Juniper Session Smart Router Flaw


Juniper Networks has disclosed a critical vulnerability (CVE-2024-2973) affecting its Session Smart Router (SSR) and Session Smart Conductor products.

The flaw allows network-based attackers to bypass authentication and gain complete control of the device in high-availability redundant configurations.

CVE-2024-2973: Critical Authentication Bypass Vulnerability

The vulnerability, identified as an “Authentication Bypass Using an Alternate Path or Channel,” impacts SSR and Conductor devices running in redundant peer setups.

Attackers can exploit this flaw to bypass API authentication, posing a significant security risk.

Affected Products and Versions

The issue affects the following versions:

  • All versions before 5.6.15
  • Versions from 6.0 before 6.1.9-lts
  • Versions from 6.2 before 6.2.5-sts

Juniper Networks has released updated software versions to address this vulnerability: Session Smart Router – SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases.
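The affected and fixed version boundaries above are easy to misread when an inventory mixes plain numbers with the SSR-6.1.9-lts style strings Juniper uses. The following is an added example, not code from the article or from Juniper: a small Python version checker that encodes exactly the three ranges the advisory lists and flags which devices in a (constructed) inventory still need the upgrade. It assumes version strings look like `5.6.14`, `6.2.4-sts` or `SSR-6.1.9-lts`; the inventory hostnames and versions are made up for illustration.

```python
import re
from typing import Dict, Tuple

# Affected ranges exactly as stated in the advisory for CVE-2024-2973,
# expressed as half-open intervals [lower, upper) on (major, minor, patch).
# The -lts / -sts suffixes carry no ordering information, so they are ignored.
AFFECTED_RANGES = (
    ((0, 0, 0), (5, 6, 15)),  # all versions before 5.6.15
    ((6, 0, 0), (6, 1, 9)),   # from 6.0 before 6.1.9-lts
    ((6, 2, 0), (6, 2, 5)),   # from 6.2 before 6.2.5-sts
)

# Accepts "5.6.14", "6.2", "6.2.4-sts" and "SSR-6.1.9-lts" (assumed format).
_VERSION_RE = re.compile(r"^(?:SSR-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z]+)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn an SSR version string into a comparable (major, minor, patch) tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SSR version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(text: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    version = parse_version(text)
    return any(lower <= version < upper for lower, upper in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'UPGRADE', 'fixed', or 'unparseable' for review.

    'fixed' means the version is not inside any range the advisory lists;
    it does not assert anything about releases the advisory does not mention.
    """
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "UPGRADE" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "ssr-branch-01": "5.6.14",
    "ssr-branch-02": "SSR-5.6.15",
    "ssr-hq-a": "6.1.8-lts",
    "ssr-hq-b": "SSR-6.1.9-lts",
    "ssr-dc-a": "6.2.4-sts",
    "ssr-dc-b": "6.2.5-sts",
    "conductor-01": "6.0",
    "ssr-lab": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {status}")
```

Because the advisory describes ranges rather than single versions, the checker treats the upper bound as exclusive, so `5.6.15`, `6.1.9-lts` and `6.2.5-sts` are reported as fixed while everything below each bound is flagged. The `__main__` guard lets the script be imported into a larger inventory tool or run directly against a real export of device versions.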


For Conductor-managed deployments, upgrading the Conductor nodes will automatically apply the fix to all connected routers.

However, it is still recommended that the routers be upgraded to a fixed version to ensure complete protection.

The patch has been applied automatically for WAN Assurance routers connected to the Mist Cloud.

Systems in a High-Availability cluster should be upgraded to SSR-6.1.9 or SSR-6.2.5 as soon as possible.

Applying the fix is non-disruptive to production traffic; only web-based management and the APIs see a brief outage of less than 30 seconds.

Juniper Networks advises all affected users to upgrade their systems promptly to mitigate the risk posed by this vulnerability.
