Juniper Networks has launched updates to repair a essential distant code execution (RCE) vulnerability in its SRX Collection firewalls and EX Collection switches.
The problem, tracked as CVE-2024-21591, is rated 9.8 on the CVSS scoring system.
“An out-of-bounds write vulnerability in J-Net of Juniper Networks Junos OS SRX Collection and EX Collection permits an unauthenticated, network-based attacker to trigger a Denial-of-Service (DoS) or Distant Code Execution (RCE) and acquire root privileges on the machine,” the corporate stated in an advisory.
The networking gear main, which is about to be acquired by Hewlett Packard Enterprise (HPE) for $14 billion, stated the problem is attributable to use of an insecure perform permitting a foul actor to overwrite arbitrary reminiscence.
The flaw impacts the next variations, and has been mounted in variations 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later –
- Junos OS variations sooner than 20.4R3-S9
- Junos OS 21.2 variations sooner than 21.2R3-S7
- Junos OS 21.3 variations sooner than 21.3R3-S5
- Junos OS 21.4 variations sooner than 21.4R3-S5
- Junos OS 22.1 variations sooner than 22.1R3-S4
- Junos OS 22.2 variations sooner than 22.2R3-S3
- Junos OS 22.3 variations sooner than 22.3R3-S2, and
- Junos OS 22.4 variations sooner than 22.4R2-S2, 22.4R3
As momentary workarounds till the fixes are deployed, the corporate recommends that customers disable J-Net or limit entry to solely trusted hosts.
Additionally resolved by Juniper Networks is a high-severity bug in Junos OS and Junos OS Advanced (CVE-2024-21611, CVSS rating: 7.5) that might be weaponized by an unauthenticated, network-based attacker to trigger a DoS situation.
Whereas there’s proof that the vulnerabilities are being exploited within the wild, a number of security shortcomings affecting the corporate’s SRX firewalls and EX switches had been abused by menace actors final 12 months.
