CVE-2024-39549 Overview
CVE-2024-39549 is a Memory Leak vulnerability in the routing process daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved. The vulnerability exists due to a Missing Release of Memory after Effective Lifetime condition that allows an attacker to send malformed BGP Path attribute updates to affected devices. When these malformed updates are processed, memory is allocated to log the bad path attribute but is not properly freed in all circumstances, ultimately leading to a Denial of Service (DoS) condition.
This vulnerability is particularly concerning for organizations running BGP in their network infrastructure, as it can be exploited remotely without authentication. The memory exhaustion can cause routing instability and potential network outages across enterprise and service provider environments.
Critical Impact
Remote attackers can cause Denial of Service by exhausting memory on Juniper routing devices through malformed BGP Path attribute updates, potentially disrupting network routing infrastructure.
Affected Products
- Juniper Junos OS (all versions before 21.2R3-S8, from 21.4 before 21.4R3-S8, from 22.2 before 22.2R3-S4, from 22.3 before 22.3R3-S3, from 22.4 before 22.4R3-S3, from 23.2 before 23.2R2-S1, from 23.4 before 23.4R1-S2/23.4R2)
- Juniper Junos OS Evolved (all versions before 21.2R3-S8-EVO, from 21.4 before 21.4R3-S8-EVO, from 22.2 before 22.2R3-S4-EVO, from 22.3 before 22.3R3-S3-EVO, from 22.4 before 22.4R3-S3-EVO, from 23.2 before 23.2R2-S1-EVO, from 23.4 before 23.4R1-S2-EVO/23.4R2-EVO)
Discovery Timeline
- July 11, 2024 - CVE-2024-39549 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2024-39549
Vulnerability Analysis
This vulnerability is classified as CWE-401: Missing Release of Memory after Effective Lifetime. The flaw resides in the routing process daemon (rpd), which is responsible for managing routing protocols including BGP on Juniper devices. When the rpd receives a malformed BGP Path attribute in an UPDATE message, it allocates memory to log information about the invalid attribute for diagnostic purposes. However, the code path responsible for handling these error conditions fails to properly release the allocated memory in certain scenarios.
The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction. An attacker with the ability to send BGP messages to an affected device can continuously send malformed Path attribute updates, causing progressive memory consumption on the target system.
Root Cause
The root cause is improper memory management within the rpd process when handling malformed BGP Path attributes. Specifically, memory buffers allocated for logging bad path attributes are not consistently deallocated after use. This creates a classic memory leak scenario where each malformed BGP update consumes additional memory that is never returned to the system's available memory pool.
The memory leak occurs because the error handling routines that process invalid BGP attributes allocate logging buffers but lack corresponding deallocation calls in all code paths. Over time, this leads to memory exhaustion on the device.
Attack Vector
The attack is network-based and targets the BGP protocol implementation. An attacker can exploit this vulnerability by establishing or attempting to establish a BGP session with the target device and sending specially crafted BGP UPDATE messages containing malformed Path attributes. The attack does not require the BGP session to be fully established, as the vulnerability is triggered during path attribute parsing.
The exploitation mechanism involves repeatedly sending BGP UPDATE messages with intentionally malformed path attributes to trigger the logging code path and cause memory allocation without proper cleanup. This attack can be sustained over time to gradually exhaust available system memory.
Detection Methods for CVE-2024-39549
Indicators of Compromise
- Unusually high memory utilization on Juniper routing devices, particularly in the rpd process
- System logs showing repeated entries related to malformed BGP Path attributes
- BGP session instability or unexpected session resets
- Gradual degradation of routing performance over time
Detection Strategies
- Monitor system memory using the command show system memory to identify abnormal memory consumption patterns
- Use show system monitor memory status to track real-time memory utilization trends
- Implement alerting for rpd process memory consumption exceeding baseline thresholds
- Review BGP session logs for patterns of malformed attribute processing
Monitoring Recommendations
- Configure SNMP traps or syslog alerts for memory utilization thresholds on routing devices
- Establish baseline memory consumption metrics for the rpd process under normal operation
- Implement network monitoring to detect unusual BGP traffic patterns from untrusted sources
- Deploy SentinelOne Singularity platform to monitor network device health and detect anomalous behavior patterns
How to Mitigate CVE-2024-39549
Immediate Actions Required
- Identify all Juniper Junos OS and Junos OS Evolved devices in your environment running affected versions
- Prioritize patching for devices with BGP peering sessions exposed to untrusted networks
- Review BGP peering configurations and ensure sessions are only established with trusted peers
- Implement BGP prefix filtering and route policies to limit exposure
- Monitor memory utilization on affected devices pending patch deployment
Patch Information
Juniper Networks has released security patches to address this vulnerability. Organizations should upgrade to the following fixed versions:
Junos OS:21.2R3-S8, 21.4R3-S8, 22.2R3-S4, 22.3R3-S3, 22.4R3-S3, 23.2R2-S1, 23.4R1-S2, or 23.4R2
Junos OS Evolved:21.2R3-S8-EVO, 21.4R3-S8-EVO, 22.2R3-S4-EVO, 22.3R3-S3-EVO, 22.4R3-S3-EVO, 23.2R2-S1-EVO, 23.4R1-S2-EVO, or 23.4R2-EVO
For detailed patch information and download links, refer to the Juniper Security Advisory JSA83011.
Workarounds
- If patching is not immediately possible, manually restart the Routing Protocol Daemon (rpd) to free consumed memory as a temporary measure
- Implement strict BGP peer authentication using MD5 or TCP-AO to prevent unauthorized BGP sessions
- Configure BGP maximum-prefix limits to help mitigate the impact of sustained attacks
- Consider implementing BGP TTL Security (GTSM) to reject BGP packets with unexpected TTL values
# Monitor memory utilization on Juniper devices
show system memory
show system monitor memory status
# Restart rpd to recover memory (temporary workaround)
restart routing immediately
# Configure BGP authentication (recommended hardening)
set protocols bgp group <group-name> authentication-key <key>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
