Juniper Networks has disclosed a critical vulnerability identified as CVE-2024-2973, affecting its Session Smart Router (SSR) and Session Smart Conductor products. This flaw, classified as an “Authentication Bypass Using an Alternate Path or Channel,” allows network-based attackers to bypass API authentication in devices running in redundant peer setups. Exploiting this vulnerability, attackers could gain complete control over the affected devices, posing a significant security risk.
The vulnerability impacts several versions of the Session Smart Router and Conductor. Specifically, all versions before 5.6.15, versions from 6.0 before 6.1.9-lts, and versions from 6.2 before 6.2.5-sts are affected. Juniper Networks has addressed this issue by releasing updated software versions: SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases. It is recommended that users upgrade to these fixed versions to ensure complete protection.
For Conductor-managed deployments, upgrading the Conductor nodes will automatically apply the fix to all connected routers. However, it is still advised that the routers themselves be upgraded to the fixed versions for full security assurance. For WAN Assurance routers connected to the Mist Cloud, the patch has been applied automatically, ensuring these systems are protected against the vulnerability.
The application of these fixes is designed to be non-disruptive to production traffic, with only a brief downtime of less than 30 seconds for web-based management and APIs. Juniper Networks strongly advises all affected users to upgrade their systems promptly to mitigate the risk posed by this critical vulnerability. This proactive measure is essential to maintaining the security and integrity of their network infrastructure.
Reference:
