CVE-2024-39553

An Exposure of Resource to Wrong Sphere vulnerability in the sampling service of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to send arbitrary data to the device, which leads msvcsd process to crash with limited availability impacting Denial of Service (DoS) and allows unauthorized network access to the device, potentially impacting system integrity. This issue only happens when inline jflow is configured. This does not impact any forwarding traffic. The impacted services MSVCS-DB app crashes momentarily and recovers by itself. This issue affects Juniper Networks Junos OS Evolved: * 21.4 versions earlier than 21.4R3-S7-EVO; * 22.2 versions earlier than 22.2R3-S3-EVO; * 22.3 versions earlier than 22.3R3-S2-EVO; * 22.4 versions earlier than 22.4R3-EVO; * 23.2 versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://supportportal.juniper.net/JSA79101

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-11 17:15

Updated : 2024-07-11 18:09

NVD link : CVE-2024-39553

Mitre link : CVE-2024-39553

CVE.ORG link : CVE-2024-39553

JSON object : View

Products Affected

No product.

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2024-39553", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "sirt@juniper.net", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "sirt@juniper.net", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "AUTOMATIC", "baseScore": 6.9, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:A/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "LOW", "vulnerableSystemAvailability": "LOW", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-07-11T17:15:16.620", "references": [{"url": "https://supportportal.juniper.net/JSA79101", "source": "sirt@juniper.net"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "sirt@juniper.net", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "An Exposure of Resource to Wrong Sphere vulnerability in the sampling service\u00a0of Juniper Networks Junos OS Evolved allows an unauthenticated network-based attacker to send arbitrary data to the device, which leads msvcsd process to crash with limited availability impacting Denial of Service (DoS) and allows unauthorized network access to the device, potentially impacting system integrity.\n\nThis issue only happens when inline jflow is configured.\n\nThis does not impact any forwarding traffic. The impacted services MSVCS-DB app crashes momentarily and recovers by itself.\u00a0\n\nThis issue affects Juniper Networks Junos OS Evolved:\u00a0\n * 21.4 versions earlier than 21.4R3-S7-EVO;\u00a0\n * 22.2 versions earlier than\u00a022.2R3-S3-EVO;\n * 22.3 versions earlier than 22.3R3-S2-EVO;\n * 22.4 versions earlier than 22.4R3-EVO;\n * 23.2 versions earlier than 23.2R1-S2-EVO, 23.2R2-EVO."}, {"lang": "es", "value": "Una vulnerabilidad de exposici\u00f3n de recursos a una esfera incorrecta en el servicio de muestreo de Juniper Networks Junos OS Evolved permite que un atacante basado en red no autenticado env\u00ede datos arbitrarios al dispositivo, lo que provoca que el proceso msvcsd falle con disponibilidad limitada, lo que afecta la denegaci\u00f3n de servicio (DoS) y permite el acceso no autorizado a la red al dispositivo, lo que podr\u00eda afectar la integridad del sistema. Este problema solo ocurre cuando se configura jflow en l\u00ednea. Esto no afecta el tr\u00e1fico de reenv\u00edo. La aplicaci\u00f3n MSVCS-DB de servicios afectados falla moment\u00e1neamente y se recupera por s\u00ed sola. Este problema afecta a Juniper Networks Junos OS Evolved: * Versiones 21.4 anteriores a 21.4R3-S7-EVO; * Versiones 22.2 anteriores a 22.2R3-S3-EVO; * Versiones 22.3 anteriores a 22.3R3-S2-EVO; * Versiones 22.4 anteriores a 22.4R3-EVO; * Versiones 23.2 anteriores a 23.2R1-S2-EVO, 23.2R2-EVO."}], "lastModified": "2024-07-11T18:09:58.777", "sourceIdentifier": "sirt@juniper.net"}