CVE-2024-21609: Missing Release of Memory after Effective Lifetime in Juniper Networks Junos OS

Severity: 7.1 HIGH (NVD)
EPSS: 0.1% (top 80.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 12, 2024

Description

A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and SRX Series allows an administratively adjacent attacker which is able to successfully establish IPsec tunnels to cause a Denial of Service (DoS). If specific values for the IPsec parameters local-ip, remote-ip, remote ike-id, and traffic selectors are sent from the peer, a memory leak occurs during every IPsec SA rekey which is carried out with a s

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L

Affected Packages (2 packages)

CVEList V5: juniper_networks/junos_os, 21.2 / 21.2R3-S7, +8 more
NVD: juniper/junos < 20.4, +9 more

Vulnerability Details (2)

GHSA
GHSA-rh3c-7xc7-jjwj: A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and S (2024-04-12)
CVEList
Junos OS: MX Series with SPC3, and SRX Series: If specific IPsec parameters are negotiated iked will crash due to a memory leak (2024-04-12)

Vendor Advisories (1)

Juniper
CVE-2024-21609: A Missing Release of Memory after Effective Lifetime vulnerability in the IKE daemon (iked) of Juniper Networks Junos OS on MX Series with SPC3, and S (2024-04-12)

CVE-2024-21609: Juniper Networks Junos OS vulnerability | cvebase