BREAKING AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack
Connect with us

Hi, what are you looking for?



Juniper Networks Warns of Critical Authentication Bypass Vulnerability

Juniper Networks warns of a critical authentication bypass flaw impacting Session Smart routers and conductors.

Juniper Networks last week issued an out-of-cycle security bulletin to warn of a critical vulnerability leading to authentication bypass on Session Smart router and conductor products.

Tracked as CVE-2024-2973 (CVSS score of 10), the issue impacts all Session Smart routers and conductors running in high-availability redundant configurations, the company explains.

“An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or Conductor running with a redundant peer allows a network-based attacker to bypass authentication and take full control of the device,” Juniper Networks notes in its advisory.

According to the company, Session Smart router and connector versions before 5.6.15, 6.1.9-lts, and 6.2.5-sts are affected by CVE-2024-2973. WAN Assurance router versions before 6.1.9-lts, and 6.2.5-sts are vulnerable as well.

SSR-5.6.15, SSR-6.1.9-lts, SSR-6.2.5-sts, and subsequent releases address this vulnerability.

“It is suggested to upgrade all affected systems to these versions of software. In a Conductor-managed deployment, it is sufficient to upgrade the Conductor nodes only and the fix will be applied automatically to all connected routers. As practical, the routers should still be upgraded to a fixed version; however, they will not be vulnerable once they connect to an upgraded Conductor,” Juniper notes.

The company also explains that the vulnerability has been automatically resolved on affected devices for Mist managed WAN Assurance routers that are connected to the Mist cloud.

“It is important to note that the fix is applied automatically on managed routers by a Conductor or on WAN assurance routers has no impact on data-plane functions of the router. The application of the fix is non-disruptive to production traffic,” Juniper says.

Advertisement. Scroll to continue reading.

The update, however, might cause a downtime of less than 30 seconds to the web-based management and APIs.

Juniper Networks notes that there are no workarounds available for the vulnerability and that it is not aware of the flaw being exploited in attacks.

Related: Juniper Networks Publishes Dozens of New Security Advisories

Related: Juniper Networks Patches Vulnerabilities in Switches, Firewalls

Related: $2.5 Million Offered at Upcoming ‘Matrix Cup’ Chinese Hacking Contest

Related: Juniper Networks Patches Critical Remote Code Execution Flaw in Firewalls, Switches

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

ICS and OT cybersecurity solutions provider TXOne Networks appoints Stephen Driggers as new CRO

Identity orchestration provider Strata Identity appoints Aldo Pietropaolo as Field CTO

Cybersecurity provider for the aviation industry Cyviation has appointed Eliran Almog as Chief Executive Officer.

More People On The Move

Expert Insights