Vulnerability Change Records for CVE-2024-21609

Change History

CVE Modified by Juniper Networks, Inc. 5/16/2024 4:15:09 PM

Action: Changed
Type: Description
Old Value:
A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS).

If specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a specific message sequence. This will eventually result in an iked process crash and restart.

The iked process memory consumption can be checked using the below command:
  user@host> show system processes extensive | grep iked
           PID   USERNAME     PRI  NICE    SIZE    RES    STATE    C   TIME  WCPU COMMAND
           56903 root         31    0      4016M  2543M   CPU0     0   2:10  10.50% iked

This issue affects Juniper Networks Junos OS:
  *  All versions earlier than 20.4R3-S9;
  *  21.2 versions earlier than 21.2R3-S7;
  *  21.3 versions earlier than 21.3R3-S5;
  *  21.4 versions earlier than 21.4R3-S4;
  *  22.1 versions earlier than 22.1R3-S3;
  *  22.2 versions earlier than 22.2R3-S2;
  *  22.3 versions earlier than 22.3R3;
  *  22.4 versions earlier than 22.4R3;
  *  23.2 versions earlier than 23.2R1-S2, 23.2R2.

New Value:
A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS).

If specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a specific message sequence. This will eventually result in an iked process crash and restart.

The iked process memory consumption can be checked using the below command:
  user@host> show system processes extensive | grep iked
           PID   USERNAME     PRI  NICE    SIZE    RES    STATE    C   TIME  WCPU COMMAND
           56903 root         31    0      4016M  2543M   CPU0     0   2:10  10.50% iked

This issue affects Juniper Networks Junos OS:
  *  All versions earlier than 20.4R3-S9;
  *  21.2 versions earlier than 21.2R3-S7;
  *  21.3 versions earlier than 21.3R3-S5;
  *  21.4 versions earlier than 21.4R3-S4;
  *  22.1 versions earlier than 22.1R3-S3;
  *  22.2 versions earlier than 22.2R3-S2;
  *  22.3 versions earlier than 22.3R3;
  *  22.4 versions earlier than 22.4R3;
  *  23.2 versions earlier than 23.2R1-S2, 23.2R2.

Action: Added
Type: CVSS V4.0
New Value: Juniper Networks, Inc. CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Action: Added
Type: Reference
New Value: Juniper Networks, Inc. https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L [No types assigned]

Action: Removed
Type: Reference
Old Value: Juniper Networks, Inc. https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N