
Juniper has disclosed a critical vulnerability that affects the Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products, posing a significant threat to network security.
CVE-2024-2973, which carries a CVSS score of 10 and is classified as an Authentication Bypass Using an Alternate Path or Channel, stems from a design oversight in redundant router deployments. Attackers could exploit this weakness to circumvent authentication measures, granting them unfettered access to sensitive network configurations and potentially enabling further malicious activities.
The following Juniper Networks products are susceptible to CVE-2024-2973:
- Session Smart Router: All versions prior to 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts.
- Session Smart Conductor: All versions prior to 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts.
- WAN Assurance Router: 6.0 versions before 6.1.9-lts and 6.2 versions before 6.2.5-sts.
Juniper strongly advises its customers to apply the available patches immediately. Updated software releases have been issued to address this vulnerability, including SSR-5.6.15, SSR-6.1.9-lts, and SSR-6.2.5-sts. No workarounds are currently available, so promptly upgrading to the patched versions is crucial to mitigate the risk of exploitation.
For Conductor-managed deployments, upgrading the Conductor nodes will automatically apply the fix to connected routers. WAN Assurance routers linked to the Mist Cloud have already received automatic patching.
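The affected ranges listed above can be turned into an inventory check. The following is an added example, not a Juniper tool: the host names and inventory are constructed, and it assumes version strings begin with dotted numbers (for example `6.1.9-lts`), with any suffix ignored.

```python
import re

# Affected ranges as listed in the advisory text: (low_inclusive, fixed_exclusive).
# A low bound of None means "all versions prior to" the fixed release.
_SSR_RANGES = [(None, (5, 6, 15)), ((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))]
AFFECTED = {
    "Session Smart Router": _SSR_RANGES,
    "Session Smart Conductor": _SSR_RANGES,
    # The advisory lists no pre-6.0 range for this product.
    "WAN Assurance Router": [((6, 0, 0), (6, 1, 9)), ((6, 2, 0), (6, 2, 5))],
}

def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.1.9-lts' or '6.2'.

    Assumption: the string starts with dotted numbers; any suffix is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())

def is_affected(product, version):
    """True if the version falls inside a range the advisory lists for the product."""
    if product not in AFFECTED:
        raise ValueError(f"product not covered by the advisory: {product!r}")
    v = parse_version(version)
    return any((low is None or v >= low) and v < fixed
               for low, fixed in AFFECTED[product])

def triage(inventory):
    """Return the inventory rows that still need the upgrade."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("edge-a", "Session Smart Router", "5.6.14"),
    ("edge-b", "Session Smart Router", "6.1.9-lts"),
    ("cond-1", "Session Smart Conductor", "6.2.3-sts"),
    ("wan-1", "WAN Assurance Router", "6.1.8-lts"),
    ("wan-2", "WAN Assurance Router", "6.2.5-sts"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is in an affected range, upgrade required")
```

Versions outside every listed range, such as a WAN Assurance Router release earlier than 6.0, are reported as not affected only because the advisory text does not list them.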


