{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-065.pdf"
    },
    "title": "Critical Vulnerability in Juniper Networks Products",
    "serial_number": "2024-065",
    "publish_date": "01-07-2024 09:49:52",
    "description": "On June 27, 2024, Juniper Networks issued an advisory about a critical vulnerability, CVE-2024-2973, affecting Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. This vulnerability allows an attacker to bypass authentication and gain full control of the device, primarily affecting high-availability redundant configurations.<br>\nIt is recommended to update affected devices immediately.<br>\n",
    "url_title": "2024-065",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in\u00a0Juniper\u00a0Networks\u00a0Products'\nnumber: '2024-065'\nversion: '1.0'\noriginal_date: 'June 27, 2024'\ndate: 'July 1, 2024'\n---\n\n_History:_\n\n* _01/07/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn June 27, 2024, Juniper Networks issued an advisory about a critical vulnerability, **CVE-2024-2973**, affecting Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. This vulnerability allows an attacker to bypass authentication and gain full control of the device, primarily affecting high-availability redundant configurations [1].\n\nIt is recommended to update affected devices immediately.\n\n# Technical Details\n\nThe vulnerability, **CVE-2024-2973**, is an authentication bypass using an alternate path or channel. It affects Juniper Networks SSR and Conductor running in high-availability configurations, allowing attackers to bypass authentication and take control of the device [1].\n\n# Affected Products\n\n- Session Smart Router & Conductor:\n  - All versions before 5.6.15\n  - 6.0 before 6.1.9-lts\n  - 6.2 before 6.2.5-sts\n\n- WAN Assurance Router:\n  - 6.0 versions before 6.1.9-lts\n  - 6.2 versions before 6.2.5-sts\n\n# Recommendations\n\nCERT-EU recommends updating affected devices to the latest versions as soon as possible.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>01/07/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On June 27, 2024, Juniper Networks issued an advisory about a critical vulnerability, <strong>CVE-2024-2973</strong>, affecting Session Smart Router (SSR), Session Smart Conductor, and WAN Assurance Router products. This vulnerability allows an attacker to bypass authentication and gain full control of the device, primarily affecting high-availability redundant configurations [1].</p><p>It is recommended to update affected devices immediately.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability, <strong>CVE-2024-2973</strong>, is an authentication bypass using an alternate path or channel. It affects Juniper Networks SSR and Conductor running in high-availability configurations, allowing attackers to bypass authentication and take control of the device [1].</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Session Smart Router &amp; Conductor:<ul><li>All versions before 5.6.15</li><li>6.0 before 6.1.9-lts</li><li>6.2 before 6.2.5-sts</li></ul></li><li>WAN Assurance Router:<ul><li>6.0 versions before 6.1.9-lts</li><li>6.2 versions before 6.2.5-sts</li></ul></li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating affected devices to the latest versions as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/\">https://www.bleepingcomputer.com/news/security/juniper-releases-out-of-cycle-fix-for-max-severity-auth-bypass-flaw/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}