting on behalf of shards. The result is slower routing protocol convergence and reduced control plane responsiveness overall.
Root Cause
The defect maps to CWE-755: Improper Handling of Exceptional Conditions. The rpd-server does not correctly process abnormal TCP socket events such as premature disconnects or crafted packets, and without proper exception handling it repeatedly attempts to read from sockets that should already have been closed. Task accounting confirms the pattern: entries for RPD Server read jobs show very high RUNS counts, with total CPU time accumulating against specific peer endpoints.
Attack Vector
Exploitation requires only network reachability to the TCP service that cRPD's rpd-server exposes on the routing engine. No authentication and no user interaction are needed. An attacker who can deliver TCP traffic to the control plane can trigger the condition either by sending crafted packets or by deliberately tearing down established TCP sessions. The vulnerability does not affect confidentiality or integrity; the impact is to the availability of routing functions.
No public proof-of-concept exploit and no CISA KEV listing exists for this CVE. EPSS data indicates a low probability of exploitation in the immediate term, though network-reachable control planes warrant prioritized remediation regardless of EPSS posture.
Detection Methods for CVE-2024-39547
Indicators of Compromise
- Elevated control plane CPU utilization attributed to the rpd-server process without a corresponding increase in routing churn.
- Task accounting entries showing high RUNS counts for read:RPD Server jobs tied to specific peer IP/port tuples, visible in the output of show task accounting detail.
- Repeated TCP connection resets or abnormal session terminations directed at the routing engine from external sources.
Detection Strategies
- Baseline normal rpd-server CPU consumption per platform and alert on sustained deviation, particularly on devices with RIB sharding enabled.
- Periodically collect show task accounting detail output and parse for RPD Server read jobs with disproportionate runtime accumulation.
- Correlate control plane CPU spikes with TCP flow telemetry from network sensors to identify suspicious sources targeting the routing engine.
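The second detection strategy above, collecting show task accounting detail and parsing it for RPD Server read jobs, is shown here as an added example written for this page; it is not Juniper code and it is not taken from the advisory. The sample output is constructed, and its column layout (task name, RUNS, user time, system time, longest run) is an assumption: check it against the output of the release you run and adjust the regular expression if the columns differ. Thresholds are placeholders to be replaced by a per-platform baseline.

```python
import re
from collections import defaultdict

# Constructed sample in the layout assumed here (task, RUNS, user CPU seconds,
# system CPU seconds, longest run). Two entries from one source address are
# deliberately out of proportion to everything else.
SAMPLE_OUTPUT = """\
Task accounting is enabled.

Task                                   RUNS    User Time  System Time  Longest Run
Scheduler                             24120        1.204        0.317        0.004
BGP_65000.203.0.113.7+179               882        0.091        0.022        0.002
read:RPD Server 192.0.2.10+41022        310        0.012        0.004        0.001
read:RPD Server 198.51.100.5+57310  4873322     2891.442      612.908        0.110
read:RPD Server 198.51.100.5+57311  4870019     2874.115      604.223        0.109
RT                                      512        0.030        0.010        0.001
"""

# Only the read:RPD Server jobs matter for this CVE; the peer is printed as
# ip+port in the Junos task-name convention (assumed for the sample).
_READ_RE = re.compile(
    r"^read:RPD Server\s+(?P<peer>\S+)\s+(?P<runs>\d+)\s+"
    r"(?P<user>[\d.]+)\s+(?P<sys>[\d.]+)\s+(?P<longest>[\d.]+)\s*$"
)


def parse_rpd_server_reads(text):
    """Extract read:RPD Server jobs as dicts with peer, ip, port, runs and cpu."""
    entries = []
    for line in text.splitlines():
        m = _READ_RE.match(line.strip())
        if not m:
            continue
        peer = m["peer"]
        ip, port = peer.rsplit("+", 1) if "+" in peer else (peer, "")
        entries.append({
            "peer": peer,
            "ip": ip,
            "port": int(port) if port.isdigit() else None,
            "runs": int(m["runs"]),
            "cpu": float(m["user"]) + float(m["sys"]),   # total CPU seconds
        })
    return entries


def flag_runaway_reads(entries, runs_threshold=100_000, cpu_threshold=60.0):
    """Return entries whose RUNS count or CPU time exceeds the thresholds.

    The defaults are placeholders; take them from a healthy device of the same
    platform, as the detection strategy above recommends.
    """
    return [e for e in entries
            if e["runs"] >= runs_threshold or e["cpu"] >= cpu_threshold]


def aggregate_by_ip(entries):
    """Sum runs, CPU and session count per source address, since one attacker
    may hold many sessions that are individually below threshold."""
    totals = defaultdict(lambda: {"runs": 0, "cpu": 0.0, "sessions": 0})
    for e in entries:
        t = totals[e["ip"]]
        t["runs"] += e["runs"]
        t["cpu"] += e["cpu"]
        t["sessions"] += 1
    return dict(totals)


if __name__ == "__main__":
    reads = parse_rpd_server_reads(SAMPLE_OUTPUT)
    for e in flag_runaway_reads(reads):
        print(f"ALERT runaway RPD Server read from {e['peer']}: "
              f"runs={e['runs']} cpu={e['cpu']:.1f}s")
    for ip, t in aggregate_by_ip(reads).items():
        print(f"{ip}: sessions={t['sessions']} runs={t['runs']} cpu={t['cpu']:.1f}s")
```

Run it against output captured on a schedule (for example with the Junos CLI over SSH, or by polling and storing the text), and feed the flagged peers and the per-address aggregates to the analytics platform described under Monitoring Recommendations so that they can be joined with flow telemetry for the same source address.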
Monitoring Recommendations
- Forward Junos syslog, SNMP CPU counters, and task accounting outputs to a centralized analytics platform for trend analysis.
- Track TCP session establishment and teardown rates against the routing engine management and protocol ports.
- Configure alerts for rpd and rpd-server resource thresholds that exceed operational baselines for more than a brief sampling window.
How to Mitigate CVE-2024-39547
Immediate Actions Required
- Identify all devices running Junos OS or Junos OS Evolved with cRPD and inventory the running release against the fixed versions listed in JSA88108.
- Restrict TCP access to the routing engine using infrastructure ACLs or firewall filters so that only trusted management and peering sources can reach control plane services.
- Where feasible, disable RIB sharding on affected devices until patches can be applied; the unexpected reads are tied to shard jobs, so this reduces exposure to the condition.
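The first action above, comparing each device's running release against the fixed versions, is error-prone when done by hand because Junos release strings carry service-release and build suffixes. The following script is an added example for this page, not Juniper tooling: it parses release strings, looks up the fix for the matching train and platform from the versions this page lists for JSA88108, and classifies each host. The inventory dictionary and hostnames are constructed. It assumes, following the advisory wording "versions before", that trains older than the oldest listed train are affected; trains the page does not list are reported as "not listed" rather than guessed, and must be checked against the advisory itself.

```python
import re

# Fixed releases as listed on this page for JSA88108, keyed by release train
# ("major.minor") and platform (Junos OS vs Junos OS Evolved).
FIXED_JUNOS = {
    "21.2": "21.2R3-S8", "21.4": "21.4R3-S7", "22.1": "22.1R3-S6",
    "22.2": "22.2R3-S4", "22.3": "22.3R3-S3", "22.4": "22.4R3-S2",
    "23.2": "23.2R2-S2", "24.2": "24.2R2",
}
FIXED_EVO = {
    "21.4": "21.4R3-S7-EVO", "22.2": "22.2R3-S4-EVO", "22.3": "22.3R3-S3-EVO",
    "22.4": "22.4R3-S2-EVO", "23.2": "23.2R2-EVO",
}

# <major>.<minor>R<n>[.<build>][-S<m>[.<build>]][-EVO]; build numbers do not
# change the fix comparison and are discarded.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)R(?P<r>\d+)(?:\.\d+)?"
    r"(?:-S(?P<s>\d+)(?:\.\d+)?)?(?P<evo>-EVO)?$"
)


def parse_junos_version(version):
    """Return (train, (R, S), is_evo) for a release string such as 22.4R3-S2.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos release string: {version!r}")
    train = f"{m['major']}.{m['minor']}"
    level = (int(m["r"]), int(m["s"] or 0))
    return train, level, m["evo"] is not None


def _train_key(train):
    return tuple(int(x) for x in train.split("."))


def assess(version):
    """Classify one running release as 'vulnerable', 'fixed' or 'not listed'."""
    train, level, evo = parse_junos_version(version)
    table = FIXED_EVO if evo else FIXED_JUNOS
    if train in table:
        _, fixed_level, _ = parse_junos_version(table[train])
        return "fixed" if level >= fixed_level else "vulnerable"
    # Assumption: "versions before <first fix>" covers every older train.
    if _train_key(train) < min(_train_key(t) for t in table):
        return "vulnerable"
    # Trains the page does not list are never silently marked safe.
    return "not listed"


def triage(inventory):
    """Map {hostname: version} to {hostname: (version, status)}."""
    return {host: (ver, assess(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are invented for illustration.
    sample = {
        "crpd-edge-1": "22.4R3.15",
        "crpd-edge-2": "22.4R3-S2.1",
        "crpd-core-1": "21.4R3-S6-EVO",
        "crpd-core-2": "23.4R2",
        "crpd-lab-1": "20.4R3-S9",
    }
    for host, (ver, status) in sorted(triage(sample).items()):
        print(f"{host:<14}{ver:<16}{status}")
```

A later main release on a listed train (22.4R4, say) is classified as fixed because it follows 22.4R3-S2 in that train; a service release on the same train with a lower S number (22.4R3-S1) is not. Whatever the script reports, treat "not listed" as a prompt to read the advisory, not as a verdict.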
Patch Information
Juniper Networks has released fixed software in Junos OS versions 21.2R3-S8, 21.4R3-S7, 22.1R3-S6, 22.2R3-S4, 22.3R3-S3, 22.4R3-S2, 23.2R2-S2, 24.2R2 and subsequent releases. Junos OS Evolved fixes are available in 21.4R3-S7-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R3-S2-EVO, 23.2R2-EVO and later. Refer to the Juniper Security Advisory JSA88108 for full version guidance and download links.
Workarounds
- Apply loopback (lo0) firewall filters, under family inet and, where IPv6 is in use, family inet6, that limit TCP traffic destined for the routing engine to authorized peers and management hosts.
- Use BGP session authentication (MD5 or TCP-AO) and GTSM where applicable, so that unauthenticated segments and packets from beyond the expected hop count are rejected before they reach the application. These protect protocol sessions; they do not replace a filter in front of the rpd-server service itself.
- Monitor show task accounting detail regularly and, if abnormal CPU growth appears before patching, clear the condition by restarting the rpd process (restart routing on Junos) during a maintenance window. Restarting rpd drops routing protocol adjacencies and forces reconvergence, so plan it as a disruptive change.
# Example loopback filter restricting TCP access to the RE to trusted hosts.
# Junos filters end with an implicit discard, so the final ALLOW-REST term is
# required: without it, non-TCP control plane traffic (OSPF, ICMP, NTP, DNS)
# would be dropped as well. Add every BGP/LDP peer and management host to the
# prefix list; the counter on the deny term feeds the detection work above.
set policy-options prefix-list TRUSTED-TCP-SOURCES 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED from source-prefix-list TRUSTED-TCP-SOURCES
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-TRUSTED then accept
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then count UNTRUSTED-TCP-TO-RE
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then discard
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

