Juniper Releases Emergency Fix for Maximum-Severity Flaw – Source: www.databreachtoday.com

Governance & Risk Management
,
Network Firewalls, Network Access Control
,
Patch Management

Vulnerability Can Allow Authentication Bypass; No Evidence of Exploitation Yet

Rashmi Ramesh (rashmiramesh_) •
July 1, 2024    

Juniper Networks released an out-of-band fix for a maximum-severity vulnerability that can allow hackers to bypass authentication in three Juniper products.

See Also: Cosmos Full Show

The networking equipment maker said it did not find evidence that hackers have exploited the flaw in its Session Smart Router and Conductor and WAN Assurance Router products.

The CVSS 10-rated bug, tracked as CVE-2024-2973, could allow an attacker to take full control of the compromised system.

Juniper advised upgrading routers run by the Session Smart Conductor platform to automatically apply the security fix to the connected devices, after which it recommends that users check the patch application for each router individually. The patch will be applied to the WAN Assurance Routers automatically if they’re managed by cloud platform Juniper Mist.

The company said there are no workarounds for the issue, which was discovered during internal product testing.

The vulnerability only affects routers and conductors running in high-availability redundant configurations – solutions where service continuity is critical. This means that the vulnerable configuration, used in network infrastructure in enterprises, data centers, critical infrastructure organizations and government services, could cause severe disruption.

Hackers have in the past exploited vulnerabilities days after Juniper published details about them. On the heels of Juniper’s action, the U.S. Cybersecurity and Infrastructure Security Agency told federal agencies to patch within four days.

The vendor in the latest update said applying the fix would not disrupt the production traffic, but it could cause a 30-second downtime for web-based management and APIs.