
Juniper Networks Releases Updates for Router Vulnerability


Juniper Networks has taken immediate action to address CVE-2024-2973, a critical vulnerability affecting some of its routers. The flaw has a CVSS severity score of 10.0 and could allow attackers to bypass authentication and gain unauthorized control over the affected devices.

The vulnerability affects Juniper Networks’ Session Smart Router and Conductor products when they are deployed with redundant peers. A network-based attacker could exploit it to circumvent authentication and compromise the entire device. Juniper Networks has released security updates to patch the vulnerability.

According to a recent advisory issued by Juniper Networks, the vulnerability, labeled “An Authentication Bypass Using an Alternate Path or Channel,” can be exploited by a network-based attacker to bypass authentication and seize full control of the device. Affected products include Session Smart Router versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts, as well as Session Smart Conductor versions before 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts. WAN Assurance Router versions from 6.0 before 6.1.9-lts and from 6.2 before 6.2.5-sts are also impacted.

Juniper Networks has released updated software versions that resolve the vulnerability. Users are strongly advised to upgrade affected systems to the patched releases: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent versions. For deployments managed by a Conductor, upgrading the Conductor nodes will automatically apply the fix to connected routers.
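The affected ranges and fixed releases listed above can be turned into a quick inventory check. The following Python sketch is an added example, not code from Juniper or the advisory; the product keys, hostnames and inventory rows are constructed for illustration, and it assumes version strings are written the way the article writes them (for example `6.1.8-lts`).

```python
import re

# Affected ranges as stated in the article, as half-open (first affected, first fixed).
SSR_RANGES = [((0, 0, 0), (5, 6, 15)), ((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))]
AFFECTED = {
    # Product keys are labels chosen for this example.
    "session-smart-router": SSR_RANGES,
    "session-smart-conductor": SSR_RANGES,
    # WAN Assurance Router: the article lists only the two 6.x ranges.
    "wan-assurance-router": SSR_RANGES[1:],
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.1.9-lts' or 'SSR-6.2.5-sts'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    # A missing patch component ('6.0') is treated as 0; the -lts/-sts suffix is ignored.
    return tuple(int(g or 0) for g in m.groups())

def is_affected(product, version):
    """True when the version falls in a range the article lists for that product."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED[product])

def triage(inventory):
    """Return the inventory rows whose version is in an affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    ("edge-1", "session-smart-router", "5.6.14"),
    ("edge-2", "session-smart-router", "5.6.15"),
    ("edge-3", "session-smart-router", "6.1.8-lts"),
    ("cond-1", "session-smart-conductor", "6.2.5-sts"),
    ("wan-1", "wan-assurance-router", "5.6.10"),
    ("wan-2", "wan-assurance-router", "6.2.4-sts"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is in an affected range, upgrade")
```

The check is version-based only. The article limits the issue to deployments with redundant peers, so the result is an upper bound on exposed devices.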

Juniper Networks’ Security Incident Response Team (SIRT) has not identified any instances of malicious exploitation of CVE-2024-2973 in the wild. The vulnerability was discovered internally during routine security testing, prompting the company to address the issue swiftly. For Mist-managed WAN Assurance routers connected to the Mist Cloud, the patch has been applied automatically to prevent potential exploitation, with minimal disruption to normal network operations expected during implementation.

Juniper Networks has confirmed that no other products or platforms in its portfolio are affected by this specific vulnerability, which streamlines the update process for the identified router models. The incident underscores the importance of cybersecurity practices, and Juniper Networks’ proactive response, with immediate patching and clear mitigation guidance, serves as a model of industry best practice for handling router vulnerabilities. Users are strongly encouraged to update their systems promptly to the latest recommended versions.
