gsd-2024-30397
Vulnerability from gsd
Modified
2024-04-03 05:02
Details
An Improper Check for Unusual or Exceptional Conditions vulnerability in the the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS). The pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail. This CPU utilization of pkid can be checked using this command:   root@srx> show system processes extensive | match pkid   xxxxx  root  103  0  846M  136M  CPU1  1 569:00 100.00% pkid This issue affects: Juniper Networks Junos OS All versions prior to 20.4R3-S10; 21.2 versions prior to 21.2R3-S7; 21.4 versions prior to 21.4R3-S5; 22.1 versions prior to 22.1R3-S4; 22.2 versions prior to 22.2R3-S3; 22.3 versions prior to 22.3R3-S1; 22.4 versions prior to 22.4R3; 23.2 versions prior to 23.2R1-S2, 23.2R2.
Aliases



{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-30397"
      ],
      "details": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the the\u00a0Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).\n\nThe pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.\n\nThis CPU utilization of pkid can be checked using this command: \n\u00a0 root@srx\u003e show system processes extensive | match pkid\n\u00a0 xxxxx \u2003root \u2003103\u2003 0 \u2003846M \u2003136M \u2003CPU1 \u20031\u00a0569:00 100.00% pkid\n\nThis issue affects:\nJuniper Networks Junos OS\nAll\u00a0versions prior to 20.4R3-S10;\n21.2 versions prior to 21.2R3-S7;\n21.4 versions prior to 21.4R3-S5;\n22.1 versions prior to 22.1R3-S4;\n22.2 versions prior to\u00a022.2R3-S3;\n22.3 versions prior to\u00a022.3R3-S1;\n22.4 versions prior to\u00a022.4R3;\n23.2 versions prior to\u00a023.2R1-S2, 23.2R2.\n\n",
      "id": "GSD-2024-30397",
      "modified": "2024-04-03T05:02:29.311775Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "sirt@juniper.net",
        "ID": "CVE-2024-30397",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Junos OS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "20.4R3-S10"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.2",
                          "version_value": "21.2R3-S7"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "21.4",
                          "version_value": "21.4R3-S5"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.1",
                          "version_value": "22.1R3-S4"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.2",
                          "version_value": "22.2R3-S3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.3",
                          "version_value": "22.3R3-S1"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "22.4",
                          "version_value": "22.4R3"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "23.2",
                          "version_value": "23.2R1-S2, 23.2R2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Juniper Networks"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "To be affected by this issue, the following configuration is required on the device:\u003cbr\u003e\u0026nbsp; [ security ike proposal \u0026lt;name\u0026gt;authentication-method rsa-signatures ]\u003cbr\u003e"
            }
          ],
          "value": "To be affected by this issue, the following configuration is required on the device:\n\u00a0 [ security ike proposal \u003cname\u003eauthentication-method rsa-signatures ]\n"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the the\u00a0Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).\n\nThe pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.\n\nThis CPU utilization of pkid can be checked using this command: \n\u00a0 root@srx\u003e show system processes extensive | match pkid\n\u00a0 xxxxx \u2003root \u2003103\u2003 0 \u2003846M \u2003136M \u2003CPU1 \u20031\u00a0569:00 100.00% pkid\n\nThis issue affects:\nJuniper Networks Junos OS\nAll\u00a0versions prior to 20.4R3-S10;\n21.2 versions prior to 21.2R3-S7;\n21.4 versions prior to 21.4R3-S5;\n22.1 versions prior to 22.1R3-S4;\n22.2 versions prior to\u00a022.2R3-S3;\n22.3 versions prior to\u00a022.3R3-S1;\n22.4 versions prior to\u00a022.4R3;\n23.2 versions prior to\u00a023.2R1-S2, 23.2R2.\n\n"
          }
        ]
      },
      "exploit": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
            }
          ],
          "value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
        }
      ],
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-754",
                "lang": "eng",
                "value": "CWE-754 Improper Check for Unusual or Exceptional Conditions"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (DoS)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://supportportal.juniper.net/JSA79179",
            "refsource": "MISC",
            "url": "https://supportportal.juniper.net/JSA79179"
          },
          {
            "name": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "refsource": "MISC",
            "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The following software releases have been updated to resolve this specific issue: 20.4R3-S10, 21.2R3-S7, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases.\n"
            }
          ],
          "value": "The following software releases have been updated to resolve this specific issue: 20.4R3-S10, 21.2R3-S7, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S1, 22.4R3, 23.2R1-S2, 23.2R2, 23.4R1, and all subsequent releases.\n"
        }
      ],
      "source": {
        "advisory": "JSA79179",
        "defect": [
          "1745288"
        ],
        "discovery": "USER"
      },
      "work_around": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThere are no known workarounds for this issue.\u003c/p\u003e"
            }
          ],
          "value": "There are no known workarounds for this issue."
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the the\u00a0Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).\n\nThe pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.\n\nThis CPU utilization of pkid can be checked using this command: \n\u00a0 root@srx\u003e show system processes extensive | match pkid\n\u00a0 xxxxx ?root ?103? 0 ?846M ?136M ?CPU1 ?1\u00a0569:00 100.00% pkid\n\nThis issue affects:\nJuniper Networks Junos OS\nAll\u00a0versions prior to 20.4R3-S10;\n21.2 versions prior to 21.2R3-S7;\n21.4 versions prior to 21.4R3-S5;\n22.1 versions prior to 22.1R3-S4;\n22.2 versions prior to\u00a022.2R3-S3;\n22.3 versions prior to\u00a022.3R3-S1;\n22.4 versions prior to\u00a022.4R3;\n23.2 versions prior to\u00a023.2R1-S2, 23.2R2.\n\n"
          },
          {
            "lang": "es",
            "value": "Una vulnerabilidad de verificaci\u00f3n inadecuada de condiciones inusuales o excepcionales en el daemon de infraestructura de clave p\u00fablica (pkid) de Juniper Networks Junos OS permite que un atacante en red no autenticado provoque una denegaci\u00f3n de servicio (DoS). El pkid es responsable de la verificaci\u00f3n del certificado. Tras una verificaci\u00f3n fallida, el pkid utiliza todos los recursos de la CPU y deja de responder a futuros intentos de verificaci\u00f3n. Esto significa que todas las negociaciones VPN posteriores que dependan de la verificaci\u00f3n del certificado fallar\u00e1n. Esta utilizaci\u00f3n de CPU de pkid se puede verificar usando este comando: root@srx\u0026gt; mostrar procesos del sistema extensos | coincide con pkid xxxxx root 103 0 846M 136M CPU1 1 569:00 100.00% pkid Este problema afecta a: Juniper Networks Junos OS Todas las versiones anteriores a 20.4R3-S10; Versiones 21.2 anteriores a 21.2R3-S7; Versiones 21.4 anteriores a 21.4R3-S5; Versiones 22.1 anteriores a 22.1R3-S4; Versiones 22.2 anteriores a 22.2R3-S3; Versiones 22.3 anteriores a 22.3R3-S1; Versiones 22.4 anteriores a 22.4R3; Versiones 23.2 anteriores a 23.2R1-S2, 23.2R2."
          }
        ],
        "id": "CVE-2024-30397",
        "lastModified": "2024-04-15T13:15:51.577",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "sirt@juniper.net",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-04-12T16:15:39.267",
        "references": [
          {
            "source": "sirt@juniper.net",
            "url": "https://supportportal.juniper.net/JSA79179"
          },
          {
            "source": "sirt@juniper.net",
            "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
          }
        ],
        "sourceIdentifier": "sirt@juniper.net",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-754"
              }
            ],
            "source": "sirt@juniper.net",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.