Juniper Networks has released an out-of-band security update to address a critical security flaw in some routers that could lead to an authentication bypass.
The vulnerability, tracked as CVE-2024-2973, has a CVSS score of 10.0, indicating the maximum severity.
“Juniper Networks Session Smart Routers or Conductors operating with redundant peers contain an authentication bypass vulnerability using alternate paths or channels that could allow a network-based attacker to bypass authentication and take complete control of the device,” the company said in an advisory issued last week.
According to Juniper Networks, the flaw only affects routers or conductors running in a high-availability redundant configuration. A list of affected devices is below:
- Session Smart Router (before version 5.6.15, before version 6.0, before version 6.1.9-lts, before version 6.2, before version 6.2.5-sts)
- Session Smart Conductor (before version 5.6.15, before version 6.0, before version 6.1.9-lts, before version 6.2, before version 6.2.5-sts)
- WAN Assurance Routers (6.0 versions prior to 6.1.9-lts and 6.2 versions prior to 6.2.5-sts)
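As an added example (not code from Juniper or the advisory), the version ranges above can be encoded as a small triage check against a device inventory. It assumes the fixed releases are 5.6.15, 6.1.9-lts and 6.2.5-sts as the boundaries of the three affected trains, treats the "-lts"/"-sts" suffixes as train labels with no ordering effect, applies the advisory's condition that only redundant (HA) deployments are exposed, and uses constructed device names and versions.

```python
from __future__ import annotations

# Affected ranges for CVE-2024-2973 as read from the advisory's version list:
# each entry is (lowest affected version inclusive, fixed version exclusive).
# The "-lts" / "-sts" suffixes are release-train labels and are ignored
# for ordering. These boundaries are this example's reading of the list.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 6, 15)),   # everything before 5.6.15
    ((6, 0, 0), (6, 1, 9)),    # 6.0/6.1 train before 6.1.9-lts
    ((6, 2, 0), (6, 2, 5)),    # 6.2 train before 6.2.5-sts
]

# Constructed sample inventory: device -> (running version, redundant peer?)
SAMPLE_INVENTORY = {
    "ssr-edge-01": ("5.6.12", True),       # old release, HA pair
    "ssr-edge-02": ("6.1.8-lts", False),   # old release, but standalone
    "conductor-a": ("6.2.5-sts", True),    # fixed release
    "ssr-edge-03": ("6.2.4-sts", True),    # one release short of the fix
}

def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '6.1.9-lts' or '6.2' into a comparable (major, minor, patch) tuple."""
    core = text.strip().split("-", 1)[0]          # drop '-lts' / '-sts'
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def is_affected(version: str, redundant_peer: bool = True) -> bool:
    """True when the release is in an affected range and the device runs with a redundant peer."""
    if not redundant_peer:          # advisory: only HA/redundant deployments are affected
        return False
    v = parse_version(version)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)

def triage(inventory: dict[str, tuple[str, bool]]) -> dict[str, list[str]]:
    """Split an inventory into devices that need the update and those that do not."""
    result: dict[str, list[str]] = {"affected": [], "not_affected": []}
    for device, (version, redundant) in inventory.items():
        bucket = "affected" if is_affected(version, redundant) else "not_affected"
        result[bucket].append(device)
    return result

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```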
The networking equipment maker, which was acquired by Hewlett Packard Enterprise earlier this year for roughly $14 billion, said it had found no evidence that the vulnerability had been exploited in the wild.
The company also said it discovered the vulnerability during internal product testing and that no workaround is available to address the issue.
“This vulnerability has been automatically fixed for affected devices that are Mist-managed WAN Assurance routers connected to the Mist Cloud,” the company further noted. “Please note that the fix is automatically applied to Conductor-managed or WAN Assurance routers and does not impact the dataplane functionality of the router.”
In January 2024, the company also released a fix for a critical vulnerability in the product (CVE-2024-21591, CVSS score: 9.8), which could allow an attacker to cause a denial of service (DoS) or achieve remote code execution and gain root privileges on the device.
Multiple security flaws affecting the company’s SRX firewalls and EX switches were weaponized by threat actors last year, making it essential that users apply patches to protect against potential threats.