CVE-2024-47504 Overview
CVE-2024-47504 is a denial of service vulnerability in the packet forwarding engine (pfe) of Juniper Networks Junos OS running on SRX5000 Series firewalls. An unauthenticated, network-based attacker can send a specifically malformed packet to a non-clustered SRX5000 device, causing the flowd process to crash and restart. The flaw is classified as Improper Validation of Specified Type of Input [CWE-1287] and affects multiple Junos OS release trains from 22.1 through 24.2. Repeated exploitation results in sustained service disruption to traffic processed by the affected firewall.
Critical Impact
An unauthenticated remote attacker can crash the flowd packet forwarding daemon on non-clustered SRX5400, SRX5600, and SRX5800 firewalls by sending a single malformed packet, disrupting traffic forwarding.
Affected Products
- Juniper Networks Junos OS on SRX5400
- Juniper Networks Junos OS on SRX5600
- Juniper Networks Junos OS on SRX5800
Discovery Timeline
- 2024-10-11 - CVE-2024-47504 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2024-47504
Vulnerability Analysis
The vulnerability resides in the packet forwarding engine (pfe) of Junos OS, specifically in the flowd daemon responsible for session and flow processing on SRX5000 Series platforms. When flowd receives a packet whose type-specific fields do not conform to the expected structure, the daemon fails to validate the input correctly and terminates. The platform restarts the process, but during the recovery interval, traffic traversing the firewall is dropped. An attacker can re-send the malformed packet to maintain a denial of service condition against the affected device.
Root Cause
The root cause is improper validation of a specified input type within flowd. The packet forwarding engine assumes specific field semantics in incoming packets without verifying that the supplied values conform to the declared type. Processing the mismatched data triggers a fatal error in flowd. Only non-clustered SRX5000 deployments are impacted, indicating the validation gap exists in a code path that chassis-cluster configurations do not exercise the same way.
Attack Vector
Exploitation requires only network reachability to the SRX5000 device. No authentication, user interaction, or privileges are needed. The attacker crafts a single malformed packet matching the vulnerable parser conditions and transmits it to the device. The flowd process crashes immediately upon parsing the malformed input. The advisory does not indicate active exploitation or public proof-of-concept code at the time of disclosure.
No verified proof-of-concept code is publicly available. Refer to the Juniper Security Advisory JSA88134 for vendor-supplied technical details.
Detection Methods for CVE-2024-47504
Indicators of Compromise
- Unexpected flowd process crashes or restarts recorded in chassisd and messages logs on SRX5400, SRX5600, or SRX5800 devices.
- Transient traffic drops or session table resets correlated with flowd restart events.
- Core files generated by flowd in /var/crash/ or /var/tmp/ on affected devices.
Detection Strategies
- Forward Junos syslog and RE/PFE event logs to a centralized SIEM and alert on repeated flowd restart messages within short time windows.
- Monitor SNMP traps for jnxFruOfflineNotification and PFE daemon state changes on SRX5000 chassis.
- Correlate unexpected session table flushes with inbound packet captures at upstream collection points to identify malformed packet sources.
Monitoring Recommendations
- Track the output of show system processes extensive | match flowd for a changed flowd process ID, which indicates that the daemon has restarted.
- Enable and retain PFE trace logging to capture the conditions preceding daemon crashes for forensic review.
- Alert on traffic blackholing or sudden drops in session counts on SRX5000 firewalls.
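The two checks above (alerting on repeated flowd restart messages within a short window, and spotting a changed flowd PID between process listings) as an added, runnable example for a collector or SIEM pre-processor. This is not Juniper code and not part of the advisory; the syslog line layout, the exact restart wording, and the top-style process columns are constructed to resemble Junos output and must be adjusted to the messages your devices actually emit.

```python
"""Defender-side helpers for the flowd restart symptoms of CVE-2024-47504.
Added example for this page, not Juniper tooling. Message formats are
assumptions: tune SYSLOG_RE / RESTART_RE to your own log samples."""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample syslog lines (RFC 3164 style) as forwarded to a collector.
SAMPLE_SYSLOG = """\
Oct 15 10:01:02 srx5800-edge-1 chassisd[1234]: flowd process restarted on fpc0
Oct 15 10:01:40 srx5800-edge-1 sshd[2201]: Accepted publickey for admin
Oct 15 10:02:11 srx5800-edge-1 chassisd[1234]: flowd process restarted on fpc0
Oct 15 10:03:05 srx5800-edge-1 chassisd[1234]: flowd process restarted on fpc0
Oct 15 12:30:00 srx5800-edge-1 chassisd[1234]: flowd process restarted on fpc0
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Assumed wording of a flowd restart/crash event; widen as needed.
RESTART_RE = re.compile(r"\bflowd\b.*\b(restart|crash|core dump|exited)", re.I)


def parse_syslog(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str]]:
    """Split one syslog line into (timestamp, host, message); None if unparsable.
    RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def flowd_restart_alerts(lines: List[str], window: timedelta = timedelta(minutes=5),
                         threshold: int = 3) -> List[Tuple[str, datetime, int]]:
    """Sliding-window detector: emit (host, time, count) whenever `threshold`
    flowd restart messages from one host fall inside `window`. One burst
    raises one alert; the window is cleared after firing."""
    recent: Dict[str, Deque[datetime]] = {}
    alerts: List[Tuple[str, datetime, int]] = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue
        ts, host, msg = parsed
        if not RESTART_RE.search(msg):
            continue
        q = recent.setdefault(host, deque())
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, ts, len(q)))
            q.clear()
    return alerts


# Constructed snapshots of `show system processes extensive | match flowd`
# output; columns mimic the top-style listing (PID first, command last).
BASELINE_PROCS = " 2100 root    1  20    0  1900M  850M select  0 123:45  0.00% flowd"
CURRENT_PROCS = " 7342 root    1  20    0  1900M  820M select  0   0:12  0.00% flowd"


def flowd_pids(output: str) -> List[int]:
    """Collect PIDs of lines whose command column starts with 'flowd'."""
    pids = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].isdigit() and fields[-1].startswith("flowd"):
            pids.append(int(fields[0]))
    return pids


def flowd_restarted(baseline: str, current: str) -> bool:
    """A restarted daemon gets a new PID, so a changed PID set between two
    snapshots is the restart indicator the monitoring list describes."""
    return set(flowd_pids(baseline)) != set(flowd_pids(current))


if __name__ == "__main__":
    for host, when, count in flowd_restart_alerts(SAMPLE_SYSLOG.splitlines()):
        print(f"ALERT {host}: {count} flowd restarts within 5 min, last at {when}")
    print("flowd PID changed:", flowd_restarted(BASELINE_PROCS, CURRENT_PROCS))
```

Run against the constructed sample, the three restarts between 10:01 and 10:03 produce one alert and the lone 12:30 event none; the PID comparison reports a restart. Feed `flowd_restart_alerts` the raw lines from your syslog pipeline and `flowd_pids` the periodic CLI output to get the same two signals on live devices.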
How to Mitigate CVE-2024-47504
Immediate Actions Required
- Inventory all SRX5400, SRX5600, and SRX5800 devices and identify those running affected Junos OS versions 22.1, 22.3, 22.4, 23.2, 23.4, or 24.2.
- Apply the fixed Junos OS releases listed in Juniper Security Advisory JSA88134 as soon as a maintenance window permits.
- Restrict ingress traffic to SRX5000 management and transit interfaces using upstream ACLs where feasible until patches are deployed.
Patch Information
Juniper has released fixed software in Junos OS 22.2R3-S5, 22.3R3-S4, 22.4R3-S4, 23.2R2-S2, 23.4R2-S1, 24.2R1-S1, and 24.2R2. Customers should upgrade to one of these or later releases on affected SRX5000 Series platforms. Full upgrade guidance is documented in the Juniper Security Advisory JSA88134.
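The inventory step above and the fixed-release list can be turned into a version check. The following is an added example written for this page, not a Juniper tool: it parses the `Junos:` line of `show version` output and compares the running release against the fixed releases quoted above for its train. The version-string grammar (MM.mRn[-Sk][.build]) and the sample `show version` text are assumptions; trains the page lists as affected but for which no fix is quoted (such as 22.1) are reported as needing an upgrade to a fixed train, and versions outside the 22.1 to 24.2 range are flagged for confirmation against JSA88134 rather than declared safe.

```python
"""Classify a Junos OS version against the CVE-2024-47504 fixed releases
listed on this page. Added example; not Juniper code."""
import re
from typing import Optional, Tuple

# Fixed releases as quoted on this page from JSA88134, keyed by train -> (R, S).
FIXED_BY_TRAIN = {
    (22, 2): (3, 5),  # 22.2R3-S5
    (22, 3): (3, 4),  # 22.3R3-S4
    (22, 4): (3, 4),  # 22.4R3-S4
    (23, 2): (2, 2),  # 23.2R2-S2
    (23, 4): (2, 1),  # 23.4R2-S1
    (24, 2): (1, 1),  # 24.2R1-S1 (24.2R2 and later compare higher, so also fixed)
}
AFFECTED_TRAINS = ((22, 1), (24, 2))  # inclusive range the page states as affected

# Assumed grammar: major.minor R release [-S service] [.build]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:-S(\d+))?(?:\.\d+)?$")

# Constructed `show version` excerpt (not real device output).
SAMPLE_SHOW_VERSION = """\
Hostname: srx5800-edge-1
Model: srx5800
Junos: 22.4R3-S3.6
Junos OS Kernel 64-bit  [20240101.000000_builder_stable_12]
"""


def parse_version(text: str) -> Optional[Tuple[Tuple[int, int], Tuple[int, int]]]:
    """Return ((major, minor), (R, S)); S defaults to 0 when absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, rel, svc = m.groups()
    return (int(major), int(minor)), (int(rel), int(svc or 0))


def version_from_show_version(output: str) -> Optional[str]:
    """Pull the value of the 'Junos:' line out of `show version` output."""
    for line in output.splitlines():
        if line.strip().startswith("Junos:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(version: str) -> str:
    """Status string for one running version relative to the fix table."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparsed: check manually"
    train, rel = parsed
    low, high = AFFECTED_TRAINS
    if train < low or train > high:
        return "outside listed affected range: confirm with JSA88134"
    fix = FIXED_BY_TRAIN.get(train)
    if fix is None:
        return "affected train with no fixed release listed: upgrade to a fixed train"
    if rel >= fix:
        return "fixed"
    return "vulnerable: upgrade to %d.%dR%d-S%d or later" % (train + fix)


if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    print(running, "->", classify(running or ""))
```

Comparison is done on the (R, S) pair within a train, so 24.2R2 compares above 24.2R1-S1 and is reported fixed, while 24.2R1 with no service release is reported vulnerable. Point `version_from_show_version` at the output collected from each SRX5400, SRX5600 and SRX5800 in the inventory to produce the list of devices still needing the upgrade.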
Workarounds
- Deploying the SRX5000 device in a chassis cluster configuration avoids the vulnerable code path, per the vendor advisory.
- Apply firewall filters on loopback and transit interfaces to drop traffic from untrusted sources before it reaches the packet forwarding engine.
- Implement strict edge filtering and BCP38-style anti-spoofing controls to reduce the attack surface for unauthenticated remote packets.
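The filter and anti-spoofing workarounds in the two items above, as an added Junos configuration example written for this page (it is not from JSA88134 and not Juniper-supplied). The prefix-list contents, filter names, counter names and the transit interface name are assumptions. Two caveats a practitioner should keep in mind: a filter on lo0 only governs host-bound traffic, so transit traffic needs its own interface filter as shown; and because the malformed packet is not publicly characterised, these filters reduce which sources can reach the firewall rather than block the trigger itself. The lo0 filter below must also be extended with terms for any routing protocols, NTP, DNS or other host-bound services the device relies on before it is committed.

```junos
/* Added example; names and prefixes are assumptions, not vendor values. */
policy-options {
    prefix-list MGMT-TRUSTED {
        192.0.2.0/24;          /* constructed management range (RFC 5737) */
    }
    prefix-list BOGON-SOURCES {
        10.0.0.0/8;            /* RFC 1918 space that must not arrive from outside */
        172.16.0.0/12;
        192.168.0.0/16;
        0.0.0.0/8;
        127.0.0.0/8;
    }
}
firewall {
    family inet {
        /* Host-bound path: accept management from trusted sources, log and drop the rest. */
        filter PROTECT-RE {
            term allow-trusted-mgmt {
                from {
                    source-prefix-list {
                        MGMT-TRUSTED;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Add terms for routing protocols, NTP, DNS, SNMP etc. here before use. */
            term drop-untrusted {
                then {
                    count untrusted-to-re;
                    log;
                    discard;
                }
            }
        }
        /* Transit path: BCP38-style drop of spoofed/bogon sources on the untrusted edge. */
        filter EDGE-ANTISPOOF {
            term drop-bogon-sources {
                from {
                    source-prefix-list {
                        BOGON-SOURCES;
                    }
                }
                then {
                    count bogon-ingress;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
    xe-1/0/0 {                 /* assumed untrusted transit interface */
        unit 0 {
            family inet {
                filter {
                    input EDGE-ANTISPOOF;
                }
            }
        }
    }
}
```

After committing, the counters `untrusted-to-re` and `bogon-ingress` can be read with `show firewall` to confirm the filters are matching, and the logged discards from PROTECT-RE give the source addresses to feed into the packet-capture correlation described under Detection Strategies.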
# Example: verify current Junos OS version and flowd status on SRX5000
# Running release, to compare against the fixed releases from JSA88134
show version | match Junos
# flowd process entry; a changed PID between runs indicates a restart
show system processes extensive | match flowd
# Confirms whether the device is non-clustered (the only affected deployment)
show chassis cluster status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.