CVE-2024-39537

11.07.2024, 17:15

An Improper Restriction of Communication Channel to Intended Endpoints vulnerability in Juniper Networks Junos OS Evolved on ACX 7000 Series allows an unauthenticated, network-based attacker to cause a limited information disclosure and availability impact to the device.



Due to a wrong initialization, specific processes which should only be able to communicate internally within the device can be reached over the network via open ports.




This issue affectsJunos OS Evolved on ACX 7000 Series:



  *  All versions before 21.4R3-S7-EVO,
  *  22.2-EVO 

versions 

before 22.2R3-S4-EVO,
  *  22.3-EVO versions before 22.3R3-S3-EVO,
  *  22.4-EVO versions before 22.4R3-S2-EVO,
  *  23.2-EVO versions before 23.2R2-EVO,
  *  23.4-EVO versions before 23.4R1-S1-EVO, 23.4R2-EVO.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
juniper	CNA	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
juniper	junos_os_evolved	22.2r3-s4 < 𝑥 < 22.2r3-s4
juniper	junos_os_evolved	22.3r3-s3 < 𝑥 < 22.3r3-s3
juniper	junos_os_evolved	22.4r3-s2 < 𝑥 < 22.4r3-s2
juniper	junos_os_evolved	23.2r2 < 𝑥 < 23.2r2
juniper	junos_os_evolved	23.4r1-s1 < 𝑥 < 23.4r1-s1
juniper	junos_os_evolved	23.4r2 < 𝑥 < 23.4r2
juniper	junos_os_evolved	𝑥 < 21.4r3-s7

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

References

https://supportportal.juniper.net/JSA82997