CVE-2024-39536

A Missing Release of Memory after Effective Lifetime vulnerability in the Periodic Packet Management Daemon (ppmd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a Denial-of-Service (DoS). When a BFD session configured with authentication flaps, ppmd memory can leak. Whether the leak happens depends on a race condition which is outside the attackers control. This issue only affects BFD operating in distributed aka delegated (which is the default behavior) or inline mode. Whether the leak occurs can be monitored with the following CLI command: > show ppm request-queue FPC Pending-request fpc0 2 request-total-pending: 2 where a continuously increasing number of pending requests is indicative of the leak. This issue affects: Junos OS: * All versions before 21.2R3-S8, * 21.4 versions before 21.4R3-S7, * 22.1 versions before 22.1R3-S4, * 22.2 versions before 22.2R3-S4, * 22.3 versions before 22.3R3, * 22.4 versions before 22.4R2-S2, 22.4R3. Junos OS Evolved: * All versions before 21.2R3-S8-EVO, * 21.4-EVO versions before 21.4R3-S7-EVO, * 22.2-EVO versions before 22.2R3-S4-EVO, * 22.3-EVO versions before 22.3R3-EVO, * 22.4-EVO versions before 22.4R3-EVO.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.6 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://supportportal.juniper.net/JSA82996

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-11 17:15

Updated : 2024-07-12 15:15

NVD link : CVE-2024-39536

Mitre link : CVE-2024-39536

CVE.ORG link : CVE-2024-39536

JSON object : View

Products Affected

No product.

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

{"id": "CVE-2024-39536", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "sirt@juniper.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.6}], "cvssMetricV40": [{"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 6.0, "automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-11T17:15:11.190", "references": [{"url": "https://supportportal.juniper.net/JSA82996", "source": "sirt@juniper.net"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "sirt@juniper.net", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "A Missing Release of Memory after Effective Lifetime vulnerability in the Periodic Packet Management Daemon (ppmd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker to cause a \n\nDenial-of-Service (DoS).\n\n\nWhen a\u00a0BFD session configured with authentication flaps,\u00a0ppmd memory can leak. Whether the leak happens depends on a\u00a0race condition which is outside the attackers control. This issue only affects BFD operating in distributed aka delegated (which is the default behavior) or inline mode.\n\n\n\nWhether the leak occurs can be monitored with the following CLI command:\n\n> show ppm request-queue\n\n\nFPC \u00a0 \u00a0 Pending-request\nfpc0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a02\nrequest-total-pending: 2\n\n\nwhere a continuously increasing number of pending requests is indicative of the leak.\u00a0\n\n\n\n\n\n\n\n\nThis issue affects:\n\nJunos OS:\n\n\n * All versions before 21.2R3-S8,\n * 21.4 versions before 21.4R3-S7,\n * 22.1 versions before 22.1R3-S4,\n * 22.2 versions before 22.2R3-S4, \n * 22.3 versions before 22.3R3,\n * 22.4 versions before 22.4R2-S2, 22.4R3.\n\n\n\nJunos OS Evolved:\n * All versions before 21.2R3-S8-EVO,\n * 21.4-EVO versions before 21.4R3-S7-EVO,\n * 22.2-EVO versions before 22.2R3-S4-EVO,\n * 22.3-EVO versions before 22.3R3-EVO,\n * 22.4-EVO versions before 22.4R3-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de liberaci\u00f3n de memoria faltante despu\u00e9s de la vida \u00fatil efectiva en Periodic Packet Management Daemon (ppmd) de Juniper Networks Junos OS y Junos OS Evolved permite que un atacante adyacente no autenticado provoque una denegaci\u00f3n de servicio (DoS). Cuando una sesi\u00f3n BFD se configura con solapas de autenticaci\u00f3n, la memoria ppmd puede perderse. Que se produzca la fuga depende de una condici\u00f3n de ejecuci\u00f3n que est\u00e1 fuera del control de los atacantes. Este problema solo afecta a BFD que opera en modo distribuido, tambi\u00e9n conocido como delegado (que es el comportamiento predeterminado) o en l\u00ednea. Si se produce la fuga se puede monitorear con el siguiente comando CLI: > show ppm request-queue FPC Pending-request fpc0 2 request-total-pending: 2 donde un n\u00famero continuamente creciente de solicitudes pendientes es indicativo de la fuga. Este problema afecta a: Junos OS: * Todas las versiones anteriores a 21.2R3-S8, * Versiones 21.4 anteriores a 21.4R3-S7, * Versiones 22.1 anteriores a 22.1R3-S4, * Versiones 22.2 anteriores a 22.2R3-S4, * Versiones 22.3 anteriores a 22.3R3, * Versiones 22.4 anteriores a 22.4R2-S2, 22.4R3, * Versiones 23.1 anteriores a 23.1R2. Junos OS Evolved: * Todas las versiones anteriores a 21.2R3-S8-EVO, * Versiones 21.4-EVO anteriores a 21.4R3-S7-EVO, * Versiones 22.2-EVO anteriores a 22.2R3-S4-EVO, * Versiones 22.3-EVO anteriores a 22.3R3- EVO, *versiones 22.4-EVO anteriores a 22.4R3-EVO, *versiones 23.2-EVO anteriores a 23.2R1-EVO."}], "lastModified": "2024-07-12T15:15:11.040", "sourceIdentifier": "sirt@juniper.net"}