// For flags

CVE-2024-30397

Junos OS: An invalid certificate causes a Denial of Service in the Internet Key Exchange (IKE) process

Severity Score

8.7
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

An Improper Check for Unusual or Exceptional Conditions vulnerability in the the Public Key Infrastructure daemon (pkid) of Juniper Networks Junos OS allows an unauthenticated networked attacker to cause Denial of Service (DoS).

The pkid is responsible for the certificate verification. Upon a failed verification, the pkid uses all CPU resources and becomes unresponsive to future verification attempts. This means that all subsequent VPN negotiations depending on certificate verification will fail.

This CPU utilization of pkid can be checked using this command:
  root@srx> show system processes extensive | match pkid
  xxxxx  root  103  0  846M  136M  CPU1  1 569:00 100.00% pkid

This issue affects:
Juniper Networks Junos OS
* All versions prior to 20.4R3-S10;
* 21.2 versions prior to 21.2R3-S7;
* 21.4 versions prior to 21.4R3-S5;
* 22.1 versions prior to 22.1R3-S4;
* 22.2 versions prior to 22.2R3-S3;
* 22.3 versions prior to 22.3R3-S1;
* 22.4 versions prior to 22.4R3;
* 23.2 versions prior to 23.2R1-S2, 23.2R2.

Una vulnerabilidad de verificación inadecuada de condiciones inusuales o excepcionales en el daemon de infraestructura de clave pública (pkid) de Juniper Networks Junos OS permite que un atacante en red no autenticado provoque una denegación de servicio (DoS). El pkid es responsable de la verificación del certificado. Tras una verificación fallida, el pkid utiliza todos los recursos de la CPU y deja de responder a futuros intentos de verificación. Esto significa que todas las negociaciones VPN posteriores que dependan de la verificación del certificado fallarán. Esta utilización de CPU de pkid se puede verificar usando este comando: root@srx> mostrar procesos del sistema extensos | coincide con pkid xxxxx root 103 0 846M 136M CPU1 1 569:00 100.00% pkid Este problema afecta a: Juniper Networks Junos OS Todas las versiones anteriores a 20.4R3-S10; Versiones 21.2 anteriores a 21.2R3-S7; Versiones 21.4 anteriores a 21.4R3-S5; Versiones 22.1 anteriores a 22.1R3-S4; Versiones 22.2 anteriores a 22.2R3-S3; Versiones 22.3 anteriores a 22.3R3-S1; Versiones 22.4 anteriores a 22.4R3; Versiones 23.2 anteriores a 23.2R1-S2, 23.2R2.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
None
None
Integrity
None
None
Availability
High
Low
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-26 CVE Reserved
  • 2024-04-12 CVE Published
  • 2024-04-21 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
< 20.4R3-S10
Search vendor "Juniper Networks" for product "Junos OS" and version " < 20.4R3-S10"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 21.2 < 21.2R3-S7
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 21.2 < 21.2R3-S7"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 21.4 < 21.4R3-S5
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 21.4 < 21.4R3-S5"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 22.1 < 22.1R3-S4
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 22.1 < 22.1R3-S4"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 22.2 < 22.2R3-S3
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 22.2 < 22.2R3-S3"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 22.3 < 22.3R3-S1
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 22.3 < 22.3R3-S1"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 22.4 < 22.4R3
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 22.4 < 22.4R3"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 23.2 < 23.2R1-S2
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 23.2 < 23.2R1-S2"
en
Affected
Juniper Networks
Search vendor "Juniper Networks"
Junos OS
Search vendor "Juniper Networks" for product "Junos OS"
>= 23.2 < 23.2R2
Search vendor "Juniper Networks" for product "Junos OS" and version " >= 23.2 < 23.2R2"
en
Affected