CVE-2024-2973 (CVSS 10): Juniper Session Smart Router Authentication Bypass Vulnerability
In a recent cybersecurity advisory, Juniper Networks disclosed a critical vulnerability identified as CVE-2024-2973, which has earned a severity rating of 10 on the CVSS scale. This vulnerability affects the Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products, posing a significant threat to network security.
The CVE-2024-2973 vulnerability, classified as an Authentication Bypass Using an Alternate Path or Channel, stems from a design oversight in redundant router deployments. Attackers could exploit this weakness to circumvent authentication measures, granting them unfettered access to sensitive network configurations and potentially enabling further malicious activities.
The following Juniper Networks products are susceptible to CVE-2024-2973:
- Session Smart Router: All versions prior to 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts.
- Session Smart Conductor: All versions prior to 5.6.15, from 6.0 before 6.1.9-lts, and from 6.2 before 6.2.5-sts.
- WAN Assurance Router: 6.0 versions before 6.1.9-lts and 6.2 versions before 6.2.5-sts.
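As an added example that is not part of this article or of Juniper's advisory, the Python check below maps an installed version string onto the affected ranges listed above so an inventory can be triaged; the product labels and the sample inventory are constructed assumptions.

```python
import re
from typing import List, Tuple

# Fixed releases named in the advisory. The -lts/-sts suffixes are release-train
# labels with no ordering meaning, so versions are compared numerically.
FIXED_5X = (5, 6, 15)   # SSR-5.6.15
FIXED_61 = (6, 1, 9)    # SSR-6.1.9-lts
FIXED_62 = (6, 2, 5)    # SSR-6.2.5-sts

# Product labels are assumptions for this example, not Juniper identifiers.
WITH_5X_ENTRY = {"ssr", "conductor"}               # advisory: "prior to 5.6.15"
KNOWN_PRODUCTS = WITH_5X_ENTRY | {"wan-assurance"}  # only 6.x trains listed

def parse_version(raw: str) -> Tuple[int, int, int]:
    """Turn '6.1.9-lts', 'SSR-6.2.5-sts' or '6.2' into a comparable tuple."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unparseable version string: {raw!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)

def listed_as_affected(product: str, raw_version: str) -> bool:
    """True when the version falls in a range the advisory lists for the product."""
    product = product.lower()
    if product not in KNOWN_PRODUCTS:
        raise ValueError(f"unknown product label: {product!r}")
    v = parse_version(raw_version)
    if v < FIXED_5X:
        # "All versions prior to 5.6.15" is listed for SSR and Conductor only;
        # the WAN Assurance entry does not mention the 5.x train.
        return product in WITH_5X_ENTRY
    if (6, 0, 0) <= v < FIXED_61:   # from 6.0 before 6.1.9-lts
        return True
    if (6, 2, 0) <= v < FIXED_62:   # from 6.2 before 6.2.5-sts
        return True
    return False

def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the upgrade."""
    return [row for row in inventory if listed_as_affected(row[1], row[2])]

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("edge-01", "ssr", "5.6.14"),
    ("edge-02", "ssr", "SSR-6.1.9-lts"),
    ("cond-01", "conductor", "6.2.4-sts"),
    ("wan-01", "wan-assurance", "6.0.3"),
    ("wan-02", "wan-assurance", "6.2.5-sts"),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns the three rows still inside an affected range (edge-01, cond-01 and wan-01); a version that is not listed for its product is reported as not listed, not as confirmed safe.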
Juniper Networks strongly advises all users to apply the available patches immediately. Updated software releases have been issued to address this vulnerability, including SSR-5.6.15, SSR-6.1.9-lts, and SSR-6.2.5-sts.
For Conductor-managed deployments, upgrading the Conductor nodes will automatically apply the fix to connected routers. WAN Assurance routers linked to the Mist Cloud have already received automatic patching.
While no workarounds are currently available, promptly upgrading to the patched versions is crucial to mitigate the risk of exploitation. The patching process is designed to be non-disruptive, with minimal impact on production traffic and only a brief downtime for web-based management and APIs.