Juniper Releases Emergency Fix for Maximum-Severity Flaw

Vulnerability Can Allow Authentication Bypass; No Evidence of Exploitation Yet
This Juniper Session Smart Router needs a patch ASAP. (Image: Juniper Networks)

Juniper Networks released an out-of-band fix for a maximum-severity vulnerability that can allow hackers to bypass authentication in three Juniper products.

The networking equipment maker said it has found no evidence that hackers have exploited the flaw, which affects its Session Smart Router, Session Smart Conductor and WAN Assurance Router products.

The CVSS 10-rated bug, tracked as CVE-2024-2973, could allow an attacker to take full control of the compromised system.

Juniper advised that upgrading through the Session Smart Conductor platform automatically applies the security fix to the connected routers, after which it recommends that users confirm the patch was applied on each router individually. WAN Assurance Routers managed by the Juniper Mist cloud platform receive the patch automatically.

The company said there are no workarounds for the issue, which was discovered during internal product testing.

The vulnerability only affects routers and conductors running in high-availability redundant configurations - deployments where service continuity is critical. Because such configurations are used in network infrastructure in enterprises, data centers, critical infrastructure organizations and government services, exploitation could cause severe disruption.

Hackers have in the past exploited vulnerabilities days after Juniper published details about them. On the heels of Juniper's action, the U.S. Cybersecurity and Infrastructure Security Agency told federal agencies to patch within four days.

In its latest update, the vendor said applying the fix would not disrupt production traffic, but it could cause a 30-second downtime for web-based management and APIs.


About the Author

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.