Juniper Networks reports maximum severity authentication bypass vulnerability
Juniper Networks has released an urgent update to address a critical vulnerability which affects its Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products.
The vulnerability, tracked as CVE-2024-2973 (CVSS score 10), allows an authentication bypass via an alternate path or channel, potentially giving an attacker full control of the device.
The flaw impacts routers or conductors running in high-availability redundant configurations, which are often used in critical network infrastructure to ensure service continuity. An attacker exploiting this flaw can bypass authentication, gaining full control of the device.
- Session Smart Router & Conductor:
  - All versions before 5.6.15
  - From 6.0 before 6.1.9-lts
  - From 6.2 before 6.2.5-sts
- WAN Assurance Router:
  - 6.0 versions before 6.1.9-lts
  - 6.2 versions before 6.2.5-sts
No workarounds are available; the only mitigation is to upgrade to the fixed versions.
Juniper has released patched versions 5.6.15, 6.1.9-lts, and 6.2.5-sts. WAN Assurance Router is automatically patched when connected to the Mist Cloud. Administrators of high-availability clusters need to upgrade to SSR-6.1.9 or SSR-6.2.5.
Upgrading Conductor nodes will automatically apply the fix to connected routers, though it is recommended to also upgrade the routers to the latest versions.
Per Juniper's statements, the fix is designed to be minimally disruptive, causing approximately 30 seconds of downtime for web-based management and APIs.
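To turn the affected-version list above into a repeatable inventory check, the following added example (not Juniper's code or tooling) encodes the stated ranges and flags hosts whose reported version still falls inside one of them. The hostnames and versions in the sample inventory are constructed for illustration; the -lts/-sts suffix is treated as a release-train label that does not affect ordering.

```python
import re
from typing import Dict, List, Tuple

# Affected ranges as stated in the Juniper advisory for CVE-2024-2973.
# Each entry is (lower bound inclusive, fixed version exclusive), compared on the
# numeric major.minor.patch part only; the -lts/-sts suffix names the release train.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 6, 15)),   # all versions before 5.6.15
    ((6, 0, 0), (6, 1, 9)),    # from 6.0 before 6.1.9-lts
    ((6, 2, 0), (6, 2, 5)),    # from 6.2 before 6.2.5-sts
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'SSR-6.1.9-lts' or '5.6.14' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY: Dict[str, str] = {
    "ssr-edge-01": "5.6.14",
    "ssr-edge-02": "SSR-6.1.9-lts",
    "conductor-a": "6.2.3-sts",
    "conductor-b": "6.2.5-sts",
    "lab-router": "6.3.0",
}


def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose reported version is still affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2024-2973, upgrade required")
```

A version outside every listed range (for example a train the advisory does not mention) is reported as not affected, so confirm such cases against the vendor advisory rather than relying on this check alone.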