Juniper Rushes Out Emergency Patch for Critical Smart Router Flaw

Juniper Networks has released an emergency patch for a critical authentication bypass vulnerability that has been assigned the highest possible CVSS score of 10.

The vulnerability, tracked under CVE-2024-2973, affects the Juniper Networks Session Smart Router, Session Smart Conductor, and WAN Assurance Router, and could allow a threat actor to take full control of an unpatched device.

"Only Routers or Conductors that are running in high-availability redundant configurations are affected by this vulnerability," the emergency security advisory said.

The router flaw was found during internal security testing, and Juniper Networks added there is no evidence the bug has yet been exploited in the wild. The company recommended immediate updates to Session Smart Routers SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases. 

"In a Conductor-managed deployment, it is sufficient to upgrade the Conductor nodes only and the fix will be applied automatically to all connected routers," Juniper's advisory added. "As practical, the routers should still be upgraded to a fixed version however they will not be vulnerable once they connect to an upgraded Conductor."

Managed routers will be automatically updated, which won't impact any data plane router functions, Juniper assured its customers.

"The application of the fix is non-disruptive to production traffic," Juniper said. "There may be a momentary downtime (less than 30 seconds) to the web-based management and APIs however this will resolve quickly."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two ransomware negotiators about how they interact with cybercriminals; including how they brokered a deal to restore operations in a hospital NICU where lives were at stake; and how they helped a church, where the attackers themselves "got a little religion." Listen now!