JUNIPER Identifies Critical Authentication Bypass Vulnerability in Enterprise Routers, CVSS Score Hits Maximum
JUNIPER, a manufacturer of enterprise network devices, disclosed a critical security flaw last weekend in a security bulletin. The vulnerability, identified as CVE-2024-2973, allows API authentication bypass and carries a CVSS rating of 10 out of 10.
This vulnerability enables attackers to bypass the authentication on Juniper Session Smart Routers, essentially allowing unauthorized access to the router and full control over it without requiring a username or password.
Given the severity of this flaw, Juniper has already released a security firmware update to address the issue. Enterprises utilizing Juniper enterprise routers are urged to upgrade to the latest firmware version immediately to ensure their networks are secure.
Affected Products and Firmware Versions:
- Session Smart Router: All versions prior to 5.6.15, versions 6.0 to 6.1.9-LTS, and versions 6.2 to 6.2.5-sts
- Session Smart Conductor: All versions prior to 5.6.15, versions 6.0 to 6.1.9-LTS, and versions 6.2 to 6.2.5-sts
- WAN Assurance Router: Series 6.0 versions prior to 6.1.9-LTS, and Series 6.2 versions prior to 6.2.5-sts
Solution:
- Session Smart Router firmware should be updated to versions SSR-5.6.15, SSR-6.1.9-LTS, SSR-6.2.5-STS, or later.
In deployments managed by Session Smart Conductor, only the Conductor nodes need to be upgraded; the fix is applied automatically to all connected routers. It is nevertheless still recommended to update the routers themselves to the latest firmware, even though the vulnerability cannot be exploited on a router once it is connected to an upgraded Conductor node.
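As an added example (not code from Juniper or the bulletin), the following Python check maps an inventory of SSR version strings onto the affected ranges listed above so a defender can see which nodes still need the fix. It assumes that "versions 6.0 to 6.1.9-LTS" means releases older than the 6.1.9-LTS fix (and likewise for 6.2.5-STS), and the product labels and sample inventory are constructed for illustration.

```python
import re

# Fixed releases from the Solution section; a version is affected when it is
# older than the fix for its release train. Assumption: the bulletin's
# "versions 6.0 to 6.1.9-LTS" means 6.0 <= v < 6.1.9 (the -LTS release itself
# is the fix), and likewise "6.2 to 6.2.5-sts" means 6.2 <= v < 6.2.5.
_VERSION_RE = re.compile(r"^(?:SSR-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:lts|sts))?$", re.I)

# Constructed product labels (hypothetical, not Juniper's own identifiers).
PRODUCTS = {"session-smart-router", "session-smart-conductor", "wan-assurance-router"}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'SSR-6.1.9-LTS' or '6.2' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SSR version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_affected(product: str, version: str) -> bool:
    """True if this product/version falls inside a range the bulletin lists as affected."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v < (6, 0, 0):
        # "All versions prior to 5.6.15"; WAN Assurance lists only 6.x series.
        return product != "wan-assurance-router" and v < (5, 6, 15)
    if v < (6, 2, 0):
        return v < (6, 1, 9)   # 6.0 .. 6.1.9-LTS train
    if v < (6, 3, 0):
        return v < (6, 2, 5)   # 6.2 .. 6.2.5-STS train
    return False               # later trains are not listed in the bulletin


def needs_upgrade(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hostnames (in inventory order) still running an affected release."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


if __name__ == "__main__":
    # Constructed sample inventory for illustration, not real devices.
    sample = [
        ("edge-1", "session-smart-router", "5.6.14"),
        ("edge-2", "session-smart-router", "SSR-6.1.9-LTS"),
        ("cond-1", "session-smart-conductor", "6.2.4"),
        ("wan-1", "wan-assurance-router", "6.2.5-sts"),
    ]
    print("Needs upgrade:", needs_upgrade(sample))  # prints ['edge-1', 'cond-1']
```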
Security Bulletin Address: 2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router (SSR)