CVE-2024-39562: Juniper Junos OS Evolved DoS Vulnerability

CVE-2024-39562 Overview

CVE-2024-39562 is a Missing Release of Resource after Effective Lifetime vulnerability [CWE-772] affecting the xinetd process in Juniper Networks Junos OS Evolved. The xinetd process is responsible for spawning SSH daemon (sshd) instances on the device. An unauthenticated, network-based attacker can trigger the flaw by sending a high rate of concurrent SSH requests that terminate in a specific way. This causes xinetd to crash and leaves defunct sshd processes on the system. Successful exploitation blocks SSH access and any services that depend on SSH, including SFTP and NETCONF over SSH.

Critical Impact

Sustained denial of service against SSH, SFTP, and NETCONF over SSH on Junos OS Evolved devices, requiring manual service restoration before legitimate administrators can regain remote access.

Affected Products

• Juniper Networks Junos OS Evolved: all versions prior to 21.4R3-S7-EVO
• Juniper Networks Junos OS Evolved 22.3-EVO: versions prior to 22.3R2-S2-EVO and 22.3R3-S2-EVO
• Juniper Networks Junos OS Evolved 22.4-EVO: versions prior to 22.4R3-EVO, and 23.2-EVO versions prior to 23.2R2-EVO

Discovery Timeline

• 2024-07-10 - CVE-2024-39562 published to NVD by Juniper Networks (advisory JSA75724)
• 2025-02-07 - Last updated in NVD database

Technical Details for CVE-2024-39562

Vulnerability Analysis

The vulnerability resides in the xinetd super-server process that listens for inbound SSH connections and spawns dedicated sshd child processes to handle them. When a flood of concurrent SSH connection attempts terminates in a particular manner, xinetd fails to release child process resources correctly. The crash of xinetd leaves orphaned sshd processes in a defunct (zombie) state. Once xinetd is no longer accepting connections, the device cannot establish new SSH sessions. Any management plane service that tunnels over SSH, including SFTP and NETCONF over SSH, becomes unreachable until the device is manually remediated.

Root Cause

The root cause is improper resource cleanup in xinetd after SSH child process lifetimes have ended. The process does not reap terminated child processes correctly under specific termination conditions. This results in accumulating defunct sshd entries and an eventual crash of the parent process. The defect is categorized as [CWE-772] Missing Release of Resource after Effective Lifetime.

Attack Vector

Exploitation requires only network reachability to the SSH service on the targeted Junos OS Evolved device. No authentication or user interaction is needed. An attacker sends a high rate of SSH connections and terminates them in the specific pattern that triggers the resource leak. Continued connection floods sustain the denial of service condition. The attack does not compromise confidentiality or integrity, only availability of SSH and SSH-dependent services.

No public proof-of-concept code or in-the-wild exploitation has been reported for CVE-2024-39562. See the Juniper Security Advisory JSA75724 for vendor technical details.

Detection Methods for CVE-2024-39562

Indicators of Compromise

• Accumulating defunct sshd entries visible via the CLI command show system processes | match sshd, with output similar to root 25219 30901 0 Jul16 ? 00:00:00 [sshd] <defunct>
• New SSH sessions fail to establish while existing sessions remain functional
• SFTP transfers and NETCONF over SSH sessions to the device begin failing simultaneously
• Abnormal spike in inbound TCP/22 connection attempts followed by abrupt RST or FIN sequences

Detection Strategies

• Monitor the count of sshd processes in <defunct> state and alert when the count exceeds a baseline threshold
• Correlate device-side SSH unavailability with network telemetry showing bursts of short-lived TCP/22 sessions from external sources
• Track xinetd process restarts or crashes via system logs on Junos OS Evolved

Monitoring Recommendations

• Periodically poll show system processes | match sshd through automation and pipe results into a SIEM for trending
• Forward syslog from Junos OS Evolved devices to a centralized log platform and alert on xinetd termination messages
• Baseline the rate of SSH connections to management interfaces and trigger alerts on sustained anomalous spikes

How to Mitigate CVE-2024-39562

Immediate Actions Required

• Upgrade Junos OS Evolved to a fixed release: 21.4R3-S7-EVO, 22.3R2-S2-EVO, 22.3R3-S2-EVO, 22.4R3-EVO, 23.2R2-EVO, or later
• Restrict SSH access to management interfaces using firewall filters that only permit trusted administrative source addresses
• If the device is currently in the impacted state, manually restart SSH services or reboot the device to clear defunct sshd processes

Patch Information

Juniper Networks has released fixed software addressing CVE-2024-39562. Refer to Juniper Security Advisory JSA75724 for the complete list of fixed releases and upgrade guidance. The issue does not affect Junos OS Evolved 22.1-EVO or 22.2-EVO.

Workarounds

• Apply firewall filters (loopback or interface ACLs) to limit inbound SSH connections to known administrator IP ranges
• Rate-limit inbound TCP/22 traffic at upstream network devices to reduce the feasibility of high-rate connection floods
• Maintain out-of-band console access so administrators can recover management connectivity if SSH becomes unavailable

# Example: restrict SSH access on Junos OS Evolved using a firewall filter
set firewall family inet filter PROTECT-RE term ALLOW-SSH from source-address 198.51.100.0/24
set firewall family inet filter PROTECT-RE term ALLOW-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term ALLOW-SSH from destination-port 22
set firewall family inet filter PROTECT-RE term ALLOW-SSH then accept
set firewall family inet filter PROTECT-RE term BLOCK-SSH from protocol tcp
set firewall family inet filter PROTECT-RE term BLOCK-SSH from destination-port 22
set firewall family inet filter PROTECT-RE term BLOCK-SSH then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
commit