CVE-2024-2973 - Complete Takeover of Juniper Session Smart Routers & Conductors via HA Peer Auth Bypass
Summary:
A newly disclosed vulnerability (CVE-2024-2973) allows attackers to bypass authentication entirely on Juniper Networks Session Smart Router (SSR) and Conductor devices running in a high-availability (HA) redundancy configuration. Exploiting this bug means a remote attacker can gain full administrative control over the device — no password or valid credentials required.
This post will break down the vulnerability, how it works, who’s affected, and demonstrate (with code) how an attacker might take advantage of the flaw. If you’re running these Juniper products in redundant pairs, you must PATCH IMMEDIATELY.
What is CVE-2024-2973?
CVE-2024-2973 is an "Authentication Bypass Using an Alternate Path or Channel" vulnerability. In simple words: when two SSRs or Conductors are configured as a highly available (HA) redundant pair, there’s a backend communication channel meant only for peer HA traffic. This channel isn't properly secured, and an attacker on the network can pretend to be the HA peer, bypassing authentication and executing administrative commands.
Target any SSR or Conductor device running in HA mode.
2. The attacker sends fake 'peer' messages over the management or backend network—tricking the device into believing the attacker is its trusted HA peer.
3. All authentication is bypassed. This gives the attacker direct, privileged access—just like the real administrator or system peer.
This is classic "alternate channel" abuse. If your management or HA network isn’t fully isolated, *anyone on that network can take over your router or controller*.
Exploit Example: Bypassing Authentication
Here, we’ll walk through a hypothetical exploit. (No “real” code since the full protocol is proprietary, but this example shows what’s at stake.)
The HA communication is usually done over a TCP port on a private management VLAN. If an attacker can access this network, they can use a tool like Python socket to send a crafted message.
This is usually set by the network admin, sometimes visible in config files or via nmap port scans
nmap -p 50051,50052 <router-mgmt-ip>
> Note: Actual ports may differ; refer to your network configs.
2. Send a Faux Authentication Message
The SSR expects certain messages from its peer—often in JSON or protobuf. Let’s simulate it in Python:
import socket
# Replace these with target router's management IP and HA port (example: 50051)
target_ip = '192.168.1.10'
target_port = 50051
# Example peer "hello" message (format simplified)
fake_ha_handshake_message = b'\x00\x00\x00\x1f{"cmd":"peer_hello","auth":"none"}'
def send_fake_message(ip, port, message):
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
sock.connect((ip, port))
sock.sendall(message)
response = sock.recv(4096)
print("Got response:", response)
send_fake_message(target_ip, target_port, fake_ha_handshake_message)
If successful, the attacker may now be registered as a peer, and has full device control through further backend messages.
Hide persistence in HA sync logic
Anything the real admin (or system) can do, the attacker can do — and with *no* authentication.
Who Is at Risk?
Only SSR/Conductor/WAN Assurance Routers in highly available, redundant (HA) configurations.
How to Patch
- Session Smart Router/Conductor:
WAN Assurance Router:
- Same as above — 6.1.9-lts / 6.2.5-sts or newer.
Download and patch links:
- Official Juniper CVE-2024-2973 Advisory
- Juniper Software Downloads
References
- Juniper Security Advisory for CVE-2024-2973
- NIST NVD Entry
- Mitre CWE-288: Authentication Bypass Using an Alternate Path
BOTTOM LINE:
If you operate any Juniper SSR or Conductor in a redundant (HA) pair, this vulnerability lets anyone on the backend/management network break in, skip authentication, and completely take over your router or conductor. *Patch now. Do not expose management or HA ports to untrusted networks.*
Timeline
Published on: 06/27/2024 21:15:15 UTC
Last modified on: 07/02/2024 03:55:38 UTC