Juniper Rushes Out Emergency Patch for Critical Smart Router Flaw

Although not yet exploited in the wild, the max-critical authentication bypass bug could allow adversaries to take over unpatched Juniper Session Smart Routers and Conductors, and WAN Assurance Routers, the company warns.

Dark Reading Staff, Dark Reading

July 1, 2024

Juniper Networks headquarters in California
Source: John Crowe via Alamy Stock Photo

Juniper Networks has released an emergency patch for a critical authentication bypass vulnerability that has been assigned the highest possible CVSS score of 10.

The vulnerability, tracked as CVE-2024-2973, affects the Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Router, and could allow a network-based attacker to bypass authentication and take full control of an unpatched device.

"Only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability," the emergency security advisory said.

The flaw was found during internal security testing, and Juniper Networks said there is no evidence that it has yet been exploited in the wild. The company recommended upgrading immediately to SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, or a subsequent release.

"In a Conductor-managed deployment, it is sufficient to upgrade the Conductor nodes only and the fix will be applied automatically to all connected routers," Juniper's advisory added. "As practical, the routers should still be upgraded to a fixed version however they will not be vulnerable once they connect to an upgraded Conductor."
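The three rules quoted above (only HA redundant configurations are affected; the fixed releases are SSR-5.6.15, SSR-6.1.9-lts and SSR-6.2.5-sts or later; a router inherits the fix from an upgraded Conductor) are enough to triage an inventory. The following Python script is an added example for this article, not Juniper's code or tooling. It assumes an inventory with the fields shown (name, role, version string, HA flag, managing Conductor), assumes that a 6.0.x node must move to 6.1.9-lts because no 6.0 fix is named on the page, and flags any release train the quoted text does not cover (such as a hypothetical 6.3) for manual checking against the advisory. The sample inventory is constructed.

```python
"""Triage a Session Smart Router / Conductor inventory against CVE-2024-2973."""
import re
from dataclasses import dataclass
from typing import Optional

Version = tuple[int, int, int]

# Fixed releases named in Juniper's advisory as quoted in the article, keyed by
# release train. ASSUMPTION (not stated on the page): a 6.0.x node has no fix on
# its own train and is mapped to 6.1.9-lts here.
FIXED_BY_TRAIN: dict[tuple[int, ...], Version] = {
    (5,): (5, 6, 15),    # SSR-5.6.15
    (6, 0): (6, 1, 9),   # assumed: move 6.0.x to SSR-6.1.9-lts
    (6, 1): (6, 1, 9),   # SSR-6.1.9-lts
    (6, 2): (6, 2, 5),   # SSR-6.2.5-sts
}


def parse_version(text: str) -> Version:
    """'SSR-6.1.7-lts', '6.2.5-sts' or '5.6.14' -> (major, minor, patch).

    The -lts/-sts suffix labels the release train and carries no ordering,
    so it is dropped; comparison is numeric on the three components.
    """
    m = re.fullmatch(r"(?:SSR-)?(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def fixed_release(ver: Version) -> Optional[Version]:
    """Lowest fixed release on this version's train, or None for a train the
    quoted advisory text does not cover (e.g. a hypothetical 6.3), which should
    be checked against the advisory by hand."""
    major, minor, _ = ver
    return FIXED_BY_TRAIN.get((major,)) or FIXED_BY_TRAIN.get((major, minor))


@dataclass
class Node:
    name: str
    role: str                        # "router" or "conductor"
    version: str
    ha_peer: bool                    # running in a high-availability redundant configuration
    conductor: Optional[str] = None  # name of the managing Conductor, if any


def own_status(node: Node) -> str:
    """'fixed', 'unfixed' or 'unknown_train' based on the node's own version only."""
    ver = parse_version(node.version)
    fix = fixed_release(ver)
    if fix is None:
        return "unknown_train"
    return "fixed" if ver >= fix else "unfixed"


def triage(nodes: list[Node]) -> dict[str, str]:
    """Classify every node using only the rules the advisory states:
      - 'fixed'              : on or above the fixed release for its train
      - 'fixed_via_conductor': unfixed router whose Conductor is fixed (fix is pushed)
      - 'not_exposed'        : unfixed but not in an HA redundant configuration
      - 'vulnerable'         : unfixed, HA, and no fixed Conductor to inherit from
      - 'unknown_train'      : release train not covered by the quoted advisory text
    """
    status = {n.name: own_status(n) for n in nodes}
    fixed_conductors = {n.name for n in nodes
                        if n.role == "conductor" and status[n.name] == "fixed"}
    verdicts: dict[str, str] = {}
    for n in nodes:
        s = status[n.name]
        if s != "unfixed":
            verdicts[n.name] = s
        elif n.role == "router" and n.conductor in fixed_conductors:
            verdicts[n.name] = "fixed_via_conductor"
        elif not n.ha_peer:
            verdicts[n.name] = "not_exposed"
        else:
            verdicts[n.name] = "vulnerable"
    return verdicts


# Constructed sample inventory (not real hosts); version strings follow the
# SSR-x.y.z[-lts|-sts] naming used in the article.
SAMPLE_INVENTORY = [
    Node("cond-1", "conductor", "SSR-6.1.9-lts", ha_peer=True),
    Node("cond-2", "conductor", "SSR-6.1.8-lts", ha_peer=True),
    Node("rtr-a", "router", "6.1.7-lts", ha_peer=True, conductor="cond-1"),
    Node("rtr-b", "router", "6.1.7-lts", ha_peer=True, conductor="cond-2"),
    Node("rtr-c", "router", "5.6.14", ha_peer=False),
    Node("rtr-d", "router", "SSR-6.2.10-sts", ha_peer=True),
    Node("rtr-e", "router", "6.0.3", ha_peer=True),
    Node("rtr-f", "router", "6.3.0", ha_peer=True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:8} {verdict}")
```

Two design points worth noting: a router behind a fixed Conductor is reported as fixed_via_conductor rather than fixed, because the advisory still asks for the router itself to be upgraded when practical; and a node that is not in an HA configuration is reported as not_exposed rather than fixed, so it stays on the upgrade list even though the advisory says it is not affected.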

Managed routers will be updated automatically, and the update will not affect data plane functions on the routers, Juniper assured its customers.

"The application of the fix is non-disruptive to production traffic," Juniper said. "There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs however this will resolve quickly."

