gsd-2024-30378
Vulnerability from gsd
Modified
2024-04-03 05:02
Details
A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition.  The process crashes and restarts automatically. When specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash.  This process manages and controls the configuration of broadband subscriber sessions and services.  While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition. This issue only occurs if Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled. This issue affects Junos OS: * All versions before 20.4R3-S5, * from 21.1 before 21.1R3-S4, * from 21.2 before 21.2R3-S3, * from 21.3 before 21.3R3-S5, * from 21.4 before 21.4R3-S5, * from 22.1 before 22.1R3, * from 22.2 before 22.2R3, * from 22.3 before 22.3R2;
Aliases


To clipboard 

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-30378"
      ],
      "details": "A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition.\u00a0 The process crashes and restarts automatically.\n\nWhen specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash.\u00a0 This process manages and controls the configuration of broadband subscriber sessions and services.\u00a0 While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition.\n\nThis issue only occurs if\u00a0Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled.\nThis issue affects Junos OS:\n\n\n  *  All versions before 20.4R3-S5, \n  *  from 21.1 before 21.1R3-S4, \n  *  from 21.2 before 21.2R3-S3, \n  *  from 21.3 before 21.3R3-S5, \n  *  from 21.4 before 21.4R3-S5, \n  *  from 22.1 before 22.1R3, \n  *  from 22.2 before 22.2R3, \n  *  from 22.3 before 22.3R2;\n\n\n\n\n\n\n\n\n\n",
      "id": "GSD-2024-30378",
      "modified": "2024-04-03T05:02:29.111921Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "sirt@juniper.net",
        "ID": "CVE-2024-30378",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Junos OS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "20.4R3-S5"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.1",
                          "version_value": "21.1R3-S4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.2",
                          "version_value": "21.2R3-S3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.3",
                          "version_value": "21.3R3-S5"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.4",
                          "version_value": "21.4R3-S5"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.1",
                          "version_value": "22.1R3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.2",
                          "version_value": "22.2R3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.3",
                          "version_value": "22.3R2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Juniper Networks"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Subscriber Services (Broadband Edge) and GRES must be enabled to be vulnerable to this issue:\u003cbr\u003e \u003cbr\u003e \u003ctt\u003e[edit system services]\u003cbr\u003esubscriber-management enable; \u003cbr\u003e\u003cbr\u003e [edit chassis redundancy]\u003cbr\u003egraceful-switchover;\u003c/tt\u003e"
            }
          ],
          "value": "Subscriber Services (Broadband Edge) and GRES must be enabled to be vulnerable to this issue:\n \n [edit system services]\nsubscriber-management enable; \n\n [edit chassis redundancy]\ngraceful-switchover;"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition.\u00a0 The process crashes and restarts automatically.\n\nWhen specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash.\u00a0 This process manages and controls the configuration of broadband subscriber sessions and services.\u00a0 While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition.\n\nThis issue only occurs if\u00a0Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled.\nThis issue affects Junos OS:\n\n\n  *  All versions before 20.4R3-S5, \n  *  from 21.1 before 21.1R3-S4, \n  *  from 21.2 before 21.2R3-S3, \n  *  from 21.3 before 21.3R3-S5, \n  *  from 21.4 before 21.4R3-S5, \n  *  from 22.1 before 22.1R3, \n  *  from 22.2 before 22.2R3, \n  *  from 22.3 before 22.3R2;\n\n\n\n\n\n\n\n\n\n"
          }
        ]
      },
      "exploit": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
            }
          ],
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-416",
                "lang": "eng",
                "value": "CWE-416 Use After Free"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (DoS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://supportportal.juniper.net/JSA79109",
            "refsource": "MISC",
            "url": "https://supportportal.juniper.net/JSA79109"
          },
          {
            "name": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L",
            "refsource": "MISC",
            "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The following software releases have been updated to resolve this specific issue: Junos OS: 20.4R3-S5, 21.1R3-S4, 21.2R3-S3, 21.3R3-S5, 21.4R3-S5, 22.1R3, 22.2R3, 22.3R2, 22.4R1, and all subsequent releases.\u003cbr\u003e"
            }
          ],
          "value": "The following software releases have been updated to resolve this specific issue: Junos OS: 20.4R3-S5, 21.1R3-S4, 21.2R3-S3, 21.3R3-S5, 21.4R3-S5, 22.1R3, 22.2R3, 22.3R2, 22.4R1, and all subsequent releases.\n"
        }
      ],
      "source": {
        "advisory": "JSA79109",
        "defect": [
          "1688750"
        ],
        "discovery": "INTERNAL"
      },
      "work_around": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUse access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators.\u003c/p\u003e"
            }
          ],
          "value": "Use access lists or firewall filters to limit access to the CLI only from trusted hosts and administrators."
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "A Use After Free vulnerability in command processing of Juniper Networks Junos OS on MX Series allows a local, authenticated attacker to cause the broadband edge service manager daemon (bbe-smgd) to crash upon execution of specific CLI commands, creating a Denial of Service (DoS) condition.\u00a0 The process crashes and restarts automatically.\n\nWhen specific CLI commands are executed, the bbe-smgd daemon attempts to write into an area of memory (mgd socket) that was already closed, causing the process to crash.\u00a0 This process manages and controls the configuration of broadband subscriber sessions and services.\u00a0 While the process is unavailable, additional subscribers will not be able to connect to the device, causing a temporary Denial of Service condition.\n\nThis issue only occurs if\u00a0Graceful Routing Engine Switchover (GRES) and Subscriber Management are enabled.\nThis issue affects Junos OS:\n\n\n  *  All versions before 20.4R3-S5, \n  *  from 21.1 before 21.1R3-S4, \n  *  from 21.2 before 21.2R3-S3, \n  *  from 21.3 before 21.3R3-S5, \n  *  from 21.4 before 21.4R3-S5, \n  *  from 22.1 before 22.1R3, \n  *  from 22.2 before 22.2R3, \n  *  from 22.3 before 22.3R2;\n\n\n\n\n\n\n\n\n\n"
          },
          {
            "lang": "es",
            "value": "Una vulnerabilidad Use After Free en el procesamiento de comandos de Juniper Networks Junos OS en la serie MX permite que un atacante local autenticado provoque que el demonio del administrador de servicios de banda ancha (bbe-smgd) se bloquee al ejecutar comandos CLI espec\u00edficos, creando una condici\u00f3n de denegaci\u00f3n de servicio ( DoS). El proceso falla y se reinicia autom\u00e1ticamente. Cuando se ejecutan comandos CLI espec\u00edficos, el demonio bbe-smgd intenta escribir en un \u00e1rea de la memoria (socket mgd) que ya estaba cerrada, lo que provoca que el proceso falle. Este proceso gestiona y controla la configuraci\u00f3n de las sesiones y servicios de los suscriptores de banda ancha. Mientras el proceso no est\u00e9 disponible, los suscriptores adicionales no podr\u00e1n conectarse al dispositivo, lo que provocar\u00e1 una condici\u00f3n temporal de denegaci\u00f3n de servicio. Este problema solo ocurre si est\u00e1n habilitados Graceful Routing Engine Switchover (GRES) y Subscriber Management. Este problema afecta a Junos OS: * Todas las versiones anteriores a 20.4R3-S5, * desde 21.1 anterior a 21.1R3-S4, * desde 21.2 anterior a 21.2R3-S3, * desde 21.3 anterior a 21.3R3-S5, * desde 21.4 anterior a 21.4R3-S5 , * desde 22.1 antes de 22.1R3, * desde 22.2 antes de 22.2R3, * desde 22.3 antes de 22.3R2;"
          }
        ],
        "id": "CVE-2024-30378",
        "lastModified": "2024-04-17T12:48:31.863",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 3.6,
              "source": "sirt@juniper.net",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-04-16T20:15:09.680",
        "references": [
          {
            "source": "sirt@juniper.net",
            "url": "https://supportportal.juniper.net/JSA79109"
          },
          {
            "source": "sirt@juniper.net",
            "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L"
          }
        ],
        "sourceIdentifier": "sirt@juniper.net",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-416"
              }
            ],
            "source": "sirt@juniper.net",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.