CVE-2024-47502 Overview
CVE-2024-47502 is a resource exhaustion vulnerability in the kernel of Juniper Networks Junos OS Evolved. The flaw allows an unauthenticated, network-based attacker to trigger a Denial of Service (DoS) condition against the routing engine (RE). Terminated TCP sessions are not properly cleared from kernel state, causing connection resources to accumulate until new control-plane connections can no longer be established. The issue affects only IPv4 TCP sessions established in-band over an FPC interface, not IPv6 or out-of-band management traffic. Recovery requires a manual restart of the affected RE. The vulnerability is classified under [CWE-770] Allocation of Resources Without Limits or Throttling.
Critical Impact
Unauthenticated remote attackers can exhaust kernel TCP session resources on the routing engine, preventing new control-plane connections and disrupting device manageability until manual RE restart.
Affected Products
- Juniper Junos OS Evolved: all versions before 21.4R3-S9-EVO
- Juniper Junos OS Evolved: 22.2 versions before 22.2R3-S4-EVO, 22.4 versions before 22.4R3-S3-EVO
- Juniper Junos OS Evolved: 23.2 versions before 23.2R2-S1-EVO, 23.4 versions before 23.4R2-EVO
Discovery Timeline
- 2024-10-11 - CVE-2024-47502 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2024-47502
Vulnerability Analysis
The vulnerability resides in the Junos OS Evolved kernel's handling of TCP session state. When in-band TCP sessions terminate under specific conditions, the kernel fails to release the associated session state. Over time, these residual entries accumulate and consume finite kernel resources reserved for TCP connection tracking on the routing engine.
Operators can observe the issue by running show system connections and noting a connection count that keeps rising and never falls back as clients disconnect. Once the kernel's connection resources are exhausted, the control plane cannot accept new TCP connections: new SSH and NETCONF logins fail, and new TCP-based routing protocol sessions (for example BGP) cannot be established, while sessions set up earlier may continue to run until they are torn down. The defect impacts availability only; confidentiality and integrity are not affected.
Root Cause
The root cause is that the kernel does not release the state of terminated IPv4 TCP sessions that were established over FPC (in-band) interfaces, and it places no bound or throttle on how many such stale entries may accumulate, which is the pattern described by [CWE-770]. IPv6 TCP sessions and sessions terminated on the RE's out-of-band management Ethernet interface are not affected.
Attack Vector
An unauthenticated remote attacker who can reach any TCP service exposed on an in-band interface of the device can drive connections through setup and teardown so that each terminated session leaves residual kernel state behind; sustained connection churn eventually fills the kernel's connection table. No credentials, user interaction, or special privileges are required. The vendor has not published the exact conditions under which a terminated session is left uncleared, so for exposure assessment treat any source able to complete a TCP handshake to an in-band address of the RE as able to trigger the leak.
No public proof-of-concept code or verified exploit details are available. Refer to the Juniper Security Advisory JSA88132 for vendor-supplied technical context.
Detection Methods for CVE-2024-47502
Indicators of Compromise
- A connection count returned by show system connections on the routing engine that keeps rising without a corresponding increase in legitimate sessions.
- Failures to establish new TCP-based control-plane sessions (SSH, NETCONF, BGP) while sessions that were already established remain intact.
- A connection count that does not fall back when clients disconnect and only resets after the RE is restarted.
Detection Strategies
- Periodically poll show system connections over NETCONF or SSH and alert when the count of non-listening IPv4 TCP entries keeps rising above the platform baseline.
- Correlate management-plane connection failures with elevated TCP session counts on affected REs.
- Track inbound IPv4 TCP connection rates on in-band (FPC) interfaces to identify abnormal churn from external sources.
Monitoring Recommendations
- Establish a baseline for normal show system connections values per platform and alarm on deviations.
- Forward Junos OS Evolved syslog and operational telemetry to a centralized analytics platform for trend analysis.
- Monitor BGP and other TCP-based routing protocol sessions that drop and then fail to re-establish; that pattern, rather than an isolated flap, indicates the RE is no longer accepting new connections.
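The two lists above describe polling show system connections, comparing the count against a baseline, and attributing churn to its source. The script below implements that logic over a captured snapshot. It is an added example for this page, not Juniper code: the snapshot layout (netstat-style columns Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and the sample rows with documentation-range addresses are constructed assumptions, so adjust the regular expression if your platform prints the columns differently. Only IPv4 TCP rows are counted, because the advisory scopes the leak to in-band IPv4 TCP sessions, and LISTEN sockets are excluded since they are static and never part of the growth.

```python
"""Trend and top-talker analysis over `show system connections` snapshots.

Added example, not Juniper code. The snapshot format and the sample rows are
constructed assumptions (netstat-style columns); the state in which leaked
sessions linger is not documented, so every non-LISTEN IPv4 TCP row counts.
"""
import re
from collections import Counter

# Constructed sample snapshot; addresses are RFC 5737/3849 documentation
# ranges, not real hosts. 203.0.113.7 plays the role of a churning source.
SAMPLE_SNAPSHOT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:179             0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.1:22             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.1.1.1:179            10.1.1.2:44180          ESTABLISHED
tcp        0      0 10.1.1.1:22             203.0.113.7:40001       CLOSE_WAIT
tcp        0      0 10.1.1.1:22             203.0.113.7:40002       CLOSE_WAIT
tcp        0      0 10.1.1.1:22             203.0.113.7:40003       CLOSE_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::1:22          2001:db8::9:50000       ESTABLISHED
"""

# One TCP row: proto, two queue counters, local, foreign, state. Header and
# summary lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<proto>tcp[46]?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"\s+(?P<state>[A-Z][A-Z_0-9]*)\s*$"
)


def parse_connections(text):
    """Return a list of dicts (proto, local, foreign, state) for each TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def _ipv4_active(text):
    """IPv4 TCP rows that are not listening sockets (the population that leaks)."""
    return [r for r in parse_connections(text)
            if r["proto"] != "tcp6" and r["state"] != "LISTEN"]


def ipv4_tcp_states(text):
    """Per-state count of active IPv4 TCP entries."""
    return Counter(r["state"] for r in _ipv4_active(text))


def ipv4_tcp_total(text):
    """Single number to trend over time: active IPv4 TCP entries on the RE."""
    return len(_ipv4_active(text))


def top_foreign_hosts(text, n=3):
    """Most frequent remote peers among active IPv4 entries. A steadily climbing
    count dominated by one source is the signature of deliberate churn."""
    hosts = Counter(r["foreign"].rsplit(":", 1)[0] for r in _ipv4_active(text))
    return hosts.most_common(n)


def growth_alarm(readings, baseline, window=4, ratio=1.5):
    """True when the last `window` readings never decrease, show net growth,
    and the latest exceeds `ratio` times the baseline. Leaked sessions never
    drain, so a count that only ever climbs is the pattern worth alerting on;
    a transient burst that drops back again is not."""
    if len(readings) < window:
        return False
    recent = readings[-window:]
    monotonic = all(b >= a for a, b in zip(recent, recent[1:]))
    return monotonic and recent[-1] > recent[0] and recent[-1] > ratio * baseline


if __name__ == "__main__":
    # In production, replace SAMPLE_SNAPSHOT with the output of
    # `show system connections` fetched over NETCONF or SSH on each poll.
    print("active IPv4 TCP entries:", ipv4_tcp_total(SAMPLE_SNAPSHOT))
    print("by state:", dict(ipv4_tcp_states(SAMPLE_SNAPSHOT)))
    print("top remote peers:", top_foreign_hosts(SAMPLE_SNAPSHOT))
    # Constructed series of poll results against a baseline of 40 entries.
    history = [40, 41, 41, 43, 60, 95, 150]
    print("growth alarm:", growth_alarm(history, baseline=40))
```

Run the poll at a fixed interval, feed ipv4_tcp_total into growth_alarm with a baseline measured on a healthy RE, and page on the first alarm; top_foreign_hosts then tells you which prefix to add to the deny side of the loopback filter while a maintenance window for the RE restart is arranged.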
How to Mitigate CVE-2024-47502
Immediate Actions Required
- Upgrade to a fixed Junos OS Evolved release: 21.4R3-S9-EVO, 22.2R3-S4-EVO, 22.4R3-S3-EVO, 23.2R2-S1-EVO, 23.4R2-EVO, or later.
- Restrict in-band access to control-plane TCP services to trusted source prefixes using a firewall filter applied to the loopback (lo0) interface.
- Monitor show system connections and plan a maintenance window to manually restart any RE showing sustained connection growth.
Patch Information
Juniper has released fixed versions addressing this vulnerability. Consult the Juniper Security Advisory JSA88132 for the complete list of fixed releases and platform applicability before upgrading.
Workarounds
- Apply loopback firewall filters that permit IPv4 TCP traffic to control-plane services only from known management networks.
- Where operationally feasible, terminate management and routing-protocol sessions over the out-of-band management Ethernet port, which is not affected.
- Implement infrastructure ACLs (iACLs) at network edges to limit unsolicited IPv4 TCP traffic reaching device control planes.
# Example loopback filter to restrict control-plane TCP access (illustrative; prefixes are placeholders)
set policy-options prefix-list TRUSTED-MGMT-PREFIXES 192.0.2.0/24
set policy-options prefix-list BGP-PEERS 198.51.100.1/32
set firewall family inet filter PROTECT-RE term TRUSTED-MGMT from source-prefix-list TRUSTED-MGMT-PREFIXES
set firewall family inet filter PROTECT-RE term TRUSTED-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term TRUSTED-MGMT then accept
set firewall family inet filter PROTECT-RE term BGP-PEERS from source-prefix-list BGP-PEERS
set firewall family inet filter PROTECT-RE term BGP-PEERS from protocol tcp
set firewall family inet filter PROTECT-RE term BGP-PEERS from port bgp
set firewall family inet filter PROTECT-RE term BGP-PEERS then accept
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP from protocol tcp
set firewall family inet filter PROTECT-RE term DENY-OTHER-TCP then discard
set firewall family inet filter PROTECT-RE term ALLOW-OTHER then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
Three details make this filter safe to apply. The prefix lists referenced by source-prefix-list must be defined under policy-options, with the example addresses replaced by your management and peering prefixes. The BGP-PEERS term is needed because DENY-OTHER-TCP would otherwise discard BGP sessions from peers outside the management prefixes. The final ALLOW-OTHER term is needed because a Junos firewall filter ends with an implicit discard, so a filter containing only the TCP terms would also drop OSPF, ICMP, NTP and every other non-TCP protocol destined to the RE. Because the filter is applied under family inet it covers exactly the IPv4 in-band path the advisory describes; TCP sessions that the RE itself initiates toward hosts outside the listed prefixes will have their return traffic discarded by DENY-OTHER-TCP and need a term of their own if such sessions are required.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


